Protect your resume! Save your professional contacts! Apologize to your boss! Rumors recently started flying around about a potential security breach of the business social networking website LinkedIn. Initial reports speculated as many as 6.5 million user passwords may have been compromised and publicly posted.
A post on the LinkedIn blog also confirmed that there had been a security breach, but the post didn’t specify the number of compromised passwords.
“We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” Vicente Silveira, director at LinkedIn, wrote. “We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts: Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.”
The post goes on to explain users with compromised accounts will receive emails detailing how they can reset their passwords. The emails won’t contain any links, so avoid any message that asks you to click on something – it could be a scam taking advantage of the high-profile attack.
Although experts suggested changing your password if your account was compromised, that still leaves the question of what you should change your password to. A CNET article highlighted the qualities of a secure password: use passwords that are not found in the dictionary, are six characters or more in length and have a mix of numbers and letters. You’re also more secure if you use different passwords for different websites, so if one account is compromised, your others are still safe. CNET suggested using password management software to make them easier to remember.
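As an added illustration (not code from CNET or LinkedIn), the checks below turn the three password qualities above, plus the "one password per site" rule, into a small policy checker. The dictionary is a constructed stand-in for a real word list, and the `vault` dictionary is an assumed shape for a password manager export.

```python
import re
from typing import Dict, List

# Constructed stand-in for a real dictionary; a real check would load a full word
# list (assumption, e.g. /usr/share/dict/words) or a breached-password list.
DICTIONARY_WORDS = {"password", "linkedin", "welcome", "letmein", "monkey", "dragon"}

MIN_LENGTH = 6  # the minimum length the article cites


def password_issues(password: str, dictionary=DICTIONARY_WORDS) -> List[str]:
    """Return a list of reasons the password fails the article's three rules."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        issues.append("needs both letters and numbers")
    # Strip digits and punctuation before the lookup so that a dictionary word
    # with a digit bolted on (e.g. "password1") still counts as a dictionary word.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if password.lower() in dictionary or core in dictionary:
        issues.append("is a dictionary word")
    return issues


def is_acceptable(password: str) -> bool:
    return not password_issues(password)


def reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used on more than one site to the sites sharing it.

    `vault` maps site name -> password (assumed password-manager export shape).
    A breach at any one of the returned sites exposes all the others listed.
    """
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for candidate in ("password1", "abc", "monkey", "Tr4ck3dM33ting"):
        print(candidate, "->", password_issues(candidate) or "ok")
    print(reused_passwords({"linkedin": "a1b2c3", "mail": "a1b2c3", "bank": "x9y8z7"}))
```

The reuse check is the part that matters after a breach like this one: a leaked LinkedIn password is only a LinkedIn problem if it is not also the password for your e-mail or bank.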
Hacking isn’t the only threat to your privacy on LinkedIn
The security breach is bad enough for LinkedIn, but it adds to the concern over the privacy issues surrounding LinkedIn’s iOS app. The application allows users to view their calendar entries, making it convenient to track meetings and other important event dates. What LinkedIn conveniently forgot to tell everyone is that, once enabled, the app started sending the calendar data to LinkedIn servers.
The privacy problem was discovered by researchers Yair Amit and Adi Sharabani, who wrote suggestions for how LinkedIn should move forward in a blog post.
“In order to achieve its desired functionality, the LinkedIn app should refrain from sending full meeting details to their servers. Instead, the app should communicate to LinkedIn’s servers only a small relevant subset such as the attendees of the meeting,” wrote Amit. “In a matter of fact, the users’ privacy can be further improved by sending-over hashed versions of the contacts data instead of the raw contacts data, thus preserving a better privacy model. In addition, we believe the app should clearly communicate to its users the kind of information it sends back to LinkedIn’s servers.”
Applications that collect user data without a clear indication they are doing so may be in violation of Apple’s privacy guidelines. Amit and Sharabani suggest Apple improve its app screening process so similar applications aren’t allowed on iOS devices. Although LinkedIn may have used the data in completely harmless ways, hackers attempting to access that information are likely to have more nefarious plans.
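To make the researchers’ suggestion concrete, here is an added example (my code, not LinkedIn’s app or anything Amit and Sharabani published) of the data-minimization step they describe: the app keeps the meeting title, notes, location and time on the device and sends only a hashed attendee list. The calendar entry is constructed, and its field names are assumptions about how a phone calendar might store an event.

```python
import hashlib
from typing import Any, Dict, List

# Constructed calendar entry; the field names are assumed, not taken from any real app.
SAMPLE_EVENT = {
    "title": "Q3 budget review",
    "notes": "Discuss the reorg before the board meeting. Dial-in PIN 4471.",
    "location": "Room 12B",
    "start": "2012-06-07T10:00:00",
    "attendees": ["Alice.Example@example.com", "bob@example.org", " ALICE.example@example.com "],
}

# Everything in this tuple is "full meeting details" and never leaves the device.
DEVICE_ONLY_FIELDS = ("title", "notes", "location", "start")


def normalize_email(addr: str) -> str:
    # Trim and lower-case so the same address always hashes to the same value.
    return addr.strip().lower()


def hash_contact(addr: str) -> str:
    """SHA-256 of the normalized address.

    The server can compare this against hashes of its own members' addresses
    to find matches without ever receiving the raw address.
    """
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def minimize_event(event: Dict[str, Any]) -> Dict[str, List[str]]:
    """Build the only payload the app needs to upload: de-duplicated attendee hashes."""
    hashed = sorted({hash_contact(a) for a in event.get("attendees", [])})
    return {"attendee_hashes": hashed}


def leaks_meeting_details(payload: Dict[str, Any]) -> bool:
    """Guard to run before any upload: True if full meeting details are present."""
    return any(field in payload for field in DEVICE_ONLY_FIELDS)


def disclosure_text(payload: Dict[str, Any]) -> str:
    """What the app should show the user about the upload, built from the real payload."""
    return "This app sends LinkedIn only: " + ", ".join(sorted(payload.keys()))


if __name__ == "__main__":
    upload = minimize_event(SAMPLE_EVENT)
    assert not leaks_meeting_details(upload)
    print(disclosure_text(upload))
    for h in upload["attendee_hashes"]:
        print(" ", h)
```

One caveat a practitioner would raise about the hashed-contacts idea: a plain hash of an e-mail address hides it from a casual observer, but anyone holding a large list of known addresses can hash that list and match the results, so the server still learns which of its members were in the meeting. A keyed hash would close that gap but would also stop the server from matching contacts at all, which is the trade-off the researchers’ proposal implicitly accepts.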
Is LinkedIn at fault for the recent security breach? Should the company put better security measures in place? Does LinkedIn’s iOS app go too far by not informing users it is sending data to the company’s servers?