
Jun 06

Don’t hit the panic button in your LinkedIn account just yet

Numerous reports are floating around the internet that LinkedIn, a social networking site for professionals, has been hit by hackers and some 6.46 million passwords potentially exposed. But don’t go running out and closing down your LinkedIn account just yet. You probably aren’t affected. And, even if you are, you’ll know it the next time you try to log in to your LinkedIn account.

That said, there are basically two things you can do.

Change your password – tomorrow

Changing your password regularly is a good idea anyway. But with the high number of people trying to change their passwords today, your attempt is likely to lead only to frustration and a forgotten password. Instead, take a deep breath, and consider that the stolen files are encrypted, and it will take time to decrypt them. That gives you some time to develop a plan to put your new password into play tomorrow. In the meantime, here’s what you should do:

  1. Change your email account password (TODAY).
  2. Make a list of all the sites on which you use the same password, with special emphasis on:
    1. Email accounts
    2. Bank accounts
      1. Checking, credit card, PayPal, etc.
    3. Investment accounts
    4. Vendor accounts
      1. eBay, Sears, NewEgg, etc.
    5. Membership accounts (especially those you pay for, or that can identify you)
      1. Facebook, Google Plus, gym memberships, golf clubs, etc.
  3. Skip the random email link prompting you to change your password (it could just as easily be a hoax or phishing).
  4. Plan your new password with five future changes in mind.
    1. Try putting together a random, yet memorable, string of words, numbers, and syllables. Then you can rearrange them later. Like this:
      1. FishGumboIs2Good!
      2. 2GoodIsFishGumbo!
      3. IsFishGumboGood2!
      4. FishIsGumbo!2Good
      5. 2!IsGumboFishGood
    2. As you can see, the content is the same, but the sequence can be changed five times and you are still working from the same memorable base. Come up with your own strategy (please don’t use these) and make it something you can remember.
  5. Set aside an hour on your calendar tomorrow (and not a day later) to start logging in to those sites and changing your password.
  6. Put a reminder on your calendar to do this every 4 to 6 months.

Change other passwords? Are you crazy?

Any time that your email address and password may be at risk, you should change other passwords, and start with your email. Why?

  • People often use the same password everywhere, and the first place for a hacker to try your newly discovered username and password is your email.
    • The ramifications are huge. Just think about it. Your bank sends you email updates about your account. Now the hacker knows which bank you use.
    • Your contacts can now receive phishing emails from the hacker that appear to be from you.
    • And the list goes on.
  • Change all your passwords, starting with your email. Don’t forget your phone, and any linked accounts.
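The list-making step above (find every site sharing the exposed password, email first, bank next) and the reuse argument in this section are the same audit. The following script is an added example, not part of the original post: it groups a constructed inventory of accounts by a fingerprint of each password, so identical passwords collide without the plaintext being kept around, then produces an ordered change list using the post's own priority order (email, bank, investment, vendor, membership). The site names, categories and passwords are hypothetical sample data.

```python
import hashlib
from collections import defaultdict

# Priority order taken from the post: email first, then bank, investment,
# vendor and membership accounts. Unknown categories sort last.
CATEGORY_PRIORITY = {"email": 0, "bank": 1, "investment": 2, "vendor": 3, "membership": 4}

# Constructed sample inventory: (site, category, password). Hypothetical
# hostnames and throwaway passwords, assembled for this example only.
SAMPLE_ACCOUNTS = [
    ("mail.example", "email", "FishGumboIs2Good!"),
    ("bank.example", "bank", "FishGumboIs2Good!"),
    ("shop.example", "vendor", "FishGumboIs2Good!"),
    ("social.example", "membership", "unique-social-pw"),
    ("broker.example", "investment", "FishGumboIs2Good!"),
    ("linkedin.example", "membership", "FishGumboIs2Good!"),
]


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix: enough to group identical passwords without
    printing or storing the plaintext in the report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def build_inventory(accounts):
    """Group accounts by password fingerprint.
    Returns {fingerprint: [(site, category), ...]}."""
    groups = defaultdict(list)
    for site, category, password in accounts:
        groups[fingerprint(password)].append((site, category))
    return dict(groups)


def reuse_report(accounts, compromised_site):
    """Sites that share a password with `compromised_site`, ordered by
    category priority (email before bank before investment ...), then name."""
    groups = build_inventory(accounts)
    shared = []
    for members in groups.values():
        if any(site == compromised_site for site, _ in members):
            shared = [(s, c) for s, c in members if s != compromised_site]
            break
    shared.sort(key=lambda sc: (CATEGORY_PRIORITY.get(sc[1], 99), sc[0]))
    return [site for site, _ in shared]


def change_schedule(accounts, compromised_site):
    """Split the reuse list into the post's two buckets: email accounts
    today, everything else in tomorrow's calendar slot."""
    by_site = {site: category for site, category, _ in accounts}
    ordered = reuse_report(accounts, compromised_site)
    today = [s for s in ordered if by_site[s] == "email"]
    tomorrow = [s for s in ordered if by_site[s] != "email"]
    return {"today": today, "tomorrow": tomorrow}


if __name__ == "__main__":
    plan = change_schedule(SAMPLE_ACCOUNTS, "linkedin.example")
    print("Change TODAY:   ", ", ".join(plan["today"]) or "(none)")
    print("Change TOMORROW:", ", ".join(plan["tomorrow"]) or "(none)")
```

Run it as-is and the constructed inventory yields the email account for today and the bank, investment and vendor accounts for tomorrow; the account with its own unique password never appears in the report, which is the point of the exercise.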

The History

Let’s take a moment to look at the data so far:

  1. The claim came in from reports of a “user on a Russian forum” who said they had downloaded the encrypted password file.
  2. Various sites reported the claim, including ZDNet, CERT-FI, USA Today, and so on.
  3. LinkedIn reported, on LinkedIn itself, that it was investigating the reports but could not confirm an actual breach.
  4. Vicente Silveira posted about security best practices.
  5. Vicente Silveira confirmed the breach and documented the action being taken.

The Good

There is good in all of this. Specifically, LinkedIn does care about security. How do we know?

  • Ganesh Krishnan was talking about security and LinkedIn back on May 23rd.
  • The total time from report to public action was one day or less.

Hopefully this will encourage LinkedIn to look at their various applications and tighten the security on them, too.

In the meantime, hopefully it motivates you to tighten your own online security, lest some hacker gain access to your account in a much less public manner.