The company has implemented additional measures to protect customers

Jun 8, 2012 07:51 GMT

LinkedIn representatives still haven’t clearly said “yes, we have been breached” or “no, we haven’t,” but while they continue to investigate the massive password leak, they have revealed that law enforcement has been notified and is currently investigating the matter.

Vicente Silveira, the LinkedIn director in charge of informing the public about the results of the investigation, has posted a new update describing the security improvements the company has made to protect potential victims.

“Our first priority was to lock down and protect the accounts associated with the decoded passwords that we believed were at the greatest risk. We’ve invalidated those passwords and contacted those members with a message that lets them know how to reset their passwords,” Silveira wrote.

“Going forward, as a precautionary measure, we are disabling the passwords of any other members that we believe could potentially be affected. Those members are also being contacted by LinkedIn with instructions on how to reset their passwords,” he added.

He also highlights that, to their knowledge, the usernames associated with the passwords have not yet been made publicly available. Of course, that doesn’t necessarily mean that cybercriminals don’t have them.

While some argued that the number of exposed passwords may be much higher than 6.5 million, LinkedIn is sticking to that figure.

There’s one other observation we must make. How come large companies start salting their passwords only after millions of their customers have been exposed? It has been known for years that unsalted hashes, especially those of simple passwords, are easy to crack: one precomputed table of common passwords matches every user in every unsalted database.

LinkedIn’s current production database now stores account passwords hashed and salted, but this entire situation might not have been so critical if that additional security layer had been implemented earlier.
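To make the salting point concrete, here is an added example (not code from the article or from LinkedIn) contrasting unsalted hashes, which fall to a single precomputed table, with per-user salted hashes run through a slow KDF, where every user must be attacked separately. The use of SHA-1 for the unsalted case, PBKDF2-HMAC-SHA256 for the salted case, and the candidate password list are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed list of weak passwords for the demonstration; not taken from any real dump.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "letmein", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one deterministic hash per password, identical across all users."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; the table works against every unsalted database."""
    return {unsalted_sha1(p): p for p in candidates}


def recover_unsalted(dumped_hashes, table):
    """Each leaked hash is a dictionary lookup: no per-hash computation at all."""
    return {h: table[h] for h in dumped_hashes if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """The hardened scheme (assumed KDF): per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str):
    """Store a fresh 16-byte salt next to the derived key for each account."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def recover_salted(records, candidates):
    """Against salted records the precomputed table is useless: the full KDF must be
    repeated for every (account, candidate) pair. Returns the matches and the work count."""
    found, work = {}, 0
    for salt, digest in records:
        for p in candidates:
            work += 1
            if hmac.compare_digest(salted_hash(p, salt), digest):
                found[digest.hex()] = p
                break
    return found, work
```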

Even more worrying is the fact that there are still some websites that store passwords in plain text. Wake up, people! Protect your users; don’t just say that you “take security seriously.”