LinkedIn Security Breach – What are the possible consequences of this breach?
Investigative journalism is vital in the wake of a breach.
There has been a media storm following the security breach at business networking site LinkedIn, and rightly so because it is big news, and a stark reminder to never be lax with security, whether you are a business handling the private information of thousands or millions of users or customers, or a private person.
Infosec Island website is highlighting many different issues in a series of critical articles following the LinkedIn Security breach. They go as far as calling LinkedIn negligent in an article entitled “LinkedIn Fails Security Due Diligence”:
“One can assume that poor security practices led to the password database ending up in Russia.”
LinkedIn has failed to meet industry standards in their security. Their password hashing algorithm (SHA-1) was not good enough, and in fact has been proven unreliable in the past, and they were not salting their users' password hashes. They do now, and it is shocking that they needed to lose 6.5 million passwords to start taking simple security measures.
What is the point of memorising long-winded passwords consisting of letters and numbers if:
- they are that easy to get hold of, and
- they are not stored securely?
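To make the salting point concrete, here is an added example (not code from the post or from LinkedIn) contrasting an unsalted SHA-1 store with a per-user salted, iterated hash; the two user names and their shared password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme as described in the post: a bare, unsalted SHA-1 of the password.
def legacy_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Improved scheme: random per-user salt plus PBKDF2-HMAC-SHA256 with many iterations.
ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Store everything needed to verify later: scheme, iteration count, salt, digest.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so verification timing leaks nothing about the digest.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Constructed sample data: two users who happened to choose the same password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!"}

def compare_schemes(users=USERS) -> dict:
    legacy = {u: legacy_sha1(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        # Unsalted: identical passwords give identical digests, so one leaked list
        # exposes every user who shares a password and matches precomputed tables.
        "legacy_collide": len(set(legacy.values())) < len(legacy),
        # Salted: identical passwords produce unrelated stored values.
        "salted_collide": len(set(salted.values())) < len(salted),
        "salted_verifies": all(verify_password(p, salted[u]) for u, p in users.items()),
        "wrong_rejected": not verify_password("wrong-password", salted["alice"]),
    }

if __name__ == "__main__":
    print(compare_schemes())
```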
“LinkedIn Either Failed To Meet Industry Standards Or Standards Need To Be Raised”
is another must read article from the same website.
Having established that LinkedIn had to raise their security standards, and that they may have been negligent with their users personal information, one question to ask is: what next?
We have already seen scammers attempting to flood users with fraudulent password reset emails purporting to be from LinkedIn.
But what is there to worry about beyond this?
Jason Clark goes deeper into these issues in his article “LinkedIn Breach Part II: What You Need to Prepare for Next”
I will quote a passage from the article (but I urge you to have a read through the article in full)
“LinkedIn’s password breach could result in three serious ramifications for businesses everywhere:
- Cybercriminals can take advantage of trust and social engineering attacks. If you are ‘linked’ to a trusted colleague you are more likely to click on a malicious link sent from them, which may open the door to targeted attacks and confidential data theft.
- Many LinkedIn accounts are tied to other social media services, such as Facebook or Twitter, so posts with malicious links can also be spread to a larger audience.
- Most of us are creatures of habit and have the same password for multiple accounts. The consequences of a breached password could reach across email, social media, banking accounts, and mobile phone data.
In my last post, I provided an email template for you to share with employees about changing their individual passwords, but it doesn’t stop there. The truth is many of your employees are going to ignore changing their passwords.
So what next? Well, to be honest, you are just getting started. First, we need to look at the three likely attack scenarios that might develop from this breach:
- Employees are tricked into clicking a malicious link from a trusted colleague through their compromised friend's status feed (this could be a broad or targeted attack).
- A generic spam email is sent from compromised accounts to one of your employees, leading them to a malicious site.
- Sophisticated attackers collect data on their target (your CEO, CFO, etc.), find a suitable LinkedIn contact to compromise and send a tailored lure, which will likely lead to data-stealing code.”
This security breach can therefore have serious consequences. 160 million users globally trust LinkedIn with their personal information. When you consider that LinkedIn have attracted business users who want to network on a professional level, in comparison with for example Facebook which is geared towards family and friends interacting, the reason why LinkedIn was targeted becomes quite obvious.
LinkedIn has become established as a valuable peer-to-peer marketing tool. You can clearly see the links between the various professionals in any given network, their job titles, how they know each other, and their interactions. Knowing the personal details of the CEO of a company, and also the personal details and passwords of the people this person trusts, is invaluable to an attacker.
What can you do to protect yourself?
As a LinkedIn (or any forum) user or private person, there are really only two important things to bear in mind:
- Make sure you select a memorable and strong password,
- Do not use the same password on multiple sites, such as your online banking, shopping, and LinkedIn etc. You need one password for each.
If you have not already done so, change your LinkedIn password, and if you have used the same password across many sites, change them all.
As a business you need a strategy such as in the above article, and to educate your employees. The message is the same as the above though, it is just developing a strategy that will ensure that the message is delivered and acted upon.
LinkedIn aren't the first website to neglect security and lose your personal information to hackers, and they will most likely not be the last. As a rule of thumb, be cautious of criminals trying to use your personal information against you. Their motive in getting this information is to make money from it, such as through identity theft or an elaborately personalised phishing email. Always be suspicious and cautious of email and phone communications.
One final piece of advice, which can't be repeated enough: change your passwords!
-The Omniquad Team