How Secure Is Your LinkedIn Account... Really?

Last month LinkedIn announced to the world that username and password data from 167,370,910 accounts had been obtained illegally from their site. Fortunately the data breach did not include credit card details and was directly associated with an earlier incident in 2012.

Ironically, the timing meant that Microsoft would have been in the middle of acquisition negotiations following due diligence. It was an opportunity for LinkedIn to show their values and culture... they passed with flying colors... but not everyone agrees with me.

LinkedIn immediately got on the front foot to protect their members and the LinkedIn brand. Here is LinkedIn's official statement on May 18, 2016. They also e-mailed all members who were potentially affected and forced password changes before those users could log back in.

Never seek to hide what can be discovered. Transparency and honesty is always best.

If you're wondering whether you are one of the LinkedIn users impacted by this breach, stop trying to figure it out and just change your password immediately. Seriously, change it right now. You should change passwords regularly on all online accounts as a matter of course.

The biggest risk does not come from hackers or cyber-criminals... you personally are actually the weakest link in the security chain.

Watch this video and you'll understand that the way users create and manage their passwords is the biggest security risk... and many use a common password across many platforms.

I discussed all this with an IT security expert, Olsi Selfo, and here is his advice based on years of experience working with some of the biggest banks in the world and cyber-security specialists from defence and other rigorous security environments.

The following is from Olsi Selfo.

It’s always a good idea to change your passwords regularly and to never, ever use the same password for two different accounts. And no, you shouldn’t paste all those different usernames and passwords into a plain text file so you can remember them. Instead, use a secure password manager that can sync your passwords across all devices and keep them safe but easily accessible.

LeakedSource published a table showing the most commonly used passwords on LinkedIn and it’s just as bad as you think it might be. The most commonly used password is “123456” and it was found on 753,305 accounts. The second most common password was “linkedin” which was used on 172,523 different accounts, and then “password” on 144,458 accounts. Login credentials - especially to social media sites - are a valuable commodity for 'black hat' hackers. One of Olsi's sources claims that '123456' appears more than a million times (1,135,936 to be precise) in another dump, a long way ahead of 'LinkedIn' with 207,000. The most common “base word” used in the passwords is, unsurprisingly, “LinkedIn”.

Regularly changing your password is always a good idea, so be proactive.

Voluntarily changing passwords manually on a regular basis is a good idea, but do not create passwords based on very simple and very predictable patterns, as these are very predictable to hackers. Two-step verification is the next level of security to be considered.

LinkedIn introduced 2-step verification using SMS. Although not immune against a determined hacker in a targeted attack, it is much better than nothing. What LinkedIn really should do is to promote the existence of security risks better, and go beyond mere password changes. That really isn't enough with today's threat landscape.

Personally I recommend two-step verification as a good tradeoff between security and usability for most applications. I'll even admit that a single password might not be enough in all cases. So go ahead and configure 2FA wherever you can.

Hackers use stolen e-mail information to lure users into giving away more information including birth dates, credit card numbers and bank account access. In 2014, cyber criminals stole $16 billion from nearly 13 million consumers.

All the more reason, say experts, to regularly change passwords — even monthly. ‘And more importantly, you should also be thinking about one site, one password,’ said Lucy Millington, head of corporate security for Sophos Cyber Security. ‘So don’t re-use a password, don’t use the same password for the bank, as you do for retail shopping, as you do your email.’

So what’s a good password? Well, for starters, don’t include the names of your children, pets or home addresses—all information that could easily be found online. Instead, use abstract combinations of letters, numbers and characters that a criminal’s computer program couldn’t easily guess. Mixing languages is another way to throw off hacking programs. Running together the lyrics of a song could also help strengthen passwords.

Experts advise paying for credit monitoring to watch for suspicious activity. And be very suspicious of all incoming emails that could be phishing for more sensitive information.

‘A breach is inevitable,’ Payton said. ‘That information that you’ve entrusted someone else with is eventually going to be hacked.’ Experts say a moment of distraction and a click on a bad link can invite cyber-crooks a world away.

Thanks Olsi for sharing your experience and providing such valuable advice!
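The LeakedSource table and Olsi's point about predictable "base words" translate directly into a password blocklist check a site or a password manager could run at enrolment. The following is an added example, not code from the original post or from LinkedIn; the three blocklist entries and counts are the page's figures, the 12-character minimum and the leet-speak map are assumptions made for the example.

```python
import re

# Top entries from the LeakedSource table quoted above (counts are the page's
# figures; this is a constructed excerpt, not the full dump).
COMMON_PASSWORDS = {"123456": 753305, "linkedin": 172523, "password": 144458}

# Site-specific "base words" that should be caught even when decorated with
# digits or punctuation (e.g. "LinkedIn2016!"). Constructed for this example.
BASE_WORDS = ["linkedin", "password"]

# Minimal leet-speak unfolding (assumed map) so "L1nk3d1n" normalises to "linkedin".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed minimum length for the policy in this example.
MIN_LENGTH = 12


def normalise(pw: str) -> str:
    """Lowercase, unfold substitutions and drop non-letters so that digits,
    years or punctuation do not hide the base word a password is built on."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def check_password(pw: str) -> list[str]:
    """Return the reasons a candidate password should be rejected.

    An empty list means none of the weak-pattern checks fired."""
    reasons = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append(f"in top breached list ({COMMON_PASSWORDS[low]:,} accounts)")
    core = normalise(pw)
    for word in BASE_WORDS:
        if word in core:
            reasons.append(f"built on predictable base word '{word}'")
            break
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Word followed by 1-4 digits and optional punctuation: "Summer2016!"
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[!?.]?", pw):
        reasons.append("predictable pattern: word + digits (+ punctuation)")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "L1nk3d1n2016!", "Summer2016!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "ok")
```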

This article was originally published in LinkedIn here where you can comment. Also follow the award winning LinkedIn blog here or visit Tony’s leadership blog at his keynote speaker website: www.TonyHughes.com.au.

Main Image Photo by Flickr: Ken Yeung - President Obama at LinkedIn for Town Hall