On Wednesday, 25th May, many people opened their email to find a message from LinkedIn sitting in their inbox. But unlike other times, this wasn’t a mail suggesting relevant job openings that the user qualified for, or pitching free members to upgrade for better visibility. This was an internet security mail from “LinkedIn Legal” – as it appeared in the sender’s name – reassuring LinkedIn account holders that everything was under control.
At the same time, it also meant that something had gone wrong and LinkedIn was trying to close the gaps.
The mail opened with, “You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.”
The mail concerns a data breach at LinkedIn that took place in 2012, when hackers stole data belonging to almost 167 million LinkedIn users and traded it on the black market for hefty prices. The stolen data included users’ email addresses, LinkedIn IDs, passwords, etc. Many internet security companies initially reported a breach of about 6.7 million passwords; the figure was later confirmed to be nearly 117 million passwords.
On Wednesday, though, the professional social network came clean to its stakeholders by admitting the breach and assured them that swift measures were under way to contain the internet security damage.
“This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach,” states the 350-word email.
Furthermore, the company is assuring its client base that it has “several dedicated teams working diligently to ensure that the information members entrust to LinkedIn remains secure.” Several media outlets have speculated that around a quarter of its existing 433 million users might have been affected by the breach.
The four-year-old internet security blunder is an embarrassment for LinkedIn, the world’s biggest professional networking website, which leads its domain over every other site. Back in 2012, LinkedIn did not have a well-thought-out, rigid password policy, which made it an easy target for hackers to compromise. Although by then it had become a well-known eight-year-old start-up, LinkedIn did not consider it important to encrypt its account holders’ passwords to protect against identity theft. At the time, the company lacked internet security intelligence, and the website did not have strong security measures in place against online attacks.
Although LinkedIn has made it clear that it is invalidating only the accounts that have not changed their passwords since the breach, LinkedIn users should take care to ensure that their LinkedIn information is safe from data theft. A rule of thumb is to change your existing password and strengthen it. More importantly, you should opt for two-factor authentication (2FA), which requires you to key in a secondary piece of evidence (most likely a one-time code delivered by text message to a phone that only you can access) in order to log in to your account.
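To show what the texted-code second factor described above has to get right on the server side, here is an added example (not code from the article or from LinkedIn). It assumes a six-digit code that stays valid for five minutes, is single-use, and locks after five wrong guesses; the server stores only a hash of the code, so a copied challenge table is useless to a thief, which is the point of adding a second factor on top of a password that may already have leaked.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

CODE_TTL_SECONDS = 300   # assumption: a texted code stays valid for five minutes
MAX_ATTEMPTS = 5         # assumption: the challenge locks after five wrong guesses


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class SecondFactorChallenge:
    """Server-side record of one texted code. Only a hash of the code is kept,
    so a copied challenge table yields nothing an attacker can submit."""

    def __init__(self, digest: bytes, created_at: float):
        self._digest = digest
        self.created_at = created_at
        self.attempts = 0
        self.used = False

    def verify(self, submitted: str, now: Optional[float] = None) -> bool:
        """True only for the right code, submitted in time, once, within the attempt budget."""
        now = time.time() if now is None else now
        if self.used or self.attempts >= MAX_ATTEMPTS:
            return False
        if now - self.created_at > CODE_TTL_SECONDS:
            return False
        self.attempts += 1
        # Constant-time comparison: no timing leak on how many digits matched.
        ok = hmac.compare_digest(_digest(submitted), self._digest)
        if ok:
            self.used = True   # single-use, so a replayed text message is worthless
        return ok


def issue_challenge(now: Optional[float] = None) -> Tuple[SecondFactorChallenge, str]:
    """Create a challenge and return it with the six-digit code for the SMS gateway.
    The caller sends the code and discards it; the server retains only the challenge."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never the random module
    return SecondFactorChallenge(_digest(code), now), code


if __name__ == "__main__":
    challenge, code = issue_challenge(now=1000.0)
    print("correct code accepted:", challenge.verify(code, now=1010.0))
    print("replay rejected:", challenge.verify(code, now=1011.0))
```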