Another day, another security breach. They’ve almost become routine to many of us.
This latest one actually happened in 2012, when LinkedIn, and later EHarmony, revealed that hackers had stolen the login info for about 6.5 million users. The new development is the revelation it actually affected over 100 million users. (Yes, that’s significantly more.)
LinkedIn has said in a blog post that it has "demanded that parties cease making stolen password data available" and will consider legal action if they don’t comply. And for now, the company is using what it calls “automated tools" to try to catch any suspicious activity.
If you use LinkedIn, chances are you’re among the 117 million users who need to change their password. Even if you’re not, you might consider strengthening it anyway.
“We’ve begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach,” wrote May Chow of LinkedIn’s corporate communication, in an email to the Los Angeles Times. "We’re also continuing to notify members via email and banners on our site.”
Most of us have become a bit nonchalant about breaches. However, an information security professor advises that we need to take more responsibility for our own security.
In fact, San Diego State’s Murray Jennex says that if you are online at all, you can assume you’ve been hacked.
“Everyone in the U.S. has probably been hacked once,” he said.
Technology has become intertwined in how we function individually and as a culture. But the nature of our digital lives has created penetrable doors to our personal data. In his classes, Murray asks students to do a risk assessment of themselves. Often there are almost 300 different information sets – think of all of your accounts, from Netflix and Amazon to Twitter, Facebook, Flickr and Instagram. Each one is a door to your data.
The reality is we often get lazy with our password construction. We may use the same simple, personally meaningful passwords, sometimes deviating only slightly across websites -- which makes them highly hackable.
“Part of the problem is ... it’s hard for us to remember large numbers of passwords,” Murray said. "We’re set up to be hacked, just by being human.”
He advises assuming that, regardless of where it’s posted, everything online is public: "Nothing is private.”
Back to LinkedIn. Hacked-data search engine LeakedSource claims to have obtained the user data as well. Motherboard reports that LeakedSource provided a sample of almost a million credentials, including email addresses, encrypted passwords and the corresponding hacked passwords. It claimed so far to have cracked “90% of the passwords in 72 hours.”
LinkedIn’s Chow tells The Times that the Mountain View, Calif., company is working to figure out "how many of what is purported to be available in this data set are current and/or active.”
As noted in the blog post from LinkedIn, changing your password on a regular basis “is always a good idea and you don’t have to wait for the notification.”
Chat me up on Twitter: @mmaltaisLA