Saturday, 9 June 2012

Poor security

It’s now several days since I read online that LinkedIn’s security had been breached and a Russian hacker’s site had apparently published nearly 6.5 million passwords.  LinkedIn has 150 million users, so this was less than 5%, but that wasn’t much comfort.

I read lots of advice re what to do, and the idea that stood out, for me, was that there was no point in changing a potentially hacked password if the hack had not been fixed, as this was tantamount to handing my new password to the hackers.  So I waited to hear from LinkedIn.

Meanwhile, I found a website that invited LinkedIn users to submit their password to see if it was on the hacked list.  (You didn’t have to enter your account, just your password.)  I tested it with a random number/letter list, and was told this wasn’t on the list, then entered my real password and was told it was.  The advice was to change it immediately, and any other sites where I use the same password, but I hadn’t heard anything from LinkedIn, so I did nothing.
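Typing a real password into a third-party "is it leaked?" page is itself a risk, because the page could simply be collecting passwords. What was actually published in the LinkedIn dump was a list of unsalted SHA-1 hashes rather than plaintext passwords, so the check can be done entirely on your own machine: hash the candidate and look the hash up in the list. The snippet below is an added illustration of that check, not code from this post or from any checker site (whether the site mentioned above hashed in the browser is an assumption; it is not stated here). The "leaked" list is constructed for the example, and the third entry mimics a quirk of the 2012 dump, where a subset of hashes had their first five hex characters overwritten with zeros, so the lookup has to tolerate a masked prefix.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, lower-case hex: the format of the 2012 dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed sample standing in for the leaked list; these are NOT real dump entries.
# The last entry has its first five hex characters masked with "00000", as a subset
# of the real dump did.
LEAKED_HASHES = {
    sha1_hex("linkedin"),
    sha1_hex("password"),
    "00000" + sha1_hex("letmein")[5:],
}

def is_leaked(password: str, leaked) -> bool:
    """Return True if the password's hash is in the leaked set.

    The plaintext never leaves this process; only a local hash is compared.
    Handles both exact hashes and the masked-prefix ("00000...") variant.
    """
    h = sha1_hex(password)
    if h in leaked:
        return True
    # Masked variant: compare on the unmasked 35-character suffix.
    return ("00000" + h[5:]) in leaked

def check_many(passwords, leaked=LEAKED_HASHES) -> dict:
    """Check several candidate passwords at once; returns {password: leaked?}."""
    return {p: is_leaked(p, leaked) for p in passwords}

if __name__ == "__main__":
    # Usage: the third candidate is a random-looking one that should not match.
    results = check_many(["linkedin", "letmein", "xq7!Vb2#pLw9"])
    for pw, hit in results.items():
        print(f"{pw!r}: {'on the leaked list' if hit else 'not on the list'}")
```

For a real dump you would load the hash list from the published file instead of the constructed set, and you would want a constant-time comparison only if the list were secret, which a public dump is not. The point is that the plaintext password is never sent anywhere; changing it everywhere it was reused is still the right response if the hash is found.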

Then LinkedIn announced that they had confirmed the hack and were taking action.  Still no direct communication from them.  I read elsewhere that if my password was one of the hacked ones I would get an email from LinkedIn.  This morning that email finally arrived.

I’ve changed my password.  And yes, I was using it on several other sites too, despite knowing it was a relatively insecure password, so I’ve spent some time this morning changing them all.  It’s been a poor showing by LinkedIn, but I have to acknowledge my own security has been poor too, and it looks like I’ve been lucky in getting this wake-up call, with (hopefully) no damage done.

I wonder whether the hackers deliberately targeted and published weaker passwords like mine?  In any case, I suspect we haven’t heard the last of this.
