LinkedIn (maybe) just leaked your password, won’t tell you; change it now

I’ve posted a few times over the years about the … disappointing … state of LinkedIn’s engineering. But this takes the biscuit: it appears they were storing their users’ passwords as unsalted hashes, and a file of those hashes has now been leaked:

http://news.ycombinator.com/item?id=4073309

(that page has links + info on how to check whether the hash of your own password is in the mega list)

How bad is this?

  1. Many people have hashed the personal, unique passwords they say they only ever used on LinkedIn.com – and found the hash in the file.
  2. LinkedIn hasn’t told its users about the possible leak, more than 24 hours after the file surfaced.
  3. Many users re-use their passwords on other sites; anyone with the file could easily have taken over accounts on other sites by now.

How unlucky is LinkedIn?

The hashes in this file are unsalted: every user who picked the same password has the identical hash, so one pass over a wordlist cracks all of them at once, and precomputed tables work out of the box. That’s about as smart as locking your front door and then leaving the key under the mat – on the outside.

  1. Every tutorial, book, “newbie guide”, etc. about using databases and writing login pages tells you never, ever to do what was done here.
  2. For any tech team, it is easy to check whether this is what you’re doing (look at two users with the same password: if the stored values match, you have no salt) and tell your boss “uh, we need to fix that”.
  3. It only takes a few *minutes* to prevent this problem, permanently: a random per-user salt plus a deliberately slow hash, and re-hash each user on their next login. It’s not difficult.
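To make the point concrete, here is an added example (mine, not LinkedIn’s code and not from the HN thread) showing both halves: the self-check described above, which is the same one-line operation an attacker uses to crack every user at once when hashes are unsalted, and the fix from the list. It assumes the dump is one unsalted SHA-1 hex digest per line, which is an assumption for illustration (the post only says the hashes are unsalted), and uses a constructed four-entry "leak" instead of the real file.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the leaked file: unsalted SHA-1 digests of a few
# weak passwords, one hex digest per entry. SHA-1 is an assumption for the
# example; the only thing the post establishes is that there is no salt.
LEAKED_HASHES = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ["password", "linkedin", "123456", "hunter2"]
}


def in_leak(password, leaked=LEAKED_HASHES):
    """Self-check: is the unsalted hash of `password` in the dump?

    Because there is no salt, this is also all an attacker needs: hash a
    wordlist once and every user who chose that word lights up.
    """
    return hashlib.sha1(password.encode()).hexdigest() in leaked


def crack_unsalted(leaked, wordlist):
    """One dictionary pass over the whole dump. Returns {hash: password}."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in leaked if h in table}


# The fix: a random per-user salt and an iterated, deliberately slow hash.
# PBKDF2-HMAC-SHA256 from the standard library is used here; the stored
# string carries everything needed to verify later.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Hash a new password with a fresh 16-byte random salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # The self-check from the HN thread, against the constructed dump.
    print("hunter2 leaked?", in_leak("hunter2"))
    # What the attacker does with an unsalted dump: everything at once.
    print("cracked:", crack_unsalted(LEAKED_HASHES, ["password", "123456", "qwerty"]))
    # With a salt, two users with the same password get different records,
    # so no shared table and no one-pass cracking.
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("same password, same record?", a == b)
    print("verify ok?", verify_password("hunter2", a), verify_password("hunter3", a))
```

The iteration count is a cost knob, not a magic number: raise it as hardware gets faster, and since the count is stored alongside each hash, old records still verify while new ones use the higher setting.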

If LinkedIn were a small site, with a few hundred thousand users, I’d accuse them of laziness. But with 165 million users, and a public company, you’d be looking at stunning incompetence by the tech wing of the company (the CIO and CTO never bothered to audit their own security?), or wilful negligence (no-one knew? really?).

Here’s hoping it’s a hoax…

2 replies on “LinkedIn (maybe) just leaked your password, won’t tell you; change it now”

As if storing unsalted passwords wasn’t bad enough, the thing that irks me even more about this is, as ever, how low key they’ve kept it. When a website gets hacked / breached, I _never_ find out from the site itself — it’s always from friends or other websites.
