One of the first things Internet users do when they sign up for a new service, or become a member of a website, is register a password they believe to be unique. This password is often the main form of visible security users have, and they trust websites with them. If a hacker gets hold of a password, it’s a big problem. This recently happened to LinkedIn users.
LinkedIn is a popular social media site that caters to professionals and helps them to network and find jobs. In the past few days, news stories have emerged about how members’ passwords were leaked online.
How passwords work
The password you enter to access a website like LinkedIn acts as a handshake to confirm that the user trying to access the account is who they say they are. Remember the last time you signed up for a new account, and had to enter the password you’re going to use? The owner of the website stores that password in a, normally encrypted, file and tells the Web page to reference this file when you log in. If the passwords match, you’re allowed in. If not, you get the password error page.
A hacker discovered a way to exploit the calendar feature in the LinkedIn mobile app. Basically, when the calendar in LinkedIn was updated, the information, including your password is encrypted and sent to LinkedIn’s servers, which then update your profile with the information. The hacker developed a way to grab the encrypted password data for around 6.4 million users.
The hacker then published the encrypted passwords online for other people to decrypt. LinkedIn has released an update to the mobile apps to plug this leak, but the passwords are still online.
What does this mean for me?
The chances of your account’s password being among the ones leaked is pretty small. However, if your password was posted, someone with programming and encryption knowledge could decipher it, and gain access to your account. If this happens, this poses a security risk as they will be able to access any and all data you have stored on that account. Beyond that, if you use the password for other accounts, they could gain access to them also.
How do I know if my password was compromised?
LinkedIn knows of the leak and has taken steps to minimize the damage.
- When you next try to log in to your LinkedIn account, you’ll get a message telling you the password no longer works.
- LinkedIn has emailed users whose passwords have been leaked informing them to change their password. This email has no links in it, so if you get an email supposedly from LinkedIn with links to change your password, DON’T click on the link. There have been reports of such emails (with links) being sent out. These emails are phishing schemes which aim to steal your password.
- LinkedIn will send you a follow-up email explaining more about what happened and why you were asked to change your password.
Alternatively, you can go to lastpass.com and test your password.
If you haven’t received an email, your password probably wasn’t leaked. We do suggest that, for security reasons, you change your LinkedIn password as soon as you can. You can do this by:
- Going to LinkedIn’s website and logging in.
- Hovering your mouse over your name in the top right corner of the window and selecting Settings from the drop down menu.
- Clicking on Account located in the pane underneath your profile picture. If you don’t see Account click on the grey shield icon.
- Selecting Change password and following the instructions.
If you feel that your accounts are unsecured, or would like to enhance your current security, please contact us. We may have a solution for you.