Last night, Russian hackers compromised over six million passwords on the LinkedIn network and posted them in plaintext on hacker forums around the net. Though it is a major security breach, judged by the severity of the information disseminated it poses only a moderate risk to the average user, compared to more devastating breaches like the Sony hack from last year. Here’s why:
The passwords released were not linked to accounts.
We took a look at the actual data released and found that they were only able to compromise the passwords, not the username or email associated with the account. There’s no way of telling which password goes with which user account. That means that your LinkedIn account, or any other account sharing the same password, is safe, as hackers didn’t retrieve enough information to be able to log into your accounts.
Only a small fraction of LinkedIn accounts were compromised.
Of the 161 million professionals who use the site, about six million had their passwords leaked. That’s about 4% of the site’s users, so you’re about 25 times more likely to have a secure password than a compromised one.
No billing information was compromised.
The Sony hacks compromised emails, passwords, names, phone numbers, postal addresses, and billing information, including credit card numbers, expiration dates, and security codes. The LinkedIn hackers only retrieved passwords; there is no information available linking passwords to users, either in real life or through online accounts.
If your password was compromised, your account has been locked.
Good disaster management by LinkedIn led to a near-immediate response when the breach was discovered. Compromised users who visit LinkedIn will find that their passwords simply no longer work. Instructions on how to re-activate your LinkedIn account will be available on this page if your password was compromised.
LinkedIn is notifying users who have been compromised.
LinkedIn has scheduled a series of emails notifying users with compromised accounts that their passwords may be available in the public domain. If you reuse your LinkedIn password on any other site, you’ll be able to change it there as well once you receive a notification.
But… Is that all the information the hackers retrieved?
Just because hackers only released six million passwords doesn’t mean that more detailed account information, or the rest of the passwords, is not circulating on the black market. We may see a release of more information in the coming days, or, if the information is sold directly to a cybercriminal organization like the Russian mafia, we may never learn the full breadth of the breach. For this reason, and for this reason alone, you should treat this compromise as a serious risk and change your LinkedIn password, as well as any other passwords associated with your LinkedIn email address.