This has been a rough day for LinkedIn in terms of security.
First their iOS app was discovered to be transmitting details of meetings in plain text, when users opted to sync their calendar with the LinkedIn servers. This means that any text that was included in the meeting (including phone numbers, names of attendees, or any other confidential data) was at risk of being swiped in transit. An update is now available, and LinkedIn has published a statement which discusses the changes that were made to fix this issue.
And then a more concerning development: A Russian hacker has posted a list of password hashes on a public forum, that appear to have been taken from LinkedIn. The details of this event are still being investigated, but what this means to you and me can be boiled down pretty simply.
- Your LinkedIn password is publicly available, though this is currently in encrypted format. It’s not likely to stay encrypted for long.
- If the hackers have your password, the odds are very good that they also have your username and other details.
- If you use this username and password combination on any other site, it is imperative that you change your password on the other site as well as LinkedIn.
- LinkedIn has not yet identified the cause of the breach, which means they haven’t fixed it yet either.
- You should change your password on LinkedIn now, using a strong password that you do not use on any other site.
- You should change your password again soon, as the hole the hackers came through is still open.
- If you use LinkedIn Premium, be aware that your credit card information may be compromised.
Also bear in mind that this may be used in the near future by phishers. You should only change your password by going directly to LinkedIn, not through an email.