InfoSec Blog - LinkedIn Breach Information

 

May 26, 2016

As you may already be aware, LinkedIn suffered a serious data breach in 2012. While the actual breach occurred a number of years ago, the data taken at that time has only become public within the last week and is now freely available on the internet. Data stolen in the breach included LinkedIn member email addresses and passwords. The passwords were encrypted; however, the encryption method used was very weak and most passwords can be cracked within hours (an interesting analysis of the most common passwords in the breach can be found here - http://fortune.com/2016/05/18/linkedin-breach-passwords-most-common/).

If you have a LinkedIn account affected by the breach, you should have already received a notification from LinkedIn advising you of the situation and describing the steps that the company is taking to address it. The Information Security team has also advised anyone using their University of Guelph email account with an impacted LinkedIn account to change both their LinkedIn and University passwords as a precaution.

 

This is also a good opportunity to remind the entire campus community to always practice good password security habits:

  • Ensure your University password is never used for any other accounts
  • Use unique passwords for all of your online accounts
  • Change your passwords on a frequent basis (i.e. every 6 months)
  • Always use a strong password or passphrase (see the InfoSec Blog “The Master Passphrase - One Password To Rule Them All”)
  • Consider using a password manager to keep track of all your passwords (see the InfoSec Blog “How I Learned to Stop Worrying and Love my Passwords”)
  • Use two-step verification on sites that offer it (LinkedIn offers this service and you can learn how to configure it here)

 

Additional information on the LinkedIn breach can be found here - https://blog.linkedin.com/2016/05/18/protecting-our-members and http://thehackernews.com/2016/05/linkedin-account-hack.html

 

Written by: Stephen Willem (Manager, CCS Information Security)