Yesterday, LinkedIn clarified its efforts to contain the password breach that occurred last week. In an e-mail to members of the media, it summarized its work to secure its site after a breach that revealed more than 6 million user passwords.
As we reported, there didn’t seem to be any immediate danger to member accounts (and LinkedIn confirmed this). There was some additional concern about how the breach occurred and how LinkedIn would respond to ensure that a future breach wouldn’t allow passwords to be revealed.
According to the e-mail, by June 7 (a day after the breach) LinkedIn had disabled the user passwords that were impacted. Its customer service team reached out to those users and let them know how to reset their passwords. As of yesterday, there had been no compromised accounts. LinkedIn also made sure to clarify that it had seen no impact on its signup numbers or on the number of people leaving the network.
LinkedIn also clarified that passwords are now both hashed and salted (previously, they had only been hashed). In case you think this turned into a conversation about breakfast food, Joe Basirico, director of security services for Security Innovation, explained the difference in a post last week:
What could LinkedIn have done to protect you from your own poor password choice? Well, they could have required a Password Policy, but everybody seems to hate those. They could have also added Salt. No, not that salt, this Salt.
In software we call a chunk of random data that we add to passwords “salt.” Since your password is so easily guessable, it’s likely it already exists in somebody’s Rainbow table, so the lookup would be really quick and easy. We want to make them work for it. So for each user I generate, say, 10 extra random characters to add to each password. This means I generate some random characters “7%bKeVm!fN” and add that to your password, turning it into LvBieber7%bKeVm!fN. If I do this for every user, the hacker has to generate a rainbow table for each user independently.
If you want to get into the specifics of the security measures, that post (and the thread on Reddit) is a great start.
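The difference between hash-only and salted storage described above, as an added example that is not part of the quoted post or LinkedIn's code. The user names, word list and SHA-256 for the hash-only case are assumptions, and PBKDF2 with a per-user salt stands in for the plain "append random characters" scheme in the quote.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts: two users picked the same weak password.
USERS = {"alice": "LvBieber", "bob": "LvBieber", "carol": "correct horse"}

def unsalted_hash(password: str) -> str:
    """Hash-only storage: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def precomputed_table(wordlist):
    """A lookup table built once (digest -> password), reusable against every user."""
    return {unsalted_hash(word): word for word in wordlist}

def exposed_by_table(db, table):
    """Which hash-only records are recovered by a single table lookup."""
    return {user: table[digest] for user, digest in db.items() if digest in table}

def salted_record(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def demo():
    hash_only = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    table = precomputed_table(["123456", "password", "LvBieber"])
    print("hash-only, recovered by lookup:", exposed_by_table(hash_only, table))

    salted = {user: salted_record(pw) for user, pw in USERS.items()}
    same = salted["alice"]["digest"] == salted["bob"]["digest"]
    print("salted digests equal for alice and bob:", same)
    print("alice logs in:", verify("LvBieber", salted["alice"]))

if __name__ == "__main__":
    demo()
```

The salt is stored beside the digest and is not secret; its job is to make each record a separate problem, so a weak password is still guessable, just not for free.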
Unfortunately, LinkedIn didn’t reveal how the breach occurred or what measures are being taken to prevent a future breach. It did say it was working with law enforcement and it was taking unspecified security measures.