LinkedIn has clarified their efforts to contain the much talked-about password breach that occurred last week. In an email to members of the media late yesterday, they summarized their work to secure their site after a breach that revealed over 6 million user passwords.
As we reported here, there didn’t seem to be any immediate danger to member accounts (and LinkedIn confirmed this), although there was some additional concern about how the breach occurred and how they would respond to ensure that a future breach wouldn’t allow passwords to be revealed.
According to the email, LinkedIn had disabled the impacted user passwords by June 7 (a day after the breach). Their customer service team reached out to those users and let them know how to reset their passwords. As of yesterday, no accounts had been compromised. They also made sure to clarify that they had seen no impact on their sign-up numbers or on people leaving the network.
Passwords now hashed and salted
LinkedIn also clarified that passwords are now both hashed and salted (previously, they had only been hashed). In case you think this turned into a conversation about breakfast food, Joe Basirico, Director of Security Services for Security Innovation, explained the difference in a post last week:
What could LinkedIn have done to protect you from your own poor password choice? Well, they could have required a Password Policy, but everybody seems to hate those. They could have also added Salt. No, not that salt, this Salt.
In software we call a chunk of random data that we add to passwords “salt.” Since your password is so easily guessable it’s likely it already exists in somebody’s Rainbow table so the lookup would be really quick and easy. We want to make them work for it. So for each user I generate, say, 10 extra random characters to add to each password. This means I generate some random characters “7%bKeVm!fN” and add that to your password turning it into LvBieber7%bKeVm!fN. If I do this for every user the hacker has to generate a rainbow table for each user independently.
If you want to get into the specifics of the security measures, that post (and the thread on Reddit) is a great start.
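The quoted post can be made concrete with a short script. The following is an added example written for this article, not code from LinkedIn or from Security Innovation. It contrasts a bare unsalted hash (SHA-1 is assumed here for illustration; the article does not state which algorithm LinkedIn used) with a per-user random salt fed into a slow key derivation (PBKDF2, an assumed choice that goes one step beyond the plain concatenation the post describes). The user passwords and the "rainbow table" of common guesses are constructed sample data.

```python
"""Unsalted vs. salted password hashing, illustrating the point made in the
quoted post. Example code added to this article; not LinkedIn's or Security
Innovation's code. The unsalted algorithm (SHA-1) and the PBKDF2 parameters
are assumptions chosen for illustration, not a description of LinkedIn's setup."""
import hashlib
import os
import secrets
from typing import Optional

# --- The weak scheme: one hash of the bare password, no per-user salt -------

def unsalted_hash(password: str) -> str:
    """SHA-1 of the password alone. Every user with the same password gets
    the same digest, so one precomputed (rainbow) table of common passwords
    cracks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# --- The hardened scheme: random per-user salt + slow key derivation --------

PBKDF2_ITERATIONS = 200_000   # assumed work factor for illustration
SALT_BYTES = 16               # 128-bit random salt per user

def make_salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store the salt next to the derived key. Because the salt is random per
    user, identical passwords yield different records and an attacker must
    attack each record separately; no shared precomputed table applies."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": PBKDF2_ITERATIONS}

def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return secrets.compare_digest(dk.hex(), record["hash"])


# --- A toy "rainbow table": precomputed unsalted digests of common guesses --

COMMON_GUESSES = ["123456", "password", "linkedin", "LvBieber"]  # constructed

def build_lookup_table(guesses: list) -> dict:
    """Maps unsalted digest -> password. Built once and reused against every
    leaked digest; this reuse is exactly what salting defeats."""
    return {unsalted_hash(g): g for g in guesses}

def crack_unsalted(digest: str, table: dict) -> Optional[str]:
    return table.get(digest)

def crack_salted(record: dict, table: dict) -> Optional[str]:
    """The table holds unsalted digests, so looking up a salted record never
    hits: the table would have to be rebuilt for this one user's salt."""
    return table.get(record["hash"])


def demo() -> dict:
    """Two users who chose the same weak password (constructed sample data)."""
    alice_pw = bob_pw = "LvBieber"
    table = build_lookup_table(COMMON_GUESSES)

    alice_unsalted = unsalted_hash(alice_pw)
    bob_unsalted = unsalted_hash(bob_pw)
    alice_rec = make_salted_record(alice_pw)
    bob_rec = make_salted_record(bob_pw)

    return {
        "unsalted_identical": alice_unsalted == bob_unsalted,   # True
        "unsalted_cracked": crack_unsalted(alice_unsalted, table),  # "LvBieber"
        "salted_identical": alice_rec["hash"] == bob_rec["hash"],   # False
        "salted_cracked": crack_salted(alice_rec, table),           # None
        "login_ok": verify_salted("LvBieber", alice_rec),           # True
        "wrong_pw_rejected": not verify_salted("lvbieber", alice_rec),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the two users' unsalted digests colliding and falling to the precomputed table, while their salted records differ and the same table finds nothing. The salt is stored in the clear beside the hash; its job is not secrecy but forcing per-user work, which is why the derivation is also made deliberately slow.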
Unfortunately, LinkedIn didn’t reveal how the breach occurred or what measures are being taken to prevent a future breach. They did say they were working with law enforcement and they were taking unspecified security measures.