Yet another mega money-making company has failed to protect its greatest resource: customer information.
Recent reports indicate that a database full of encrypted passwords of LinkedIn users was lifted from right under LinkedIn's nose.
LinkedIn verified and then apologized for the breach. Sorry, they said. Sorry for what? Was this an accident? Sorry for... having lax security? Sorry we failed you? No, they said they are sorry for the "inconvenience".
Yes, it is very inconvenient for the criminals in Russia to now have closer access to my work history, my friends' work histories, contact information, private messages containing PII, and identity-theft material on me and thousands of connected users.
I DO feel a little better knowing that the usernames were not stored with the passwords, though it's unknown whether the two can be associated. So, really, we're all sitting around here, hoping and guessing they don't have enough information on us to log in... I can't help but feel even more vulnerable.
Aren't you a little tired of companies being sorry for the "inconveniences" they may have caused you? Especially if you've been a victim of identity theft, having to change cards, close accounts, deal with a bad credit score... etc. Dealing with everyone involved in getting your identity restored can take years! It takes a financial and mental toll.
One can assume that poor security practices led to the password database ending up in Russia. We can also say that the best security practices were not applied to the security of our passwords: LinkedIn did not "salt their hash" and therefore the passwords were much more vulnerable to simple brute force attacks once the Russians got ahold of them.
Wouldn't salting the hash be considered reasonable security practice? I guess LinkedIn now thinks so, because as a result of this loss, they now salt their hash.
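To make the salting point concrete, here is an added example (my own code, not LinkedIn's or the post author's) with constructed sample users. It contrasts the unsalted scheme the post describes with a per-user random salt plus a slow key-derivation function, and shows why shared passwords collapse to a single hash when no salt is used.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: two unrelated accounts that happen to share a password.
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "correct horse"}

def hash_unsalted(password: str) -> str:
    """Unsalted SHA-1, the weak scheme the post says was in use at the time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'iterations$salt_hex$digest_hex' so verification can recover the salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

def distinct_hashes(users: Dict[str, str], salted: bool) -> int:
    """How many distinct stored values a database of these users would contain.
    With no salt, shared passwords collapse to one hash, so one precomputed table
    entry or one successful guess exposes every account in that group at once."""
    fn = hash_salted if salted else hash_unsalted
    return len({fn(pw) for pw in users.values()})

if __name__ == "__main__":
    print("unsalted distinct:", distinct_hashes(USERS, salted=False))  # 1: both leak as one hash
    print("salted distinct:", distinct_hashes(USERS, salted=True))     # 2: no cross-user reuse
    record = hash_salted("correct horse")
    print("verify ok:", verify_salted("correct horse", record))        # True
    print("verify wrong:", verify_salted("incorrect horse", record))   # False
```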
Folks, that is called 'reactive security mitigation', and to me that means LinkedIn was negligent in its proactive diligence. You don't wait until you have an incident to review your information security and make changes. And what this really says to me is that LinkedIn is not serious about securing our data.
The failure rate of these so-called 'stewards' of our information is very alarming, and in my opinion it's time to hit them where it hurts - in their wallets. Time to punish companies that lose your data as a result of substantiated negligent security practices. Period.
Anyone who fails this duty and completely disregards the safety and security of our information needs to be held accountable. It's the only way to get these companies to take better care of our information.
I don't know if LinkedIn was truly negligent, but if I were LinkedIn, I'd offer more than an apology for an inconvenience; I'd start giving out some premium services or something worth... something!