BU Today


LinkedIn Hacking: What You Need to Know

BU expert suggests changing passwords elsewhere too


People who changed their LinkedIn password in the wake of a recent hack attack that exposed more than six million of those passwords may still be at risk of further security breaches, according to BU’s cyber-safety chief.

Quinn Shamblin, Information Services and Technology executive director of information security, advises people to change the password on any other sites and accounts where they’ve used their LinkedIn password. His warning follows criticisms by experts of lax security at career-networking site LinkedIn.

“Most people use the same password in lots of places,” Shamblin says. “So when a hacker cracks your LinkedIn password, he or she will immediately try that password on Facebook, Gmail, Yahoo! and other popular sites.” Accessing a person’s email in particular reveals institutions that the victim deals with, possibly enabling the hacker to breach accounts with banks, credit card companies, and vendors like PayPal and Amazon, he says.

LinkedIn and the dating site eHarmony, which apparently lost 1.5 million passwords to the same hacker, have been alerting users whose passwords they believe were compromised. Shamblin worries that young people at BU and elsewhere are especially vulnerable.

“Our students are starting to work on their professional network, and so there is a good chance that many of them are on LinkedIn or eHarmony or Last.fm, all of which have had breaches of their password databases in recent months,” he says.

He also advises students to be on guard against phony phishing messages urging them to change passwords. “I guarantee that we will shortly see emails claiming to be from these sites, providing a link to change their password. But the link doesn’t actually go to the site in question,” Shamblin says, “but rather to a web page infected with malware or some other malicious intent.”

There are ways to spot such scams, he says. The message may claim to be from a compromised site, such as LinkedIn, but then ask you to click a link that doesn’t go to LinkedIn at all (www.weswearwerelegit.com, to use Shamblin’s made-up example). In other cases, the link text may look like a LinkedIn address, but if you hover your cursor over it without clicking, your browser will show where the link actually leads, revealing a phony site. And, says Shamblin, you should be suspicious of any unintelligible links—something such as http://182.34.56.0.@3476544375/o%62s%63ur%65%. Find advice from the University on detecting a phishing email here.
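
The warning signs in that paragraph can be checked mechanically. The script below is an added example, not code from BU Today or from Shamblin: given the link's real target (what a hover reveals), the site the message claims to come from, and the visible link text, it reports a target outside the claimed domain, a decoy address in front of an `@`, a host written as a bare number, and a percent-encoded path. The function names are hypothetical and the sample links are constructed for the demonstration; the obscured one is the article's own example.

```python
"""Checks for the phishing-link warning signs described in the article.

Added example, not code from BU Today or from Shamblin. Function names are
hypothetical; the sample links are constructed for the demonstration.
"""
import ipaddress
from urllib.parse import unquote, urlsplit


def belongs_to(host: str, domain: str) -> bool:
    """True when host is the claimed domain itself or a subdomain of it."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def link_warnings(href: str, claimed_domain: str, display_text: str = "") -> list:
    """Return human-readable warnings for a link in a 'change your password' email.

    href           the real target (what a hover reveals)
    claimed_domain the site the message says it comes from, e.g. 'linkedin.com'
    display_text   the visible link text, if any
    """
    warnings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    # The browser ignores everything before the last '@' in the authority part,
    # so '182.34.56.0.' in the article's example is a decoy, not the destination.
    if "@" in parts.netloc:
        decoy = parts.netloc.rpartition("@")[0]
        warnings.append(f"'{decoy}' before '@' is ignored; the real host is '{host}'")

    # A host made only of digits is an IP address, here written as one decimal number.
    if host.replace(".", "").isdigit():
        note = f"host '{host}' is a number, not a site name"
        try:
            note += f" (it decodes to {ipaddress.ip_address(int(host))})"
        except ValueError:
            pass  # dotted form or out of range: still a number, just not decodable
        warnings.append(note)

    # Percent-encoded letters in the path usually exist only to make it unreadable.
    if unquote(parts.path) != parts.path:
        warnings.append(f"path is obscured with percent-encoding; it reads '{unquote(parts.path)}'")

    if not belongs_to(host, claimed_domain):
        warnings.append(f"link leads to '{host or '(no host)'}', not to {claimed_domain}")

    # Visible text naming one address while the target is another is the
    # mismatch a hover exposes.
    text = display_text.strip().lower()
    if "://" in text or text.startswith("www."):
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if shown and shown != host:
            warnings.append(f"link text shows '{shown}' but the target is '{host}'")

    return warnings


# Constructed sample links for a message claiming to come from LinkedIn:
# (real target, visible link text).
SAMPLES = {
    "genuine": ("https://www.linkedin.com/example-reset",
                "https://www.linkedin.com/example-reset"),
    "other_site": ("http://www.weswearwerelegit.com/linkedin/reset",
                   "https://www.linkedin.com/reset"),
    "obscured": ("http://182.34.56.0.@3476544375/o%62s%63ur%65%",
                 "Reset your password"),
}


def scan_samples(claimed_domain: str = "linkedin.com") -> dict:
    """Run the checks over every sample; returns {name: [warnings]}."""
    return {name: link_warnings(href, claimed_domain, text)
            for name, (href, text) in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name}: {'looks genuine' if not found else ''}")
        for warning in found:
            print("  -", warning)
```

The decoy-address check relies on a fact about URL syntax rather than on any list of bad sites: whatever precedes the last `@` in the authority is treated as a username, so the address a reader sees first is not where the browser goes. The same parsing rule is what `urlsplit` applies, which is why the script and the browser agree on the real host.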

LinkedIn apologized for the breach in a statement on June 6.

Shamblin offers these security tips:

  • Consider using a password management tool. These tools allow you to store and encrypt multiple passwords. “This lets you have a different password for every site, and the passwords can be very strong, but you don’t have to remember all those strong passwords,” he says. The tool itself requires a password, but once you type it in and then go to a website, the tool enters that site’s password for you. A breach of one site doesn’t jeopardize your info on other sites, since each site has a different password. Shamblin suggests shunning built-in managers offered by some Web browsers, recommending instead “stand-alone” managers such as KeePass, Password Safe, or 1Password, which are free. For-sale managers may offer enhanced features, he says.
  • Don’t use your email password for anything else. Ditto for your banking password.
  • You can use the same password for credit card sites and PayPal, but don’t use it for other types of sites.
  • Use a generic password for sites that don’t have any of your personal information. And make sure any social sites and those with your credit card information, such as Amazon.com, have different passwords than for those low-security, non-personal-info sites.
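
The first tip describes how a stand-alone password manager works: one master password unlocks a vault that holds a different, randomly generated password for every site. The following model is an added example, not code from KeePass, Password Safe, 1Password, or BU; it is a simplified stand-in for how such tools work, using only Python's standard library. The vault key is derived from the master password with PBKDF2-HMAC-SHA256 and each entry is protected with an HMAC-SHA256 keystream plus a separate HMAC tag (encrypt-then-MAC), a construction chosen so the example runs offline; real managers use an authenticated cipher such as AES-GCM. The class and function names, the site names and the passwords are all constructed for the demonstration. The last function makes the article's reuse point concrete: it lists the sites an attacker could enter with a password stolen from one breached site.

```python
"""Model of a stand-alone password manager: one master password unlocks a
vault of unique, randomly generated site passwords.

Added example, not code from KeePass, Password Safe, 1Password or BU.
Standard library only; the cipher construction is a stand-in for the
authenticated encryption real managers use.
"""
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
NONCE_LEN, TAG_LEN = 16, 32


def generate_password(length: int = 20) -> str:
    """A fresh random password from a CSPRNG, never reused across sites."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_key(master: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Slow, salted derivation so the master password resists offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and authentication keys from the one vault key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a pseudorandom stream tied to the nonce."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong master password or an edited file fails here."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Vault:
    """What the tool keeps on disk is the salt and the sealed entries, never the key."""

    def __init__(self, master: str, salt: bytes = None, entries: dict = None):
        self.salt = salt if salt is not None else os.urandom(16)
        self.entries = dict(entries or {})
        self._key = derive_key(master, self.salt)

    def add(self, site: str, password: str = None) -> str:
        """Store a password for site (a generated one if none is given)."""
        password = password or generate_password()
        self.entries[site] = seal(self._key, password.encode())
        return password

    def get(self, site: str) -> str:
        """Decrypt one entry; this is what the tool types into the login form."""
        return open_sealed(self._key, self.entries[site]).decode()


def reuse_exposure(site_passwords: dict, breached_site: str) -> list:
    """Sites an attacker can enter with the password stolen from breached_site."""
    stolen = site_passwords[breached_site]
    return sorted(site for site, pw in site_passwords.items() if pw == stolen)


if __name__ == "__main__":
    vault = Vault("a long master passphrase")  # constructed sample
    for site in ("linkedin.com", "gmail.com", "example-bank.com"):
        vault.add(site)
    unique = {site: vault.get(site) for site in vault.entries}
    print("exposed by a LinkedIn breach:", reuse_exposure(unique, "linkedin.com"))
    reused = {site: "Summer2012!" for site in unique}  # the habit the article warns about
    print("with one reused password:", reuse_exposure(reused, "linkedin.com"))
```

Two design points carry the article's argument. The salt and the sealed entries are the only things written to disk, so a copy of the vault file is useless without the master password, which PBKDF2 makes slow to guess. And because every stored password comes from `generate_password`, `reuse_exposure` returns only the breached site itself, whereas with one shared password it returns every site.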

This story was originally published on June 13, 2012.

Rich Barlow

Rich Barlow can be reached at barlowr@bu.edu.

7 Comments on LinkedIn Hacking: What You Need to Know

  • Meg on 06.13.2012 at 6:22 am

    What password management tools would Shamblin recommend? Are any easy to use while on the go? I do most of my web surfing/purchasing on my iPhone. Thanks.

  • Mike on 06.13.2012 at 8:30 am

    Heh. Interesting that this article recommends a password management tool when the BU auth/login page specifically disallows such tools…

  • Eduardo on 06.13.2012 at 10:49 am

    I am not able to access my account, and have not received the email targeting.

  • Dawn on 06.13.2012 at 11:31 am

    These password manager companies must love it when this happens. A million articles just like this one that are talking about password managers start to be posted the minute there are reports of passwords being stolen. People need to understand that neither the strength of your password nor having it locked up in Fort Knox will mean anything when it is stolen from the source! People need to be talking less about passwords and more about other steps that need to be implemented, like some form of 2FA where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. If they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.

  • Jeanie on 06.13.2012 at 3:07 pm

    Yeah, I agree with Dawn, the password managers must be getting tons of press. I have always used roboform for the past few years, so I create a different password for each login with the password generator, so even if my password gets leaked by hackers they can’t use my passwords on any other of my logins.

  • Barbara on 10.02.2012 at 10:57 am

    According to the website, 1Password isn’t free. It costs $50. KeePass and Password Safe both are free.
