LinkedIn Hacking: What You Need to Know

BU students whose LinkedIn passwords were hacked may need to change their passwords for other confidential sites.

People who changed their LinkedIn password in the wake of a recent hack attack that exposed more than six million of those passwords may still be at risk of further security breaches, according to BU’s cyber-safety chief.

Quinn Shamblin, Information Services and Technology executive director of information security, advises people to change the password on any other sites and accounts where they’ve used their LinkedIn password. His warning follows criticisms by experts of lax security at career-networking site LinkedIn.

“Most people use the same password in lots of places,” Shamblin says. “So when a hacker cracks your LinkedIn password, he or she will immediately try that password on Facebook, Gmail, Yahoo! and other popular sites.” Accessing a person’s email in particular reveals institutions that the victim deals with, possibly enabling the hacker to breach accounts with banks, credit card companies, and vendors like PayPal and Amazon, he says.

LinkedIn and the dating site eHarmony, which apparently lost 1.5 million passwords to the same hacker, have been alerting users whose passwords they believe were compromised. Shamblin worries that young people at BU and elsewhere are especially vulnerable.

“Our students are starting to work on their professional network, and so there is a good chance that many of them are on LinkedIn or eHarmony or Last.fm, all of which have had breaches of their password databases in recent months,” he says.

He also advises students to be on guard against phony phishing messages urging them to change passwords. “I guarantee that we will shortly see emails claiming to be from these sites, providing a link to change their password. But the link doesn’t actually go to the site in question,” Shamblin says, “but rather to a web page infected with malware or some other malicious intent.”

There are ways to spot such scams, he says. The message may claim to be from a compromised site, such as LinkedIn, but then asks you to click a link that’s not to LinkedIn at all (www.weswearwerelegit.com, to use Shamblin’s made-up example). In some cases, the link may claim to be from LinkedIn, but if you hover your cursor on it without clicking, it will indicate if it’s actually taking you to a phony site. And, says Shamblin, you should be suspicious of any unintelligible links—something such as http://182.34.56.0.@3476544375/o%62s%63ur%65%. Find advice from the University on detecting a phishing email here.

LinkedIn apologized for the breach in a statement on June 6.

Shamblin offers these security tips:

• Consider using a password management tool. These tools allow you to store and encrypt multiple passwords. “This lets you have a different password for every site, and the passwords can be very strong, but you don’t have to remember all those strong passwords,” he says. The tool itself requires a password, but once you type it in and then go to a website, the tool enters that site’s password for you. A breach of one site doesn’t jeopardize your info on other sites, since each site has a different password. Shamblin suggests shunning built-in managers offered by some Web browsers, recommending instead “stand-alone” managers such as KeePass, Password Safe, or 1Password, which are free. For-sale managers may offer enhanced features, he says.
• Don’t use your email password for anything else. Ditto for your banking password.
• You can use the same password for credit card sites and PayPal, but don’t use it for other types of sites.
• Use a generic password for sites that don’t have any of your personal information. And make sure any social sites and those with your credit card information, such as Amazon.com, have different passwords than for those low-security, non-personal-info sites.

This story was originally published on June 13, 2012.