One year ago this month, 6.5 million passwords were taken from LinkedIn. Last week, the company proved they are still fine-tuning their security posture by introducing two-factor authentication to the mix.
It was the story of the summer in 2012. LinkedIn, 24-hours after the story broke, confirmed that a list of 6.5 million passwords uploaded to a Russian forum came from their site. Given LinkedIn’s connection to the business world online, such a security incident had a wide reach. LinkedIn never commented on the results of their internal investigation into the incident, but it remains one of the largest breaches on record for the year.
What was confirmed however is that the stolen passwords were stored without salt, an extra measure of password protection when combined with a hashing algorithm (LinkedIn used SHA-1). The lack of salt allowed the members of the Russian forum to crack all 6.5 million passwords in less than two weeks.
Part of the recovery included password changes, which would introduce new protections including “hashing and salting of our current password databases,” LinkedIn noted in a statement at the time.
Later it was disclosed in their Q2 2012 financials that the breach cost LinkedIn upwards of $1,000,000, most of which was used for forensics work and other incident response measures. The company’s CFO, Steve Sordello said that an additional $2-3 million would be spent on additional network protections.
It would seem then, that some of that money went into the development and implementation of two-factor authentication. The option was announced this week in a blog post.
“At LinkedIn, we are constantly looking for ways to improve the security of our members’ accounts,” wrote Vicente Silveira. The option to enable two-factor authentication is available now, and centers on sending a randomly generated code via SMS to the user’s phone. Instructions for enabling it can be found here.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
