One year ago this month, 6.5 million passwords were taken from LinkedIn. Last week, the company proved they are still fine-tuning their security posture by introducing two-factor authentication to the mix.
It was the story of the summer in 2012. LinkedIn, 24-hours after the story broke, confirmed that a list of 6.5 million passwords uploaded to a Russian forum came from their site. Given LinkedIn’s connection to the business world online, such a security incident had a wide reach. LinkedIn never commented on the results of their internal investigation into the incident, but it remains one of the largest breaches on record for the year.
What was confirmed however is that the stolen passwords were stored without salt, an extra measure of password protection when combined with a hashing algorithm (LinkedIn used SHA-1). The lack of salt allowed the members of the Russian forum to crack all 6.5 million passwords in less than two weeks.
Part of the recovery included password changes, which would introduce new protections including “hashing and salting of our current password databases,” LinkedIn noted in a statement at the time.
Later it was disclosed in their Q2 2012 financials that the breach cost LinkedIn upwards of $1,000,000, most of which was used for forensics work and other incident response measures. The company’s CFO, Steve Sordello said that an additional $2-3 million would be spent on additional network protections.
It would seem then, that some of that money went into the development and implementation of two-factor authentication. The option was announced this week in a blog post.
“At LinkedIn, we are constantly looking for ways to improve the security of our members’ accounts,” wrote Vicente Silveira. The option to enable two-factor authentication is available now, and centers on sending a randomly generated code via SMS to the user’s phone. Instructions for enabling it can be found here.