Tuesday, December 14, 2010

Gawker was hacked yesterday. Today LinkedIn?

Yesterday we learned Gawker was hacked. I got this message today ...

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:
....
The LinkedIn Team

My LinkedIn password was not the same as the disposable Gawker password. It wasn't an ultra secure 64 character random string, but it was a 5th percentile good quality password, one of my class III credentials. It wouldn't fall to a standard attack.

So was LinkedIn hacked? Is this a false alarm? Are they being extra cautious after the Gawker hack?

There's another possibility. Since my Gmail account was hacked I don't enter my Google credentials on untrusted machines. Practically speaking, that means only OS X machines I control. Since that day I divide my credentials into five classes.

  • I: You want it? Take it.
  • II: I'd rather you didn't.
  • III: Help!! Help!!
  • IV: I'll fight you for it.
  • V: Kreegah bundolo! Kill!!

Category IV and V credentials are only used on trusted machines. Category I is used everywhere. Category II and III I'll use on my work machine -- an XP box with corporate class antiviral software. In other words, a vulnerable machine.

The fourth possibility is that one of my Category III credentials has fallen to a keystroke logger on my corporate laptop.

Yech.

I've reset my LinkedIn password (and reviewed the list of reset emails), and, on reflection, I've moved those credentials into "Class IV". So I won't use those credentials on an untrusted machine.

What's next?

See also (my stuff):

Update 12/14/10: LinkedIn wasn't hacked, unless you consider that they've hacked themselves. They'd matched every email address posted by the Gawker hackers, and reset the passwords associated with them. They explain that today (emphases mine) ...

We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)

This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.

There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password ...

They would have done better to explain that yesterday. What a screw up.

4 comments:

Anonymous said...

I got 2 copies of the LinkedIn account disabled message today. I assumed it was spoofed spam so I tried to login using my credentials to see if the messages were real. Indeed, I could not log in. So I changed my password. When I try to log in with the new credentials I get some message saying there's a problem with my account.

LinkedIn had such potential when it first started. Now it appears to be run by 2 monkeys and a cabbage.

Anonymous said...

I got the same message from LinkedIn and Yahoo! Mail. I also received the hint.io email to my Gmail account. This is very disconcerting, and seem strongly related to the Gawker breach. Goes to show that no matter how secure you keep your important stuff, it's the one-off sign ups with their lax security that will screw you.

davecobb said...

Same here. Got emails that access to my account had been shut down due to suspicious activity; I changed my password, and can log in, but trying to go to my profile results in a 404 error message.

Anonymous said...

So it sounds like either a preemptive measure or LinkedIn was indeed hacked.

A bigger target than Gawker.