Yesterday we learned Gawker was hacked. I got this message today ...
We have recently disabled your account for security reasons. To reset your password, follow these quick steps:
....
The LinkedIn Team
My LinkedIn password was not the same as the disposable Gawker password. It wasn't an ultra secure 64 character random string, but it was a 5th percentile good quality password, one of my class III credentials. It wouldn't fall to a standard attack.
So was LinkedIn hacked? Is this a false alarm? Are they being extra cautious after the Gawker hack?
There's another possibility. Since my Gmail account was hacked, I don't enter my Google credentials on untrusted machines. Practically speaking, that means only OS X machines I control. Since that day I divide my credentials into five classes.
- I: You want it? Take it.
- II: I'd rather you didn't.
- III: Help!! Help!!
- IV: I'll fight you for it.
- V: Kreegah bundolo! Kill!!
Category IV and V credentials are only used on trusted machines. Category I is used everywhere. Categories II and III I'll use on my work machine -- an XP box with corporate-class antiviral software. In other words, a vulnerable machine.
The fourth possibility is that one of my Category III credentials has fallen to a keystroke logger on my corporate laptop.
Yech.
I've reset my LinkedIn password (and reviewed the list of reset emails), and, on reflection, I've moved those credentials into "Class IV". So I won't use those credentials on an untrusted machine.
What's next?
See also (my stuff):
- The Gawker hack - and two factor authentication (yesterday)
- Trust and credential management: MyOpenID (In the world of keystroke logging typical OpenID/OAuth use is fatally flawed.)
- Google's two factor authentication and why you need four OpenID accounts
- Google hack lessons - where the geek risks are
- After the Google Hack: Life in the transparent society
- My Google (gmail) account is hacked - by ductus.com
Update 12/14/10: LinkedIn wasn't hacked, unless you consider that they've hacked themselves. They'd matched every email address posted by the Gawker hackers, and reset the passwords associated with them. They explain that today (emphases mine) ...
We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)
This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.
There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password ...
They would have done better to explain that yesterday. What a screw up.
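The update describes what LinkedIn actually did: take the email addresses published by the Gawker attackers, match them against registered accounts, and force a password reset on every match. The following is an added illustration of that defensive procedure, not LinkedIn's code; the account records and the breach list are constructed sample data, and the function names are my own. One design choice it makes that LinkedIn's message did not: it issues a single reset per affected account even when several of that account's registered addresses appear in the dump.

```python
"""Match a third-party breach's email list against a user base and plan
forced password resets. Hypothetical example; all data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    emails: tuple  # an account may have several registered addresses


def normalize_email(addr: str) -> str:
    """Canonicalize an address for comparison: trim whitespace, lowercase.
    The local part is otherwise left alone, so 'user+tag@x' and 'user@x'
    are treated as distinct (a conservative choice: no guessed aliases)."""
    return addr.strip().lower()


def find_exposed_accounts(accounts, breached_emails):
    """Return {account_id: [matching registered emails]} for accounts that
    share at least one address with the breach list."""
    breached = {normalize_email(e) for e in breached_emails}
    hits = {}
    for acct in accounts:
        matched = sorted(e for e in acct.emails if normalize_email(e) in breached)
        if matched:
            hits[acct.account_id] = matched
    return hits


def plan_resets(accounts, breached_emails):
    """One forced-reset action per affected account, not per matching address,
    so a user with several registered emails gets a single reset message."""
    hits = find_exposed_accounts(accounts, breached_emails)
    return [
        {
            "account_id": acct_id,
            "reason": "registered email present in third-party breach",
            "matched_emails": emails,
        }
        for acct_id, emails in sorted(hits.items())
    ]


# Constructed sample data (not real users, not the real Gawker list).
ACCOUNTS = [
    Account(1, ("alice@example.com",)),
    Account(2, ("bob@example.org", "Bob.Work@Example.net")),
    Account(3, ("carol@example.com",)),
]
BREACH_DUMP = [
    "ALICE@example.com",      # case differs from the registered address
    "bob.work@example.net ",  # trailing whitespace, case differs
    "bob@example.org",        # second address on the same account
    "dave@example.com",       # not a registered user; ignored
]

if __name__ == "__main__":
    for action in plan_resets(ACCOUNTS, BREACH_DUMP):
        print(action)
```

Running it plans two resets: one for account 1 and one for account 2 (both of Bob's addresses matched, but he gets one action), while Carol is untouched and the unknown address is simply ignored. The normalization step matters in practice: without it, a dump that differs only in letter case or stray whitespace would silently miss accounts that should be reset.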