LinkedIn has brought the encryption applied to all user passwords up to a more secure standard after last week’s hugely embarrassing password hack, the company has announced.
This will count as a small consolation for anyone affected by the loss of 6.5 million passwords secured in an ‘unsalted’ state using the less secure 160 bit SHA-1 encryption algorithm.
The company said that after discovering the hack on the morning of 6 June, it had disabled published passwords it believed were at risk of exposure by the end of play on 7 June. None of the emails involved included email logins, the company claimed.
“After we disabled the passwords, we contacted members with instructions on how to reset their passwords,” LinkedIn said. “At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft.”
Importantly, the company said it had now completed an upgrade of the security applied to all accounts whether part of the hack or not which added the use of salted hashes.
Precisely what new security was now being employed – specifically whether 256-bit SHA-2 was part of the upgrade – the company’s announcement is oddly evasive.
“For security reasons, we cannot discuss certain details of our ongoing security upgrades,” it said.
The firm’s small army of security critics might point out that detailing the security standards employed should not render a company vulnerable and indeed most vendors with public membership usually state the encryption standards used as a deterrent.
As to who hacked LinkedIn, how the hack was carried out, and with what real-world effects on member security, the LinkedIn note does not elaborate.
“At this time, LinkedIn cannot release any further information in order to protect our members and due to the ongoing investigation,” the company said.
According to message filtering vendor Cloudmark, an ironic effect of the hack appears to have been that some LinkedIn users discarded legitimate warnings sent by the firm after the attack because they thought they might be criminal spam.
“Over four percent of the people receiving this [warning] email, thought it was spam and sent it straight to the bit bucket. If Linkedin sends out 6.5 million emails, then a quarter of a million people are congratulating themselves on avoiding spam, and still have a compromised Linkedin password,” said Cloudmark’s Andrew Conway.
LinkedIn did say it had disabled all passwords believed to be at risk although again how many of the 6.5 million leaked were deemed worthy of this attention is not clear.
In Conway's view, part of the problem was that LinkedIn automatically opted users into receive email related to their activity and interests, resulting in some users marking the company’s emails as spam simply to stem the tide of unwanted communication.
“Linkedin is like the little boy who cried, ‘wolf.’ By sending too much mail that people are not really interested in, they are getting ignored when they have something important to say,” said Conway