It's been a bad week for LinkedIn, the social network for professionals. First, we learned that its iOS app was copying entire meeting notes from its calendar section and transmitting the information back to LinkedIn. Then news of the LinkedIn hack dropped. The company later admitted that millions of its user accounts were breached via password-hacking programs.
First and foremost: Before you read any further, change your LinkedIn password if you haven't already. Here's how to do it: Under your name in the upper right-hand corner, click "Settings," then click the "Accounts" tab. Select "Change Password" and enter your existing password. Then choose a new password that follows best security practices -- one with a combination of letters, numbers and symbols to make it less susceptible to password-hacking programs.
Less than a day after the attack, the phishing started, with copycat LinkedIn emails trying to lure unsuspecting users into downloading malware. CIOs may consider drafting an email to their own corporate social media users, advising them not to click on such emails from LinkedIn and, naturally, to change their passwords. Of course, it may already be too late. Nothing drives people to action like fear, and well-meaning employees might have received the phishing email and already triggered a malware deployment on their own machines. Time for an unscheduled full-system sweep and virus check.
Events like the LinkedIn hack are every CIO's nightmare -- it's that late-night phone call that everyone dreads. It happened to LinkedIn this time, but it could happen to your organization next time. Sophisticated password-hacking programs are making it easier for savvy hackers to gain access and, sadly, users are still using passwords like 12345. On a system with a million users, hackers can break into thousands of accounts in a matter of minutes just by repeatedly trying variations of the most common passwords.
Following the hack, LinkedIn quickly put in place some updated security measures, like hashing and salting, which make recovering passwords with password-hacking programs much less likely. The company still insists that its mobile app -- the one that grabs your meeting notes and sends them to LinkedIn -- is a feature instead of a data privacy violation. Thankfully, and unlike a password, it's a feature you can turn off -- or avoid completely.
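To make the "hashing and salting" point concrete, here is an added example, written for this article rather than taken from LinkedIn or from any library the article mentions. It contrasts a plain, unsalted hash (where every user who picked the same weak password ends up with the same stored value, so one recovered password unlocks all of them) with a per-user random salt and an iterated key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), which gives each user a unique stored value and makes every guess expensive. The user names and passwords are constructed for the demonstration; the iteration count is an assumption you should tune to your own hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
# Assumed default; raise it until one derivation costs ~100 ms on your servers.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """The weak scheme: one fast hash, no per-user salt.
    Identical passwords produce identical digests, so a single
    precomputed table or recovered password covers every matching user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt is drawn per call unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt and iteration count and compare in
    constant time. Malformed or foreign records are rejected, never guessed."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def shared_value_count(records) -> int:
    """Count users whose stored value is identical to another user's.
    With unsalted hashes this exposes every group of reused passwords;
    with salted records it should always be zero."""
    seen = {}
    for _user, value in records:
        seen[value] = seen.get(value, 0) + 1
    return sum(n for n in seen.values() if n > 1)


def demo(iterations: int = DEFAULT_ITERATIONS) -> dict:
    # Constructed users; three of them chose the same weak password.
    users = [("alice", "12345"), ("bob", "12345"), ("carol", "12345"), ("dave", "Tr0ub4dor&3")]
    unsalted = [(u, unsalted_digest(p)) for u, p in users]
    salted = [(u, hash_password(p, iterations=iterations)) for u, p in users]
    return {
        "unsalted_shared": shared_value_count(unsalted),   # 3: the whole reuse group is visible
        "salted_shared": shared_value_count(salted),       # 0: every record is unique
        "bob_verifies": verify_password("12345", dict(salted)["bob"]),
        "bob_wrong_password": verify_password("123456", dict(salted)["bob"]),
    }


if __name__ == "__main__":
    print(demo())
```

The record format stores the iteration count alongside the salt so the cost can be raised later: on a successful login, re-hash with the new count and overwrite the old record. Nothing here stops an attacker who already holds the database from guessing one account's password; it only ensures each guess is paid for once, per user, rather than once for everyone.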