LinkedIn responds to security breach, outlines next steps

Updated at 13.01 PST: LinkedIn just posted an update on their blog:

We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts … continue reading on their blog>

Security experts say that you should change your passwords anyway.

“Users should take this warning seriously and change their passwords for LinkedIn as well as any other accounts that may be using the same password,” said Mike Geide, senior security researcher at Zscaler ThreatLabZ “Users should take this as another reminder to use non-dictionary, complex passwords and have different ones for various accounts. As history has shown, there will inevitably be breaches such as this. Social media has the added complexity of a breach of trust.  A hacked password to LinkedIn does not just give access to an account, but the trust of an entire social network. Facebook has a problem around social identity theft and it’s not a surprise this now reached LinkedIn.”

Original story: By now you must have read somewhere on the web that if you used LinkedIn’s (s LNKD) iOS app, it was sending details from your calendar to the LinkedIn servers in plain-text, resulting in a data breach that compromised millions of passwords. A rookie mistake, security experts would say. A mistake that gets headlines like “6.5 million passwords leaked.” As if the breach wasn’t enough of a shock, many, including me, are wondering about the company’s response.
The  Norweigan IT website Dagens IT reported that 6.5 million passwords were posted to a Russian hacker website. The Next Web, which has been on top of this story, writes:

Security researcher Per Thorsheim has also confirmed reports via his Twitter feed, stating that the attackers have posted the encrypted passwords to request help cracking them. Finnish security firm CERT-FI is warningthat whilst user details have not been posted, it is believed that the attackers will have access to user data as well as their passwords.

Typically if the data breach of such magnitude were to happen, a company would try and assuage fears and calm down those who are being impacted. Its official response on its blog was nothing more than a proverbial shrug.I said as much on my Facebook account.
In my opinion – and it is just that, one man’s opinion – when data breaches like this happen companies should be overtly cautious and get in touch with their users and get them to change their passwords. The company sent a Twitter update, but in reality it should have been sending its customers emails right away.
One of the commenters on my Facebook post pointed out the stark difference between the (eventual) responses of Path and Airbnb, both of which had problems with breaches. He also pointed out that public companies rarely admit their follies.
Jordan Staniscia in a blog post writes:

Most companies with stockholders have this odd way of not admitting their mistakes. If you had to bet, always bet on endless legal battles rather than honesty in public companies. For startups this is not a concern — they apologize anytime something goes wrong.
Path was found to be uploading their users’ entire address books without so much as telling them only a few months ago. They apologized, corrected their mistake, and everyone moved on. People still want to use Path. So its obvious that now that Facebook has shareholders they will not admit they did anything wrong this past week. Even though pre-IPO Facebook did admit mistakes, post-IPO Facebook can not.
It comes off to me that the stock market can’t handle mistakes. Its not that companies don’t make them, lately it seems to be the opposite, you just can’t call them mistakes. Otherwise, you fear a stock plummet.

LinkedIn stock is trading at $92 a share, down less than a percent for the day.
Photo courtesy of Shutterstock user [holbox].