During May 2016 LinkedIn became aware that user account data from its website had been made available to download on various websites across the internet. According to LinkedIn this data was originally stolen in 2012, and the company assured users that “This was not a new security breach or hack”. However, for the many businesses that received LinkedIn’s email about the breach it was still a worry, which leads us to ask: is your LinkedIn account really safe?
What data was stolen in the LinkedIn data breach?
According to LinkedIn the following information was stolen in the data breach during 2012 and made available online:
- LinkedIn Email Addresses
- LinkedIn Hashed Passwords (stored as unsalted SHA-1 hashes, which is why most of them could be cracked quickly once the file was public)
- LinkedIn Member IDs (an internal identifier LinkedIn assigns to each member profile)
It is concerning that, four years on, LinkedIn is still having to alert users to a breach from 2012. LinkedIn has said that it has “invalidated passwords of all LinkedIn accounts created prior to the 2012 breach that had not reset their passwords since that breach”, so the LinkedIn accounts themselves are now largely protected. That is less comforting when you consider how many of the affected users probably reuse the same password on other websites: with an email address and a cracked password in hand, attackers simply try the same pair on other sites (a technique known as credential stuffing), and LinkedIn’s reset does nothing for those accounts.
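To show why “hashed” does not mean “safe”, here is a small added example (our illustration, not LinkedIn’s code, and the users, passwords and wordlist are constructed for the demo). It cracks a dump of unsalted fast hashes with a lookup table built from a wordlist, repeats the attack against the same passwords stored with a per-user random salt and a slow key derivation function (PBKDF2 here, as an example of the right kind of storage), and shows how password reuse between two unsalted dumps is visible before any cracking at all.

```python
import hashlib
import os

# Constructed sample data for this example (not taken from the LinkedIn dump):
# three users, two of whom chose passwords that appear in any cracking wordlist.
USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "Tr0ub4dor&3",
    "carol@example.com": "correct horse battery staple",
}
WORDLIST = ["123456", "password", "linkedin", "qwerty", "Tr0ub4dor&3", "letmein"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def unsalted_dump(users: dict) -> dict:
    """What leaks from a site storing a bare, fast hash: email -> SHA-1(password)."""
    return {email: sha1_hex(pw) for email, pw in users.items()}


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Hash every candidate once, then look each leaked hash up in that table.
    Returns (cracked, hash_computations); the cost is len(wordlist) regardless
    of how many users leaked, which is why unsalted dumps fall so fast."""
    table = {sha1_hex(word): word for word in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


def salted_dump(users: dict, iterations: int = 50_000) -> dict:
    """What leaks from a site using a random per-user salt and a slow KDF:
    email -> (salt, iterations, derived key)."""
    dump = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        dump[email] = (salt, iterations, key)
    return dump


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """No shared table is possible: every (user, candidate) pair costs a full
    KDF run, so the work grows with the number of users as well as guesses."""
    cracked, computations = {}, 0
    for email, (salt, iterations, key) in dump.items():
        for word in wordlist:
            computations += 1
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations) == key:
                cracked[email] = word
                break
    return cracked, computations


def reused_across_sites(dump_a: dict, dump_b: dict) -> list:
    """With unsalted hashes the same password gives the same hash everywhere,
    so reuse between two leaked sites is visible before any cracking."""
    return sorted(e for e in dump_a if e in dump_b and dump_a[e] == dump_b[e])


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(unsalted_dump(USERS), WORDLIST))
    print("salted:  ", crack_salted(salted_dump(USERS), WORDLIST))
    other_site = {"alice@example.com": "linkedin", "bob@example.com": "something-else"}
    print("reused:  ", reused_across_sites(unsalted_dump(USERS), unsalted_dump(other_site)))
```

Both attacks recover the two weak passwords, but the unsalted attack costs six hash computations for any number of users, while the salted version costs one slow KDF run per user per guess. Neither helps carol, whose long passphrase is not in the wordlist: password length and uniqueness are what protect you when a site’s hashing turns out to be weak.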
What can you do to protect your account on LinkedIn?
We’d suggest changing your LinkedIn password to one that is at least 16 characters long, unique to LinkedIn, and mixes letters, digits and special characters such as %, ^ and *. Length matters more than symbols, and uniqueness matters most of all: a password used only on LinkedIn limits the damage from this breach to LinkedIn. Yes, managing a different password for every site is a headache, but with so many websites being compromised it is something you can’t avoid unless you’re willing to have your other accounts compromised too. Browsers can store passwords for you, and we’d go further and recommend a password manager across all of your devices.
Using password managers – the best option to secure your online identity
Here at Design for Digital we encourage all of our clients to use a password manager. These tools store all of your online account details (even bank accounts) in an encrypted vault, so you only need to remember one strong master password; the manager fills in (or lets you copy and paste) each website’s login details, so you never have to remember them individually. Because that one master password unlocks everything, make it long and use it nowhere else, and turn on 2-step verification for the manager itself where it is offered. Password managers also warn you when a password is weak, reused or overdue for a change, and suggest long random passwords for you. Our personal favourite is 1Password, which syncs with your phone so you can log in with a few taps and keeps a copy of your vault on a separate device as a backup.
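What a manager does when it “suggests a strong password” is draw uniformly from a cryptographic random source and give every site its own value. The added example below (ours, not code from 1Password or any other product; the symbol set is our choice) does that with Python’s secrets module and also puts numbers on the advice above: a 16-character password from letters and digits alone is far harder to guess than an 8-character one with symbols, so length beats complexity.

```python
import math
import secrets
import string

# Character classes the advice above asks you to mix; the symbol set is this
# example's choice (the post's examples plus a few more).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "%^*!@#$&-_+=?",
}
ALPHABET = "".join(CLASSES.values())


def has_every_class(password: str) -> bool:
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length: int = 16) -> str:
    """Uniformly random password from the CSPRNG (secrets, never random.choice),
    resampled until every class is present so it passes typical site rules."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_every_class(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password: log2(alphabet_size ** length).
    Only valid for generated passwords; a human-chosen one is far weaker."""
    return length * math.log2(alphabet_size)


def build_vault(sites: list, length: int = 16) -> dict:
    """One independent password per site: the property a manager gives you, so a
    leak at one site (as with LinkedIn) cannot be replayed against the others."""
    vault = {site: generate_password(length) for site in sites}
    if len(set(vault.values())) != len(sites):
        raise RuntimeError("duplicate password generated; the random source is broken")
    return vault


if __name__ == "__main__":
    print("8 chars, letters+digits+symbols:", round(entropy_bits(8, len(ALPHABET)), 1), "bits")
    print("16 chars, letters+digits only:  ", round(entropy_bits(16, 62), 1), "bits")
    for site, pw in build_vault(["linkedin.com", "mail.example", "bank.example"]).items():
        print(f"{site:14} {pw}")
```

The vault here is just a dictionary; a real manager encrypts it under a key derived from the master password, which is why that master password has to be as strong as anything in the vault.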
The golden rules of online security
Never send a password by email. Email is not encrypted end to end: the message sits in plain text in both mailboxes and on any mail server in between, so it can be read by anyone who gains access to those, long after it was sent. (An https connection, which uses TLS, the successor to SSL, protects a web login form in transit, but has nothing to do with how email is stored or forwarded.) If you must share a password, put the login details in a document, add it to an archive encrypted with AES-256 (7-Zip does this; the legacy “password protected” ZIP format is weak and shouldn’t be relied on), and send the archive passphrase by a separate channel. The less secure alternative is to text the password to the person’s mobile phone and email them the username, so that neither message on its own is useful.
Make sure that employees change the passwords they use for business systems at least every couple of months, and immediately if there is any sign of compromise. Bear in mind that forced frequent rotation tends to produce predictable variations on the same password, so a long password that is unique to each system is worth more than a short one that changes often. Use long passwords, with special characters where the system allows them, and never reuse a work password on a personal site.
Make sure that the email address on your user account is up to date. What if you forget your password and no longer have access to the old email address that the password reset is sent to? Lost account access can be difficult to resolve, so if your email address changes, update all of your online profiles immediately.
More and more services, Google and Microsoft included, now offer 2-step verification. You register a mobile phone number or install an authenticator app on your phone, and when you log in you enter a one-time code as well as your password, proving that you hold the phone and not just the password. An attacker who has only your leaked password is then stopped at the login screen, and the failed attempt can alert you. You won’t have to do this on every login: most sites let you mark a device as trusted (via a cookie set on that browser rather than your IP address), typically for around 30 days, after which the code is requested again. Codes sent by SMS can be intercepted or redirected to a phone the attacker controls, so prefer the app-based code where it is offered.
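The code an authenticator app shows is not a secret the site sends you; both the app and the site compute it from a shared secret and the current time (TOTP, RFC 6238, built on HOTP, RFC 4226). The added example below implements the verifying side as a site would, using only the Python standard library; it is our illustration, not Google’s or Microsoft’s code. It tolerates one 30-second step of clock drift either way, refuses to accept a code that has already been used (otherwise a code shoulder-surfed or phished a few seconds earlier still works), and compares codes in constant time. The secret is the RFC 6238 test key, so the values are the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key. A real site generates a random secret per user at enrolment and
# shows it to the authenticator app as base32 in the otpauth:// QR code.
SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form the app scans (padding tolerated, case-insensitive)."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(time / step). This is what the app shows."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1, step: int = 30):
    """Server-side check. Returns the matching time-step counter, which the caller
    must store and pass back as last_used_counter so the same code cannot be replayed,
    or None if no step within +/-window matches. Constant-time comparison throughout."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue  # already consumed (or older than a consumed code)
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    key = secret_from_base32(SECRET_BASE32)
    now = int(time.time())
    code = totp(key, now)
    print("code the app would show now:", code)
    used = verify_totp(key, code, now)
    print("first use accepted at step:", used)
    print("replay rejected:", verify_totp(key, code, now, last_used_counter=used) is None)
```

The trusted-device cookie mentioned above is separate from this: it records that a successful second step happened on that browser, so the site skips the code prompt for a while. Stealing that cookie therefore carries the same value as passing the second step, which is why you should not mark shared or public computers as trusted.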
Keep your antivirus up to date and leave your browser’s phishing and malicious-site protection switched on, so that you’re less likely to be duped into entering your login details on a fake copy of a site. Never follow a link in an email asking you to log in to your account, however genuine it looks; if you need to access the account, ignore the link and type the correct domain into your browser yourself.
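The reason “type the domain yourself” is the rule is that a link’s text, and even most of its URL, can be made to look right. The added example below (ours, not from any mail client or browser; the sample email and hostnames are constructed for the demo) pulls the links out of a message and accepts only those whose actual host is the expected domain or a subdomain of it, over https. It deliberately rejects the common tricks: the real domain used as a prefix of a different domain, the real domain placed in the user-info part before an @, the real domain in the path, and a look-alike spelling.

```python
import re
from urllib.parse import urlsplit

LINK_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def is_genuine_link(url: str, expected_domain: str = "linkedin.com") -> bool:
    """True only for an https URL whose host is expected_domain or a subdomain of it.
    urlsplit().hostname lower-cases the host and strips user-info and port, so
    'https://linkedin.com@evil.example/' resolves to host 'evil.example' and fails."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def check_links(email_body: str, expected_domain: str = "linkedin.com") -> dict:
    """Map every http(s) link found in the body to whether it passes the check."""
    return {url: is_genuine_link(url, expected_domain) for url in LINK_RE.findall(email_body)}


# Constructed phishing-style message for the demo; the hosts are examples, not real sites.
SAMPLE_EMAIL = """\
Your LinkedIn password was part of a breach. Please confirm your account:
https://www.linkedin.com.account-verify.example/login
If that does not work use https://linkedin.com@secure-login.example/reset
Real help is at https://www.linkedin.com/help
"""

if __name__ == "__main__":
    for url, ok in check_links(SAMPLE_EMAIL).items():
        print("GENUINE " if ok else "SUSPECT ", url)
```

The check does not see what the link text said, whether the mail came from LinkedIn, or where a genuine-looking redirector would send you next, so it is a filter for the obvious fakes rather than a replacement for the rule above.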
We hope these tips and information are of help. If you’d like us to assess your website for security issues, or simply need help redesigning and updating your website, please contact us.