Yesterday, a Russian hacker claimed he was able to hack professional networking site LinkedIn®. And he posted 6.5 million passwords online to prove it.
According to Mashable, the passwords were protected with SHA-1, a cryptographic hash function designed by the United States National Security Agency.
The vulnerability appears to lie in how the passwords were stored and in whether users chose basic dictionary words. Accounts protected by simple dictionary passwords such as “apple” or “orange” were probably among those compromised through simple trial and error.
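To make the storage point concrete, here is an added example (not code from the article or from LinkedIn) contrasting the two sides of the problem. An unsalted hash lets a defender, or anyone holding the dump, check every account against one precomputed table of dictionary words; a per-user salt and an iterated key-derivation function (PBKDF2-HMAC-SHA256 via Python's standard library) removes that shortcut. The wordlist and passwords below are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "dictionary" standing in for a real wordlist.
WORDLIST = ["apple", "orange", "banana", "password", "linkedin"]

# OWASP's current recommendation for PBKDF2-HMAC-SHA256 (600,000 iterations).
ITERATIONS = 600_000


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password: the storage scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def dictionary_match(stored_hash: str, wordlist=WORDLIST):
    """Audit check: does an unsalted hash equal the hash of any dictionary word?

    Because nothing per-user is mixed in, one table built once serves every
    account in the dump. Returns the matching word, or None.
    """
    table = {sha1_hex(w): w for w in wordlist}
    return table.get(stored_hash)


def hash_with_salt(password: str, salt: bytes = b"", iterations: int = ITERATIONS):
    """Salted, iterated hashing. Each user gets a random salt, so two users with
    the same password store different digests and a shared lookup table is useless;
    the iteration count makes every individual guess expensive."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_digests_differ(password: str) -> bool:
    """Two accounts, same password: the salted digests must not collide."""
    _, d1 = hash_with_salt(password)
    _, d2 = hash_with_salt(password)
    return d1 != d2


if __name__ == "__main__":
    leaked = sha1_hex("apple")  # constructed: what an unsalted entry in a dump looks like
    print("unsalted SHA-1 of 'apple' matches wordlist entry:", dictionary_match(leaked))
    salt, digest = hash_with_salt("apple")
    print("salted PBKDF2 verify correct password:", verify("apple", salt, digest))
    print("salted PBKDF2 verify wrong password:  ", verify("orange", salt, digest))
    print("same password, two users, different digests:", salted_digests_differ("apple"))
```

The unsalted case shows why one weak choice exposes every account that made the same choice: identical passwords produce identical hashes, and a single table covers the whole dump. With a salt and a slow KDF, each account has to be attacked separately and each guess costs hundreds of thousands of hash operations.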
LinkedIn was quick to inform users of the break-in and advise them on how to reset their passwords.
But ill-gotten LinkedIn passwords might also be used to access other accounts and even more personal information elsewhere. After all, it’s common practice to use the same user name and password to log into various sites and services across the Web. If hackers get your password to one site, it could be enough to bring down your entire house of cards.
So what can you do to protect your accounts?
- If you have a LinkedIn account, change your password immediately.
- Don’t use a simple password that could be found in the dictionary. Alternate letters, numbers, upper case, lower case—whatever the particular password parameters allow. Check out this list of some of the most commonly used (and therefore inherently weak) passwords.
- Create and maintain a handwritten document of online accounts and passwords. Put it in a safe. Do not store this on your computer and do not use the same password more than once.
- Don’t respond to or act on any emails that appear to come from LinkedIn if the emails include links. This is a common phishing ploy, and LinkedIn said it will not include any links in any emails regarding this matter.
- If you subscribe to online services, such as LinkedIn’s or another site’s premium services, put aside a credit card just for online purchases so that once it’s compromised, you can alert just the one credit card company of the breach. Do not use an ATM card for such purchases as you may lose access to cash anywhere from a few hours to a few days.
- Consider creating Google alerts for any service that maintains your personal data. An alert for “LinkedIn” + “hack” could have alerted you about the recent intrusion and allowed you to quickly act.
- When a security attack occurs, look for information about the attack either from the company that’s been hit or credible news sources such as CNET, Mashable or the Guardian.
- Consider placing a security freeze on your credit report to prevent fraudulent accounts being opened in your name.
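The advice above on avoiding dictionary words is easy to defeat in spirit: capitalising the first letter, swapping a zero for an “o” or appending a year leaves a dictionary word recognisable. The following added example (not from the article) is a small password checker that normalises those cosmetic tweaks before consulting a common-password list, so that “Passw0rd!” and “Apple2012” are flagged as the words they are. The word list is constructed sample data; a real deployment would load a large published list of commonly used passwords.

```python
import re

# Constructed sample list; substitute a real common-password list in practice.
COMMON_PASSWORDS = {"password", "apple", "orange", "linkedin", "qwerty", "letmein"}

# Typical character-for-letter substitutions that do not add real strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is built on.

    Lower-cases, strips leading/trailing digits and punctuation (e.g. an appended
    year or '!'), then undoes common letter substitutions.
    """
    p = password.lower()
    p = re.sub(r"^[^a-z]+", "", p)
    p = re.sub(r"[^a-z]+$", "", p)
    return p.translate(LEET)


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit, symbol appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(pat, password)) for pat in patterns)


def check_password(password: str, common=COMMON_PASSWORDS, min_length: int = 12) -> list:
    """Return a list of problems; an empty list means the password passed every check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    base = normalize(password)
    if base in common:
        problems.append(f"built on the common word '{base}'")
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ["apple", "Passw0rd!", "Apple2012", "xQ7#vLm2!pRt9z"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that the normalisation step is what makes the dictionary check meaningful: checking the raw string “Passw0rd!” against a word list would pass it, while the reduced form “password” is rejected.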
Remember, hackers can attack any site, big or small. LinkedIn is not the first well-known site or network to be compromised. Do not let any site or solution lull you into a false sense of security. You are your own last line of defense, so be sure to educate yourself on the dangers that exist online and on how certain user behaviors can play into those dangers.