
Is LinkedIn Telling it Straight?

Last week, LinkedIn, a site where professionals network with each other, sent some users this less-than-urgent email:

[Image: LinkedIn email]

However, at the same time, LinkedIn’s chief technology officer posted this more dire warning on the company’s official blog:

*MOUSE PRINT:

In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members’ passwords. At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure. Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.

Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.

UPDATE: May 18, 5:30 p.m. PT

We’re moving swiftly to address the release of additional data from a 2012 breach, specifically:

We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach. We will be letting individual members know if they need to reset their password.

So he’s saying that maybe over 100 million email addresses and passwords (actually 117 million according to news reports) were stolen previously and are now for sale, and not just the 6.5 million originally believed.

It seems that their casual email to members badly underplays the seriousness of the situation. And as we’ve said before, the worst mouse print is the disclosure that is not made.
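The CTO’s statement describes two reset rules: invalidate the accounts whose email appears in the newly released dataset, and invalidate every account created before the 2012 breach whose password has not been changed since. The following is an added example, not LinkedIn’s own code, showing how a defender would turn those two rules into a selection over account records; the cutoff date, the account records and the leaked email list are all constructed for illustration (the page gives only the year 2012).

```python
"""Select which accounts to force-reset after a delayed breach dump.

Added example (not LinkedIn's code). It applies the two rules stated in
the CTO's post: (1) invalidate accounts whose email appears in the
released dataset, and (2) invalidate all accounts created before the
breach whose password has not been changed since. The cutoff date and
all records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

# The page says only "2012"; the exact day is an assumed cutoff.
BREACH_CUTOFF = date(2012, 6, 30)


@dataclass(frozen=True)
class Account:
    email: str
    created_at: date
    password_changed_at: Optional[date]  # None = never changed since signup


def normalize_email(email: str) -> str:
    """Match leaked addresses case-insensitively, ignoring stray whitespace."""
    return email.strip().lower()


def reset_reason(account: Account, leaked_emails: Set[str],
                 cutoff: date = BREACH_CUTOFF) -> Optional[str]:
    """Return why this account's password must be invalidated, or None."""
    # Rule 1: the address is in the released dataset, regardless of dates.
    if normalize_email(account.email) in leaked_emails:
        return "in_leaked_set"
    # Rule 2: pre-breach account whose password has not changed since the breach.
    last_change = account.password_changed_at or account.created_at
    if account.created_at < cutoff and last_change <= cutoff:
        return "pre_breach_unchanged"
    return None


def plan_resets(accounts: Iterable[Account], leaked_emails: Iterable[str],
                cutoff: date = BREACH_CUTOFF) -> Dict[str, str]:
    """Map each affected email to the rule that triggered its reset."""
    leaked = {normalize_email(e) for e in leaked_emails}
    plan: Dict[str, str] = {}
    for acct in accounts:
        reason = reset_reason(acct, leaked, cutoff)
        if reason:
            plan[acct.email] = reason
    return plan


def sample_accounts() -> List[Account]:
    """Constructed records covering each branch of the policy."""
    return [
        Account("alice@example.com", date(2011, 3, 1), date(2013, 1, 15)),  # leaked, despite later change
        Account("bob@example.com", date(2010, 7, 4), None),                 # old, never changed
        Account("carol@example.com", date(2012, 1, 9), date(2012, 2, 1)),   # old, changed before cutoff
        Account("dave@example.com", date(2011, 5, 5), date(2014, 8, 8)),    # old, changed after cutoff
        Account("erin@example.com", date(2015, 9, 9), None),                # created after breach
    ]


def sample_leaked_emails() -> List[str]:
    """Constructed stand-in for the released email list (note the casing)."""
    return ["Alice@Example.com ", "nobody@example.org"]


if __name__ == "__main__":
    for email, why in sorted(plan_resets(sample_accounts(), sample_leaked_emails()).items()):
        print(f"{email}: {why}")
```

Running it flags alice (present in the dump), bob and carol (pre-breach accounts whose last password change predates the cutoff) and leaves dave and erin alone. Normalizing addresses before matching matters because a dump rarely preserves the casing a user registered with; an address from the dump that matches no account is simply ignored.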

UPDATE MAY 25:

LinkedIn just sent a “Notice of Data Breach” to registrants outlining in more detail what happened. (They must have read Mouse Print* this week.)


3 thoughts on “Is LinkedIn Telling it Straight?”

  1. There is a belief among some behavioral scientists that consumers are categorically more likely to react to a friendly and soft reminder like the LinkedIn message as compared to the harsh ‘SECURITY ALERT’ emails that banks often use. Also, the harsh email approach has been picked up as a common phishing method, which might make them over time less likely to respond.

    If I composed this email to customers who may have had their account info hacked, I would have phrased the email very similar to the above but also included a line reading something similar to ‘Why are we sending you this email?’ that included either in the email or via link a plain-language explanation of the issue.

  2. I think I would have done the same thing as LinkedIn. Most consumers are foolish and would quickly panic if LinkedIn gave too much detail in a general email. In reality, most of those people would receive spam emails because of the leak and not much more.

    As Mark Davis suggested above, a more detailed supplemental post should have been provided for people who are more likely to be informed on internet security matters.

  3. I’m confused as to why this is a problem? Do people post ‘sensitive’ information on LinkedIn? I thought it was a place to post your ‘work & education’ credentials. Unless someone hacks in to change another person’s info, what is everybody worried about?

    Edgar replies: Gert, the problem is (at least) two-fold. Many people use the same password on more than one site. So if I got your password from LinkedIn, it might work on Amazon, or with your debit card if it got stolen. The other problem is one of impersonation. If I got into your account, I could pretend to be you, and send email to your colleagues. One of the big scams going on now is someone pretends to be the boss at work, and directs subordinates to send money to someone or to pay a fraudulent bill. Presumably also, the crook could change the information in your profile and make you look like an idiot.
