How LinkedIn Handled The Password Crisis
Firstly, if you haven’t changed your LinkedIn password recently you might want to do that now (hover over your name in the top right-hand corner of your LinkedIn profile and click Settings).
Last week, reports surfaced that 6.5 million LinkedIn passwords (strictly speaking, unsalted SHA-1 hashes of them, which offer little resistance to offline cracking) were posted to the Web by an unknown essailant (unlike an assailant, essailants attack in the electronic realm — yes, I just made that up). LinkedIn was understandably cautious in its response.
Initial tweets from the official LinkedIn Twitter account simply stated that the company was looking into the reports, followed by a blog post on how to change your LinkedIn password and other security best practices. Note that roughly two hours passed between the first and second tweet, and another three before the blog post was published.
About half an hour later the company posted another update, this time confirming the breach and stating the steps it would take to rectify the situation. In short, if LinkedIn determines that your password was one of those posted online, it will send you an email with instructions for changing it.
The company also states that users should not change their password by clicking on a link in an email, which is sound advice: a widely publicized breach is exactly the pretext attackers use for follow-on phishing. About an hour earlier I received what appeared to be a phishing attempt on my LinkedIn account.
I understand the need for LinkedIn to minimize the damage to its brand, but I have to wonder whether a blanket email to all users would have been the better way to handle this crisis. Such an email could not only inform users of the situation but also provide instructions for resetting passwords while warning of phishing attacks. There will undoubtedly be many users who were not affected by the initial breach but who fall for the subsequent phishing attempts.
Update: The following day, LinkedIn posted another blog entry that provides members with more details on the breach and the steps it is taking to shore up its defenses. What's noteworthy is the opening paragraph, where the company reiterates its commitment to its members and apologizes for the inconvenience:
"It is of the utmost importance to us that we keep you, our members, informed regarding the news this week that some LinkedIn member passwords were compromised. We want to reiterate that we sincerely apologize for the inconvenience this has caused our members."
LinkedIn is now clearly winding down its crisis response, posting only one blog entry since June 7. But as one of our editorial advisory board members noted, the crisis is not over for LinkedIn -- the company will be judged over the coming weeks based on whether it learns from this experience and uses it as an opportunity to make real improvements to security and related processes.