back to article LinkedIn's training arm resets 55,000 members' passwords, warns 9.5m, the training arm of LinkedIn, on Saturday issued email notices to about 55,000 members whose data it says has been perused by an “unauthorized third party.” The letter sent to members, two of whom thoughtfully forwarded it to El Reg, reads as follows: We recently became aware that an unauthorized third party …

  1. Magani

    Corrections and Clarifications Column

    Our earlier statement:-

    We are informing you of this issue out of an abundance of caution.

    should have read:-

    We are informing you of this issue out of a desire to not be sued.

  2. Chris Tierney

    Cyber security courses

    They have some good cyber security courses available.

    1. ecofeco Silver badge

      Re: Cyber security courses

      *snerk* I see what you did there.

  3. Your alien overlord - fear me

    I heard

    it was Santa, checking out who'd finished their courses and who hadn't

  4. Ken Moorhouse Silver badge

    Resetting Passwords: universal panacea?

    Not a good thing to rely upon.

    Suppose the database had been successfully hacked. The integrity of the email addresses to send those reset emails to is questionable. And if you are relying on recovery questions then those can be hacked too - I've seen this before, particularly with Yahoo, as soon as the address is hacked/changed, the hackers will change the recovery questions too.

    Ahh, I hear you say, if you timestamp the changes then malicious changes can be detected, assuming the audit trail hasn't been hacked too. Comparing with a known clean off-line backup might be possible, but the design of systems probably won't maintain relational integrity with off-line backups, which means that if the hackers manage to cascade change primary keys then changes made since that clean backup are worthless.

    1. Anonymous Coward
      Anonymous Coward

      Re: Resetting Passwords: universal panacea?

      And timestamps or hashes will be trusted because of... ? I wouldn't trust shit.

      In the end I think sites like linkedin, facebook, or whatever are going to have to come up with a export account feature that literally exports the users entire account to a completely unrelated offsite location given by the user for the users own audit of validation. Does that sound old school and not future hipster tech enough? Maybe, but give me my 'account.tar.gz' and I'll validate it, then I'll upload it as a known good source for the account. Or I won't, because it's a backup after the hack and I'm fucked, so I'll have to depend on for revival of my data, but then I'll have to validate that still, so fuck you and

      I don't know, there is a lot of ways to help get past or come back frome security breaches, but none of those ways involve you controlling your own data on these data mining sites that appear to be "social".

  5. Redbaron

    "Please know that we have no evidence that this data included your password"

    So from the sound of that they're stored in plain text then. Nice!

    1. Pascal Monett Silver badge
      Thumb Down

      No evidence that the data included passwords. That, to me, means that they have no evidence of the contrary either.

      How can a company have absolutely no clue as to when a password is read ? Shouldn't that be something that is monitored ? I'm not talking about hashing & salting, or encrypting or whatever else (that should be done as well), I'm just talking about monitoring when the password is accessed.

      Apparently, in the business world, the word "security" is just a collection of letters that the marketing department uses. The rest of the company doesn't have the time to take it into account.

    2. VinceH

      Re: "Please know that we have no evidence that this data included your password"

      "So from the sound of that they're stored in plain text then. Nice"

      That was my initial thought when I read that sentence - but in hindsight it's also possible that whoever wrote it might hold the view that victims users wouldn't understand what 'salted and hashed' means so they're keeping the email simple.

      Yeah, I know, I don't really buy that possibility, either.

  6. ecofeco Silver badge

    Unauthorized 3rd party?

    Could it be one of their advertisers?

    Anyone here use No Script? Have you noticed the list of blocked third party websites is now longer than the screen? Most of them trackers, ads, and typeface servers?

    What could possibly go wrong?

  7. Lotaresco

    We have your data...

    ... and we don't give a toss.

    Should be the motto of each of these companies. I suppose the default assumption for the rest of us should be that any details that we give to social media should be a legend.

  8. Duffaboy

    It's not a problem Linkedin has the solution at its finger tips

    All Linkedin need to do is to make contact with all the thousands and thousands of "Security Specialists" it has on its database, mind you they might be busy doing their Real Jobs ahem.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like