Corrections and Clarifications Column
Our earlier statement:-
We are informing you of this issue out of an abundance of caution.
should have read:-
We are informing you of this issue out of a desire to not be sued.
Lynda.com, the training arm of LinkedIn, on Saturday issued email notices to about 55,000 members whose data it says has been perused by an “unauthorized third party.” The letter sent to members, two of whom thoughtfully forwarded it to El Reg, reads as follows: We recently became aware that an unauthorized third party …
Not a good thing to rely upon.
Suppose the database had been successfully hacked. The integrity of the email addresses to send those reset emails to is questionable. And if you are relying on recovery questions then those can be hacked too - I've seen this before, particularly with Yahoo, as soon as the address is hacked/changed, the hackers will change the recovery questions too.
Ahh, I hear you say, if you timestamp the changes then malicious changes can be detected, assuming the audit trail hasn't been hacked too. Comparing with a known clean off-line backup might be possible, but the design of systems probably won't maintain relational integrity with off-line backups, which means that if the hackers manage to cascade change primary keys then changes made since that clean backup are worthless.
And timestamps or hashes will be trusted because of... ? I wouldn't trust shit.
In the end I think sites like linkedin, facebook, or whatever are going to have to come up with an export account feature that literally exports the user's entire account to a completely unrelated offsite location given by the user for the user's own audit of validation. Does that sound old school and not future hipster tech enough? Maybe, but give me my 'account.tar.gz' and I'll validate it, then I'll upload it as a known good source for the account. Or I won't, because it's a backup after the hack and I'm fucked, so I'll have to depend on yoursite.com for revival of my data, but then I'll have to validate that still, so fuck you and yoursite.com.
I don't know, there are a lot of ways to help get past or come back from security breaches, but none of those ways involve you controlling your own data on these data mining sites that appear to be "social".
No evidence that the data included passwords. That, to me, means that they have no evidence to the contrary either.
How can a company have absolutely no clue as to when a password is read? Shouldn't that be something that is monitored? I'm not talking about hashing & salting, or encrypting or whatever else (that should be done as well), I'm just talking about monitoring when the password is accessed.
Apparently, in the business world, the word "security" is just a collection of letters that the marketing department uses. The rest of the company doesn't have the time to take it into account.
"So from the sound of that they're stored in plain text then. Nice"
That was my initial thought when I read that sentence - but in hindsight it's also possible that whoever wrote it might hold the view that victim users wouldn't understand what 'salted and hashed' means so they're keeping the email simple.
Yeah, I know, I don't really buy that possibility, either.