LinkedIn sheds light on security breach

LinkedIn has finished disabling all accounts affected by a massive password breach last week, stating this weekend that it did not believe that other members were at risk.

The professional networking site promised to beef up security after more than 6 million customer passwords turned up on underground sites frequented by criminal hackers.

The break-in was one of a series of high-profile internet breaches around the world. British music website Last.fm and dating site eHarmony were also compromised last week.

Cyber-security experts warned that LinkedIn breach -- with more than 160 million members -- could uncover further data losses over the coming days as it tries to figure out what happened.

In a blog post on Saturday, LinkedIn said it had notified all affected users - whose accounts had not been accessed - and added it did not think other users had been compromised.

"Thus far, we have no reports of member accounts being breached as a result of the stolen passwords. Based on our investigation, all member passwords that we believe to be at risk have been disabled," it said.

"If your password has not been disabled, based on our investigation, we do not believe your account is at risk."

LinkedIn is a natural target for data thieves because the site stores valuable information about millions of professionals, including well-known business leaders.

It has hired outside forensics experts to assist as company engineers and the FBI seek to get to the bottom of the break-in. The company said on Friday it did not know if any other account information was stolen besides passwords.

But customers whose passwords were among those stolen were still getting notified by LinkedIn as of Friday afternoon, days after news of the breach surfaced.

The way the company responds to the theft will play a critical role in determining the extent to which the incident damages LinkedIn's reputation, experts said.

The breach has not appeared to hurt LinkedIn shares, which rose 2.6 percent to $US96.26 on Friday, but investors are likely watching the matter closely because the stock carries one of the loftiest valuations in technology.

Scrutinising practices

Some security experts say the company's data security practices were not as sophisticated as one would typically expect from a major internet company.

For example, they noted that LinkedIn does not have a chief information officer or chief information security officer.

Those are positions that typically supervise technology operations and computer security at large corporations.

Company spokeswoman Erin O'Hara said the company did not have managers with those titles, but that its senior vice president for operations, David Henke, oversees LinkedIn's security team.

Several experts said the company fell down in the way it encrypted, or scrambled, the passwords that were stored in the database.

Jeffrey Carr of Taia Global said LinkedIn did not follow an industry standard for encryption, which requires use of a technique known as "salting" that greatly increases the amount of time and computer power needed to crack an encrypted password.

There could be legal repercussions for that failure to comply with industry standards, said Gerald Ferguson, an attorney at Baker Hostetler who is an expert on privacy and intellectual property law.

He said that LinkedIn could face lawsuits if accounts had been breached since its terms of use say it employs the industry standard for security.

"If they can demonstrate that information hadn't been comprised, that would certainly give them a defense," Ferguson said.

Company representatives declined to respond to the criticism of their techniques for protecting passwords or any potential legal implications.

Their user statement spells out the steps it will take to protect customer data and the risks customers face.

"Personal information you provide will be secured in accordance with industry standards and technology," according to the privacy policy on linkedin.com.

"Since the Internet is not a 100 percent secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn," it cautions.

"There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards."

(Reporting by Edwin Chan, Jim Finkle, Jennifer Saba and Basil Katz; Editing by Peter Cooney, Richard Chang and Robert Birsel)