On Monday December 13th, LinkedIn.com sent an email message informing me that my LinkedIn account had been disabled:
"In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe. We have recently disabled your account for security reasons."
I like LinkedIn as I use it heavily for business networking and job leads. However, this email didn't provide any details about the event that triggered the security action. It advised me to reset my password, which I did successfully. I would have preferred a more detailed explanation.
On Wednesday morning December 15th, LinkedIn sent a follow-up email message:
"We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)
This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.
There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password."
Earlier in the week, I had briefly read about the Gawker breach, but didn't think too much about it. Then, the ZDNet U.K. website reported on the LinkedIn event. Apparently, about 1.3 million email addresses and passwords were exposed or stolen during the Gawker breach. NPR reported one consequence: identity thieves used the stolen email addresses and passwords to break into Twitter accounts and send out spam. I then used the Slate widget to check if I was a breach victim. I was.
The Gawker breach highlights the interconnected risks when using social networking sites:
1. A breach at one social networking site can place all of your personal information at risk if you use the same sign-in credentials (e.g., email address and password) to submit comments at multiple social networking sites.
2. A breach at one social networking site can place your banking and financial information at risk if you use the same sign-in credentials at both social networking sites and banking, financial, and shopping sites.
3. A breach at one social networking site can place your email account(s) and contacts' information at risk if you use the same sign-in credentials at social networking sites and at your email provider(s).
Thankfully, I use different sign-in credentials across #1, #2, and #3. Yet, the risks from #1 can multiply quickly if you have set up automated posting at multiple social networking sites. If you are like most people, you don't remember all of the websites you have signed in to post comments at. I know that I don't remember all of the websites I have posted comments at.
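The follow-up email from LinkedIn describes exactly the defensive check a site can run after a third-party breach: compare the leaked email addresses against its own member list and force a reset where they overlap. The script below is an added example, not LinkedIn's or Gawker's code, and it assumes a constructed member table (salted PBKDF2 hashes) and a constructed "email:password" dump. It goes one step beyond the email-only match in the text: where the dump carries a plaintext password, it verifies that password against the member's stored hash, so confirmed reuse (risk #1 above) is separated from a mere email overlap and gets the stronger response.

```python
import hashlib
import hmac
import os

# Assumed action labels for the two outcomes (constructed for this example).
REUSE_CONFIRMED = "reuse-confirmed: force reset, invalidate sessions, notify"
EMAIL_OVERLAP = "email-overlap: precautionary reset and notification"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for whatever hash the site stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_member(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed member table: Bob reuses "hunter2", Alice does not.
MEMBERS = [
    make_member("Alice@Example.com", "correct horse battery"),
    make_member("bob@example.com", "hunter2"),
    make_member("carol@example.com", "unique-and-long"),
]

# Constructed sample of a third-party dump in "email:password" form
# (the real Gawker dump was hashed; plaintext is assumed here to show the verify step).
BREACH_DUMP = """\
alice@example.com:hunter2
BOB@example.com:hunter2
dave@example.com:letmein
"""


def normalize(email: str) -> str:
    # Leaked data and member data rarely agree on case or whitespace.
    return email.strip().lower()


def parse_dump(text: str) -> dict:
    """Map normalized email -> set of leaked passwords; skip malformed lines."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds.setdefault(normalize(email), set()).add(password)
    return creds


def verify(member: dict, password: str) -> bool:
    candidate = hash_password(password, member["salt"])
    return hmac.compare_digest(member["hash"], candidate)


def triage(members: list, dump_text: str) -> dict:
    """Return {email: action} for every member whose email appears in the dump."""
    leaked = parse_dump(dump_text)
    actions = {}
    for member in members:
        email = normalize(member["email"])
        if email not in leaked:
            continue
        if any(verify(member, pw) for pw in leaked[email]):
            actions[email] = REUSE_CONFIRMED
        else:
            actions[email] = EMAIL_OVERLAP
    return actions


if __name__ == "__main__":
    for email, action in sorted(triage(MEMBERS, BREACH_DUMP).items()):
        print(f"{email}: {action}")
```

Alice is flagged only for a precautionary reset (her leaked password does not verify), Bob's reuse is confirmed, Carol is untouched, and Dave is not a member at all. Verifying the leaked password against the stored hash is the one step a site can take that the user cannot; it costs one hash computation per overlapping account.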
It was good, proactive customer service by LinkedIn to disable my account and then explain the reason why. Youtube.com also sent a notification via email. At first I saw no notification from Gawker. Not good. As it turned out, Gawker's notification had been trapped in my spam folder. Once I located the email, I was able to quickly access the Gawker breach FAQ page. The Gawker breach also highlights the need for consumers to practice good data security habits:
- Don't use the same sign-in credentials everywhere online,
- Use strong passwords,
- Don't use any of these weak passwords,
- Consider a software tool to manage your online sign-in credentials, and
- Update your passwords every 90 days.
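The habits above are the user's side; the checks below are what a site can enforce at password-set time to back them up. This is an added example, not code from LinkedIn or Gawker, and the blocklist it uses is a constructed stand-in for a published list of weak passwords. It rejects short passwords, blocklisted ones, ones containing the account's own email name, and (for the 90-day rotation habit) any password that matches a salted hash in the account's history, so the history itself never stores plaintext.

```python
import hashlib
import hmac
import os

# Constructed blocklist; a deployment would load a much larger published list.
WEAK_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123", "iloveyou"}


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(password: str) -> tuple:
    """Retire a password into history as (salt, hash); plaintext is never kept."""
    salt = os.urandom(16)
    return (salt, pbkdf2(password, salt))


def check_password(candidate: str, email: str, history: list, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Normalise before the lookup so "Password " is caught like "password".
    if candidate.strip().lower() in WEAK_PASSWORDS:
        problems.append("on the weak-password blocklist")
    # A password built from the login name is guessable from the leaked email alone.
    local_part = email.split("@", 1)[0].lower()
    if len(local_part) >= 3 and local_part in candidate.lower():
        problems.append("contains the account's email name")
    # Rotation is pointless if the "new" password is an old one.
    for salt, digest in history:
        if hmac.compare_digest(digest, pbkdf2(candidate, salt)):
            problems.append("reused from password history")
            break
    return problems


if __name__ == "__main__":
    old = remember("Tr0ub4dor&3-longer!")
    for pw in ("password", "carol2010!!!!", "Tr0ub4dor&3-longer!", "a-fresh-and-long-one"):
        print(f"{pw!r}: {check_password(pw, 'carol@example.com', [old]) or 'accepted'}")
```

Returning every violation rather than stopping at the first lets the user fix all of them in one attempt; the blocklist and history checks are the two that most directly address the credential-reuse risk this breach exposed.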
Do you practice good data security habits? Does your employer? Did you read and act on the email from LinkedIn?