The Globe and Mail

After hack, LinkedIn brings encryption up to industry standard

In this May 9, 2011 file photo, LinkedIn Corp., the professional networking Web site, displays its logo outside of headquarters in Mountain View, Calif. LinkedIn said Wednesday, June 6, 2012, it is investigating reports that more than six million passwords have been stolen and leaked onto the Internet.

Paul Sakuma/AP

Social networking website LinkedIn Corp said it will provide an additional layer of online security to its members following last week's data breach, while adding that stolen passwords were not published with corresponding email logins.

Some cyber security experts had earlier said LinkedIn did not have adequate protections in place, and warned that the company could uncover further data losses over the coming days as it tries to find out what happened.

Late on Tuesday, the company said all member passwords were now "salted" -- a technique that greatly increases the time and computer power needed to crack an encrypted password.

The company, which has more than 160 million members on its site, said there had been no reports of accounts compromised by password theft.

Some security experts say the company's data security practices were not as sophisticated as one would typically expect from a major Internet company.

For example, they noted that LinkedIn does not have a chief information officer or chief information security officer.

Those are positions that typically supervise technology operations and computer security at large corporations.

Company spokeswoman Erin O'Hara said the company did not have managers with those titles, but that its senior vice president for operations, David Henke, oversees LinkedIn's security team.

LinkedIn has hired outside forensics experts to assist as company engineers and the FBI seek to determine how more than 6 million customer passwords turned up on underground sites frequented by criminal hackers.

Several experts said the company fell down in the way it encrypted, or scrambled, the passwords that were stored in the database.

Jeffrey Carr, chief executive of security firm Taia Global, said LinkedIn did not follow an industry standard for encryption.

There could be legal repercussions for that failure to comply with industry standards, said Gerald Ferguson, an attorney at Baker Hostetler who is an expert on privacy and intellectual property law.

He said that LinkedIn could face lawsuits if accounts had been breached since its terms of use say it employs the industry standard for security.

"If they can demonstrate that information hadn't been compromised, that would certainly give them a defense," Mr. Ferguson said.
