{"id":627,"date":"2016-05-25T10:07:40","date_gmt":"2016-05-25T14:07:40","guid":{"rendered":"http:\/\/www.davideriknelson.com\/sbsb\/?p=627"},"modified":"2016-05-25T10:07:40","modified_gmt":"2016-05-25T14:07:40","slug":"i-have-been-pwned-you-probably-have-too-alt-title-god-fucking-dammit-linkedin","status":"publish","type":"post","link":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/2016\/05\/i-have-been-pwned-you-probably-have-too-alt-title-god-fucking-dammit-linkedin\/","title":{"rendered":"I Have Been Pwned; You Probably Have, Too (Alt Title: &#8220;God Fucking Dammit, LinkedIn!!!&#8221;)"},"content":{"rendered":"<h2>THE SHORT\u00a0VERSION<\/h2>\n<p class=\"p1\"><strong><span class=\"s1\">If you use LinkedIn, then your email and LinkedIn password have probably been compromised.<span class=\"Apple-converted-space\">\u00a0 <\/span>If you reuse the same password across several sites, then you are likely a total sitting duck waiting to get exploited.<span class=\"Apple-converted-space\">\u00a0 <\/span>Go change passwords <i>NOW!<\/i><\/span><\/strong><\/p>\n<h2>THE LONG VERSION<\/h2>\n<p class=\"p1\"><span class=\"s1\">This breach seems to have\u00a0gotten less press than usual, even though it&#8217;s liable to have a broader impact on folks, so I want to make sure it&#8217;s\u00a0on everyone\u2019s radar: \u00a0<\/span><\/p>\n<p class=\"p1\"><strong>An <em>enormous<\/em>\u00a0hack of LinkedIn accounts has surfaced <\/strong>(<a href=\"https:\/\/www.troyhunt.com\/observations-and-thoughts-on-the-linkedin-data-breach\/\">details<\/a>)<strong>. 
\u00a0Crackers\u00a0snagged ~164mil login credentials; since the passwords were stored as unsalted hashes (i.e.\u00a0\u201cnot securely\u201d), the <em>vast<\/em>\u00a0majority of these passwords were cracked.<\/strong><\/p>\n<p class=\"p1\">I took the liberty of checking a couple friend\/client email addresses while I checked mine (<a href=\"https:\/\/haveibeenpwned.com\/\">using this tool<\/a>), and found that most of the emails I checked\u00a0were included in the hack (as was I). \u00a0LinkedIn hasn&#8217;t proactively informed anyone I&#8217;ve contacted about this. So, I\u2019m spreading the word.<\/p>\n<p class=\"p1\"><span class=\"s1\">The immediate problem is losing control of your LinkedIn account (which, let&#8217;s be real, doesn&#8217;t necessarily mean much for most people). \u00a0The bigger problem is that many folks reuse the same password on many sites. \u00a0If the\u00a0email:password you used on LinkedIn is the same as the one you used on Twitter or Facebook or Gmail, then those accounts are now also up for grabs. \u00a0While a LinkedIn account may be of limited value to criminals, a Twitter or Gmail account can be much more useful, and a bank or credit card account\u2014let\u2019s not dwell on it. \u00a0Did you\u00a0start changing passwords yet? \u00a0<em><strong>Go change passwords NOW.<\/strong><\/em><\/span><\/p>\n<h3>THINGS TO DO RIGHT NOW<\/h3>\n<ol>\n<li class=\"p1\"><span class=\"s1\">Go here\u00a0(Yeah, it looks sketchy; it\u2019s legit)\u00a0<a href=\"https:\/\/haveibeenpwned.com\/\">https:\/\/haveibeenpwned.com\/<\/a><\/span><\/li>\n<li class=\"p1\"><span style=\"line-height: 1.75;\">Plug in the email address you use to log into LinkedIn (or any email you use to log in to any site; this service tracks many\u00a0data breaches)<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">If you get a green bar, you lucked out. 
\u00a0If you get a red bar with \u201coh no!\u201d in it, continue to step #4<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">Read whatever details the site offers about the breach(es) you&#8217;ve been included in, and change your password(s) immediately.<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\"><strong><em>Also<\/em><\/strong> set a new password anywhere else that you used that same password.\u00a0<\/span><\/li>\n<\/ol>\n<h3>EXTRA CREDIT<\/h3>\n<p class=\"p1\"><span class=\"s1\">Passwords are inherently crappy. \u00a0It\u2019s just a fact of life. \u00a0Consider upping your security in two ways:<\/span><\/p>\n<ol>\n<li class=\"p1\"><span class=\"s1\"><strong>Set up \u201ctwo-factor authentication\u201d<\/strong> (also called \u201c2FA\u201d) on any account that lets you do so. \u00a0Different sites have different systems (and, alas, call them different things), but they all boil down to the same thing: Once 2FA is set up, logging into your email account (or whatever) will have an extra step. \u00a0First you enter your username and password and hit submit (like normal). \u00a0Then they ding your phone (either with a txt or via app) and wait for you to respond (either by clicking \u201caccept\u201d on the app or entering the six-digit code they\u2019ve texted you). If you don\u2019t respond, you can\u2019t get in. \u00a0This makes it impossible for someone to log into your account unless they have your username, password, and your phone. \u00a0Much more secure. \u00a0(I\u2019ve added 2FA to several personal web tools\u00a0I depend on, as I was getting hammered with a brute force attack a couple weeks back.)<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\"><strong>Please seriously consider using a\u00a0\u201cpassword manager\u201d or \u201cpassword locker.\u201d<\/strong> \u00a0This is a piece of software (or service) that securely stores your usernames and passwords for all of your accounts. 
\u00a0That way, you don\u2019t have to choose easily remembered passwords for all of your accounts. \u00a0Instead, you choose one very good password for your locker, and then let the locker generate insanely hard passwords for your individual accounts (all of my passwords are now 20+ characters long and randomly generated). \u00a0Lots of folks like <a href=\"https:\/\/lastpass.com\/\">LastPass<\/a> and <a href=\"https:\/\/1password.com\/\">1Password<\/a>. \u00a0I prefer <a href=\"https:\/\/www.keepassx.org\/\">KeePassX<\/a> and use <a href=\"https:\/\/itunes.apple.com\/us\/app\/minikeepass-secure-password\/id451661808?mt=8\">MiniKeePass<\/a> on my phone (I have lots of nit-picky reasons, but the tl;dr: The software implements good encryption algorithms in a secure way; it&#8217;s open source and well vetted; it&#8217;s not &#8220;cloud based&#8221;\u2014&#8220;<em>the cloud<\/em>&#8221; is just &#8220;<em>some other dude&#8217;s computer<\/em>&#8221; [with all that implies, viz. security risks], and a cloud computer full of the master keys to folks&#8217; online lives strikes me as an attractive nuisance, at best).<\/span><\/li>\n<\/ol>\n<p class=\"p1\"><span class=\"s1\">Sorry to be your bad news bear today; I hope you all get green bars\u00a0and nonetheless <em><strong>CHANGE YOUR PASSWORDS, GET A PASSWORD MANAGER, AND START USING 2FA WHENEVER YOU CAN!!!<\/strong><\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>THE SHORT\u00a0VERSION If you use LinkedIn, then your email and LinkedIn password have probably been compromised.\u00a0 If you reuse the same password across several sites, then you are likely a total sitting duck waiting to get exploited.\u00a0 Go change passwords NOW! 
THE LONG VERSION This breach seems to have\u00a0gotten less press than usual, even though &hellip; <a href=\"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/2016\/05\/i-have-been-pwned-you-probably-have-too-alt-title-god-fucking-dammit-linkedin\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;I Have Been Pwned; You Probably Have, Too (Alt Title: &#8220;God Fucking Dammit, LinkedIn!!!&#8221;)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_share_on_mastodon":"1"},"categories":[11,8],"tags":[38,39,40,41],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/posts\/627"}],"collection":[{"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/comments?post=627"}],"version-history":[{"count":7,"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/posts\/627\/revisions"}],"predecessor-version":[{"id":634,"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/posts\/627\/revisions\/634"}],"wp:attachment":[{"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/media?parent=627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/categories?post=627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.davideriknelson.com\/sbsb\/index.php\/wp-json\/wp\/v2\/tags?post=627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}