While Facebook's stock languishes, shares of the world's most popular social network for professionals, LinkedIn, have been treated far more kindly. With a forward price-to-earnings ratio of approximately 75, investors are betting that LinkedIn's future is bright.

But the company may be in for a rough patch as word broke today that some 6.5m passwords have been stolen from the social network.

The good news: the passwords are hashed, meaning that hackers can't actually log into compromised accounts. The bad news: the passwords are unsalted, meaning those in possession of the hashed passwords will likely have a far easier time cracking them.

According to Graham Cluley, a senior technology consultant at security vendor Sophos, the compromised passwords are apparently hashed using the SHA-1 algorithm, which researchers have shown to be subject to attack. If hackers are able to crack the passwords and they have the associated email addresses -- something that Cluley suggests is reasonable to assume -- LinkedIn could have a real problem on its hands.

The timing couldn't be worse for LinkedIn. Yesterday, two security researchers announced that LinkedIn's iOS application is sending app users' calendar entries to its servers in plaintext. They explained:

LinkedIn’s mobile application has an interesting feature that allows users to view their iOS calendars within the app. However, it turns out that LinkedIn have decided to send detailed calendar entries of users to their servers. The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes. If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every time you open your LinkedIn app.

The researchers, Adi Sharabani and Yair Amit, suggest that LinkedIn technically doesn't need to submit all of this data to its servers to provide calendar synchronization functionality, and point out that in any case, LinkedIn's approach may run afoul of Apple's privacy guidelines, which forbid apps from transmitting user data without the user's permission.

Both the app issue and the apparent password compromise highlight a disturbing fact: even the biggest and best web companies are still making huge mistakes that have significant security implications for their users. In the case of the iOS app, LinkedIn may not have been acting with poor intent (a la, perhaps, Path), but that doesn't mean that its poor approach didn't put users at risk. And in the case of the password breach, the fact that LinkedIn didn't follow a long-established best practice (salting passwords) is quite surprising.

Both flaws serve as a strong reminder to users of online services: you should trust that the companies you engage with want to do the right things, but you can never assume that they're actually doing the right things.
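The salting point above, as an added example that is not from the original article or from LinkedIn's code: it stores the same constructed passwords once as bare SHA-1 digests and once with a per-user random salt and a slow key-derivation function, then checks which users end up with identical stored values. The account names, passwords, PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for illustration; the article itself names only salting.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts (not data from the breach); two users share a password.
ACCOUNTS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "S0me-l0nger-phrase"}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes: a bare, unsalted SHA-1 digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 with a per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def accounts_sharing_a_hash(stored: dict) -> list[list[str]]:
    """Group users whose stored values are identical, as a leaked table would show."""
    groups: dict = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(g for g in groups.values() if len(g) > 1)


def demo() -> None:
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    strong = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    print("unsalted SHA-1, identical stored values:", accounts_sharing_a_hash(weak))
    print("salted PBKDF2, identical stored values:", accounts_sharing_a_hash(strong))


if __name__ == "__main__":
    demo()
```

With unsalted digests, one precomputed guess matches every account that uses that password; with per-user salts each stored value has to be attacked separately, and the iteration count makes each guess expensive.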


Published 6 June, 2012 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy. Follow him on Twitter.


Comments (3)


Ross

This is scary stuff. LinkedIn should address this right away. I'm a LinkedIn user and I never thought this could happen.

about 4 years ago


Ivor Morgan, Personal

I'm shocked that I have had no communication from LinkedIn regarding this - even 2 days after news broke.
There isn't even a pop-up warning on the home page.
No way to treat user security, LinkedIn!

about 4 years ago


Andrew

With the P to E ratio at 75, I think LinkedIn is a safer investment because it is built around professionalism whereas Facebook is now becoming a Myspace type social network.

LinkedIn is always gaining popularity and is more useful than Facebook in my opinion.

almost 4 years ago
