We all know that LinkedIn was hacked and lost at least 6.5 million hashed passwords, or at least that’s how many were posted. Besides changing passwords, is anyone thinking about their LinkedIn lock-down/security settings? What about other social media? See further below for instructions on locking down LinkedIn, Facebook, Twitter, and Google+.
Change Your Passwords (Plural)
First, get your LinkedIn password changed right away. LinkedIn says that if you can log in, you were NOT compromised, but don’t trust them–always manage your own security, and don’t depend on the word of others.
Second, change the password of the email address you sign into LinkedIn with, whether you use the same password for both or not. I’d also change the password for any other application that you have shared with LinkedIn just to be safe. You probably haven’t changed those passwords in ages anyway. Then jump over to your other social media (and eHarmony if you’re lonely) and change those passwords too.
Third, if you don’t use a password safe yet, get going. This allows you to choose better passwords and safeguards the ones you write down. I recommend Bruce Schneier’s free Password Safe (it’s one of my favorite Windows programs).
Lock Down Your Social Media Configurations
Fourth, check all your social media configurations. Security Monkey has links to the lock-down guides on his blog for LinkedIn, Facebook, Twitter, and Google+. I’d suggest you skip his long introduction and go straight to the bottom for the links.
Think through the suggestions carefully, as some of them are heavy-handed. For example, on Twitter, the guide suggests 1) not using a picture in your profile, and 2) protecting your tweets, which means only those followers you specifically approve can read your tweets. The LinkedIn guide also says you should not use a picture of yourself (strange!) in your profile. Even so, I still recommend thinking through all the configuration suggestions, as some options may surprise you.
The 2-page guides also contain basic information on using the applications, which is good for newbies.
Get Used to Getting Hacked
Companies get hacked all the time, but this one was a little closer to home for most people. Getting compromised is the new reality–so get used to it. In the past 5 years, companies have let MY information get hacked at least 2 times (not counting LinkedIn), and my SSN was used by someone else. Two immediate family members have had their info compromised at least 2 times also (different companies than mine).
By the way, you and your company are probably already hacked without you knowing it. At home, when is the last time you ran antivirus, Malwarebytes*, Ad-Aware*, and Spybot Search & Destroy* scans on your home PC? When was the last time you backed up your critical files?
* All these applications are free!
At work, how do you know you’re not compromised? Do you diligently scan AND monitor your network? Do you consistently review logs? If not, and sometimes even if you do, you won’t catch all intrusions.
One company I worked for had a server in the DMZ hacked (a server that the business division would not allow the server team to upgrade). When we did forensics on the server, we discovered it had been hacked 6 months previously too. After the hack, the business team allowed us to upgrade the server and the application worked just fine–AMAZING!
Configure AND Respond
You can’t really control whether you get hacked–there are just too many pieces of hardware involved, too many drivers, applications, and configurations, and too many fingers touching all of it. BUT you can control how well you monitor your network, review your logs, and respond to an incident. I didn’t say it was cheap.
Since you can’t prevent yourself or your company from being compromised, having a good incident response plan is critical, and of course, you need to test it. And that means your backups at home, too.
3 responses to “LinkedIn Hack: Don’t Just Change Password, Reconfigure”
Good post and some timely advice. I’ve shared this one around a bit for some of my less “hackery” friends.
Good to hear from you again. Thanks for the shares. I’m looking forward to your new series of posts on website breaches/ecomm.
If you’re into forensics, check out Grayson’s blog at http://eyeonforensics.blogspot.com/
Good one. Like the previous commenter stated, timely post and good advice.