Saturday, June 09, 2012

Change your LinkedIn password - Just in case

A few days ago the news broke in the media that a hacker had managed to capture a large number of user logins and passwords from LinkedIn. The curious part is that the matter came to light because the "apparently novice" hacker posted part of the data asking for help decoding the captured passwords.

Days later I received this email, titled "Important update regarding your LinkedIn password", recommending a change of the LinkedIn account password:

Important update regarding your LinkedIn password
We recently became aware that some LinkedIn passwords were compromised and posted on a hacker website. We immediately launched an investigation and we have reason to believe that your password was included in the post. To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event. While a small subset of the passwords was decoded and published, we do not believe yours was among them.
The security of your account is very important to us at LinkedIn. As a precaution, we disabled your password, and advise you to take the following steps to reset it. If you reset your password in the last two days, there is no need for further action.
1. Type www.linkedin.com/settings directly into your browser
2. Type in your email address and press Sign In, no password necessary
3. Follow the on-screen directions to reset your password
Note: Do not reuse your old password when creating your new password. If you have been using your old LinkedIn password on other sites, we recommend that you change those passwords too.
We appreciate your immediate attention to resetting your password and apologize for the inconvenience.
Thank you,
The LinkedIn Team

In addition, LinkedIn has posted a note on its blog explaining why it recommends that LinkedIn users change their password:
It is of the utmost importance to us that we keep you, our members, informed regarding the news this week that some LinkedIn member passwords were compromised. We want to reiterate that we sincerely apologize for the inconvenience this has caused our members.
From the moment we became aware of this issue, we have been working non-stop to investigate it. While we continue to learn more as a result of our ongoing investigation, here is what we know now:
Yesterday we learned that approximately 6.5 million hashed LinkedIn passwords were posted on a hacker site. Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published.
To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event.
Since we became aware of this issue, we have been taking active steps to protect our members.  Our first priority was to lock down and protect the accounts associated with the decoded passwords that we believed were at the greatest risk. We’ve invalidated those passwords and contacted those members with a message that lets them know how to reset their passwords.
Going forward, as a precautionary measure, we are disabling the passwords of any other members that we believe could potentially be affected. Those members are also being contacted by LinkedIn with instructions on how to reset their passwords.
We are also actively working with law enforcement, which is investigating this matter.
Finally, our current production database for account passwords is salted as well as hashed, which provides an additional layer of security.
We are working hard to protect you, but there are also steps that you can take to protect yourself, such as:
  • Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.
  • Do not use the same password for multiple sites or accounts.
  • Create a strong password for your account, one that includes letters, numbers, and other characters.
  • Watch out for phishing emails and spam emails requesting personal or sensitive information.
Our efforts to protect LinkedIn members impacted by this incident are ongoing and we will continue to keep you posted here.
