OMG! My Linkedin password was leaked. What now? Change my password and wait for another breach!
Yes, it’s happened to me! Security Consultant/Hacker got pwned ;)
On the 20th of May 2016, just days after LinkedIn confirmed yet another huge data breach, I tweeted this:
I was 99% sure that my password was not part of the database, as I had not noticed any suspicious activity on my account. I was using a ‘strong’ password for my LinkedIn account and slept well. Four days later I received an email from the Have I been pwned website proving that I was wrong:
A quick look at the same website confirmed this and here is where the story begins.
In this post I will explain how you can check whether your password was leaked, how to check the login history of your LinkedIn account, how to change the password and how to enable 2FA. Let’s start.
So, first of all, go to the Have I been pwned website and type in the email address(es) that you use most often or with your LinkedIn account. If your email was leaked, you will see a big red banner as above. But don’t worry, that doesn’t mean your password was compromised. Well, at least if your password wasn’t ‘123456’ ;) I encourage you to use the ‘Notify me when I get pwned’ feature and add your email address(es) so you will know about it in the future if the worst happens.
Now it gets even better. If you are a SysAdmin, or somehow responsible for your company’s DNS or for security inside-out, you can verify the domain your company owns and check whether any of the corporate emails were included in the database. The link is here: https://haveibeenpwned.com/DomainSearch
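The post checks an email address by hand on the website. The same service also lets you check a password itself without ever sending it anywhere, via the Pwned Passwords range API (https://api.pwnedpasswords.com/range/{first 5 hex chars of SHA-1}): only the first five characters of the hash leave your machine, and you compare the remaining 35 characters locally against the returned list. The code below is an added example, not from the post or from Have I been pwned; the sample response is constructed (the first suffix is the genuine tail of SHA-1("password"), the counts are made up), and the network fetch is included but not exercised, so the check runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response (a real one is hundreds of lines).
# Documented format: "<35 hex chars of SHA-1 suffix>:<times seen in breaches>".
# The first line is the genuine tail of SHA-1("password"); the counts are made up.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "011053FD0BB4D3B2EBEBDA9A20DC7A8D8A0:2\r\n"
)


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the machine
    (k-anonymity: every password sharing the prefix looks the same to the server)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn the 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Real network lookup (not exercised in the offline demo): GET one range."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """Return how many times the password appears in the corpus (0 = not seen).
    `fetch` is injectable so the lookup can be tested without a network."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    # Offline demo against the constructed sample; drop the fetch= argument
    # to query the live service.
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw, fetch=lambda prefix: SAMPLE_RANGE_RESPONSE)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the sample range")
```

A password that comes back with a non-zero count has been seen in a breach corpus and should be retired even if it looks strong.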
Immediately after receiving my email, I logged in to my Linkedin profile and navigated to check my active sessions. You can do the same, here is the link: https://www.linkedin.com/psettings/sessions.
Good news! I saw a couple of active sessions, but only from Dublin, Ireland and only from IPs that I recognise. So no panic! It’s time to change my ‘old password’. Let’s stop here for a moment and ask yourself: “When did I last change my password?” If you are asking me — about 4 years ago! Yes, I know. I should do it more often but… you know, Security Consultants are busy these days.
To change the LinkedIn password, go to this link: https://www.linkedin.com/psettings/change-password or find the same link under ‘Privacy & Settings’ under your profile. I encourage you to use the ‘Sign out of all sessions’ button below the new password, to make sure that you will be signed out from all devices, mobile phones and other locations (for me it was around 16 active sessions, as far as I remember). To generate a new password I used the LastPass manager, saved it and confirmed everything. My new password is now longer, random, and “more secure” ;) Happy days.
Following the easy procedure of changing my password, I decided to activate 2FA, just because I can. This can be found under Privacy > Security > 2FA or via the direct link https://www.linkedin.com/psettings/two-step-verification. After adding my mobile number I received a verification text message and that’s it! Password changed, 2FA enabled — happy days :) The last thing I did (not strictly necessary) was to clear all my browser’s cache, cookies and data.
Time to summarise and take some lessons from this mess. This is my summary:
- Change passwords more often — let’s say once every 9–12 months.
- Use a password manager like LastPass to keep track of new passwords. LastPass can change your passwords automatically if you allow that in its settings.
- Use long, randomly generated passwords — usually over 16 characters (I like to keep them longer than 20 if possible).
- Enable 2FA where you can
- Don’t panic… it will happen again
You are probably wondering why I said “don’t panic” — well, just because, from what we know, the database was not in plain text, so the bad guys who got the passwords need to crack the SHA-1 hashes first. From what I checked, my LinkedIn password was strong enough and I am pretty sure it will take someone a long time to break it.
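The two points above, long random passwords and “it will take someone a long time to break this”, can be put into numbers. The LinkedIn hashes were unsalted SHA-1, a fast hash with no per-user salt, so one guess tests every account at once and the only thing standing between an attacker and your account is the size of the space they have to search. The example below is added here and is not the post’s own code; it generates a manager-style random password with Python’s `secrets` module, computes the entropy of a few password shapes, and estimates the average exhaustive-search time. The guess rate of 10^10 SHA-1 hashes per second is an assumption for illustration, not a measured figure; change it and only the scale moves, not the conclusion.

```python
import hashlib
import math
import secrets
import string

# 94 printable ASCII symbols: upper, lower, digits, punctuation
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# ASSUMPTION (not from the post): a rough guess rate for a GPU rig against
# unsalted SHA-1. The exact figure only scales the answer; the gap between
# "microseconds" and "longer than the universe" is what matters.
ASSUMED_SHA1_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=24, alphabet=ALPHABET):
    """Random password drawn from the OS CSPRNG (what a manager does for you)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def unsalted_sha1(password):
    """The 2012 LinkedIn storage scheme: one fast, unsalted SHA-1 per password.
    Identical passwords give identical hashes, so one guess tests every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def expected_crack_years(bits, guesses_per_second=ASSUMED_SHA1_GUESSES_PER_SECOND):
    """Average exhaustive-search time in years: on average the password is found
    halfway through the keyspace, and every guess is one fast hash."""
    return (2.0 ** bits) / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare(password_shapes, guesses_per_second=ASSUMED_SHA1_GUESSES_PER_SECOND):
    """Return [(label, bits, years)] for each (label, length, alphabet_size)."""
    rows = []
    for label, length, alphabet_size in password_shapes:
        bits = entropy_bits(length, alphabet_size)
        rows.append((label, bits, expected_crack_years(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    shapes = [
        ("6 digits (e.g. 123456)", 6, 10),
        ("8 lowercase letters", 8, 26),
        ("16 chars, full ASCII", 16, 94),
        ("24 chars, full ASCII", 24, 94),
    ]
    for label, bits, years in compare(shapes):
        print(f"{label:<24} {bits:6.1f} bits  ~{years:.3g} years")
    pw = generate_password(24)
    print("generated:", pw, "->", unsalted_sha1(pw))
```

The estimate is for a truly random password; a dictionary word with a digit on the end has far fewer bits than its length suggests, which is why the post recommends a generator rather than something memorable.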
If you want to read more about this, go to Troy Hunt’s page (link below).
Troy Hunt: “Last week there was no escaping news of the latest data breach. The LinkedIn hack of 2012 which we thought had "only…” (www.troyhunt.com)
If you like this post, please follow me, share this blog and post about it on Twitter. More security stories coming soon.