Today after widespread reporting that a Russian hacker had posted 6.5 million LinkedIn passwords on the Internet, the company officially confirmed the breach and urged users to log in and change their passwords.
But no one has yet talked about the incredible threat that remains even after users do update their password on LinkedIn – the vulnerability that remains on every other service that shares the same user login details.
In the past I’ve written about How I’d Hack Your Weak Passwords, and the most important thing to consider is the fact that most people use the same login name and password combination for many or all of the sites they log into. And hackers know this very well.
Most people think that in the grand scheme of things, losing your LinkedIn account is not a big deal. After all, what are they going to do – post some porn on your profile? But if you stop and think about it, LinkedIn uses your email address and password as a matching combination to get into their safe. And so do many other sites – Amazon.com for example. Or maybe your email account?
The value in obtaining the LinkedIn password list is not the fact that they can access your social media account. It's all the other stuff they can do with your password combination. Let's look at a real example.
Let’s suppose you are one of the 350 million Google Mail users, and you used that email, and your same password, to create your LinkedIn account. Well, now a hacker can do the following:
- Obviously, get into your LinkedIn account.
- Access your Gmail account and read all your mail.
- Attempt to log into your bank (or Amazon or ANY other account configured with your Gmail address as the primary email), and even if you use a different password there, they can send a password reset request to YOUR email, at which point they can change your password, locking you out and gaining access at the same time.
- They could now go through and have replacement credit cards sent to another address after changing it online, and then go through taking over the rest of your life.
So, with this one simple breach, a hacker can now order merchandise from your Amazon account, transfer money out of your bank, blackmail you with those private emails they found, and much, much more…
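The chain above is easiest to reason about as two separate checks: is my password in the dump at all, and if so, which of my other accounts does that one password expose, directly or through an email password reset. The following script is an added example and is not code from the post or from LinkedIn. The breached-password corpus and the account inventory are constructed sample data, and the lookup models a hashed k-anonymity range query (send only the first five hex characters of the SHA-1, match the remainder locally) so that the plaintext password and its full hash never leave the machine.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus. The real 2012 LinkedIn
# dump circulated as unsalted SHA-1 hashes; this list is sample data only.
CONSTRUCTED_BREACH = ["Summer2012!", "password123", "letmein"]

# Constructed account inventory: site -> (login email, password).
CONSTRUCTED_ACCOUNTS = {
    "linkedin.com":  ("alice@gmail.com",    "Summer2012!"),   # the dumped site
    "gmail.com":     ("alice@gmail.com",    "Summer2012!"),   # mailbox, same password
    "amazon.com":    ("alice@gmail.com",    "Summer2012!"),   # same password
    "bank.example":  ("alice@gmail.com",    "Xk9#q7!pLm2v"),  # different password
    "forum.example": ("alice@other.example", "Summer2012!"),  # same password, other email
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form most leaked hash sets are compared in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_passwords):
    """Group hashes by 5-hex-char prefix, as a k-anonymity range service does.
    Each bucket maps hash suffix -> number of occurrences in the corpus."""
    index = defaultdict(dict)
    for pw in breached_passwords:
        h = sha1_hex(pw)
        bucket = index[h[:5]]
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


def is_breached(password: str, index) -> int:
    """Return how many times the password appears in the corpus.
    Only the 5-char prefix is 'sent'; the suffix match happens client-side."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    bucket = index.get(prefix, {})          # what the range query would return
    return bucket.get(suffix, 0)


def reuse_audit(accounts, leaked_site):
    """Given the site whose credentials were dumped, list the other accounts that
    must be rotated. 'direct' = same password (mailbox listed first, since it is
    the reset channel for everything else); 'via_reset' = different password but
    reachable through a password reset once the mailbox falls."""
    leaked_email, leaked_pw = accounts[leaked_site]
    mailbox = leaked_email.split("@", 1)[1]

    direct = [site for site, (_, pw) in accounts.items()
              if site != leaked_site and pw == leaked_pw]
    direct.sort(key=lambda site: site != mailbox)   # stable: mailbox to the front

    via_reset = []
    if mailbox in direct:
        via_reset = [site for site, (email, _) in accounts.items()
                     if site != leaked_site and site not in direct
                     and email == leaked_email]
    return {"direct": direct, "via_reset": via_reset}


INDEX = build_range_index(CONSTRUCTED_BREACH)

if __name__ == "__main__":
    pw = CONSTRUCTED_ACCOUNTS["linkedin.com"][1]
    print("LinkedIn password seen in breach corpus:", is_breached(pw, INDEX), "time(s)")
    report = reuse_audit(CONSTRUCTED_ACCOUNTS, "linkedin.com")
    print("Rotate now (same password):", report["direct"])
    print("Exposed via email reset:   ", report["via_reset"])
```

The audit deliberately treats the mailbox as a special case: once the mailbox password is the leaked one, every account registered to that address is exposed regardless of its own password, which is exactly why the bank account with a strong, unique password still lands in the `via_reset` list.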
The only response for those 6.5 million users is to immediately log in and change your password, not only on the LinkedIn site, but on ALL sites that use that password and login combination. So please, for the love of God, protect yourself now – and help spread the word so others can take appropriate action too.