Earlier today I saw a tweet from some people in the security field reporting that LinkedIn had recently been hacked, with millions of passwords and email addresses collected from their database of professionals. Along with the news came a number of people strongly suggesting that anyone who uses the service change their password for the site immediately to (hopefully) prevent their account from being taken over for nefarious reasons. In my case this required a quick trip to Random.org to generate a nice, long string with numbers and mixed-case characters, and a single password update[1]. For others this could be much more devastating.
If it turns out that hackers were able to steal six-and-a-half million passwords with matching email addresses, then people may need to update a lot more than just their LinkedIn passwords. Studies have shown time and again that most humans take the easy road and have between one and three passwords in use at any given time. Most people I know have just one password that they use online for all of their services. This is just crazy. If somebody gets an email/password combination from one poorly secured system, then every other service that person uses with the same combination is in jeopardy, because the attacker only has to try the same pair elsewhere.
How many services use an email/password combination to grant access to an account? Dropbox, Twitter, Evernote, GMail (and other webmail services), and iTunes are five that I can think of off the top of my head, and you probably know even more. Of the 6.5 million accounts, what are the odds that 80% or more use the same password for LinkedIn that they do for these other services? What about services we rarely use, like the various government online taxation sites? Banks?
It's scary to think that hackers who do not have users' best interests at heart are sitting on a goldmine of personal information, starting from something as simple as an email address and a salted password hash. Hashing only buys time: a short or common password is recovered from its hash by guessing, and the recovered password then opens every other account that reuses it.
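The two points above (generate a long random password per site, and a leaked email/hash pair being enough to start from) are easier to see in code. The following is an added example, not code from the original post or from LinkedIn. It uses the OS random source instead of a web service to build a password, then runs a small dictionary attack over a constructed, hypothetical "leak" of salted SHA-1 hashes: the salt stops an attacker from using one precomputed table for everybody, but a per-user guessing loop still recovers a weak password immediately, while the generated one is never found. The salt values, email addresses, wordlist and hash scheme are all made up for the demonstration.

```python
import hashlib
import secrets
import string

# Mixed-case letters and digits, as in the password described in the post.
ALPHABET = string.ascii_letters + string.digits


def has_required_classes(password):
    """True if the password contains a lowercase letter, an uppercase letter and a digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def generate_password(length=24):
    """Random alphanumeric password from the OS CSPRNG (secrets), re-drawn until
    all three character classes are present. Use a fresh one for every site."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_required_classes(candidate):
            return candidate


def salted_sha1(password, salt):
    """Hypothetical storage scheme for the demo: SHA-1(salt || password) as hex."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


# Constructed wordlist of common passwords (tiny here; real ones have millions).
WORDLIST = ["password", "letmein", "linkedin", "123456", "qwerty", "welcome1"]


def build_leak():
    """Constructed sample of what a leaked table might look like: (email, salt, hash).
    alice reused a common password; bob used a generated one."""
    salt_alice = b"8f3a"
    salt_bob = b"c07d"
    return [
        ("alice@example.com", salt_alice, salted_sha1("welcome1", salt_alice)),
        ("bob@example.com", salt_bob, salted_sha1(generate_password(), salt_bob)),
    ]


def crack(rows, wordlist):
    """Per-user dictionary attack. The salt forces one hash per guess per user
    (no shared table), but that is only a constant-factor slowdown for weak passwords."""
    recovered = {}
    for email, salt, digest in rows:
        for guess in wordlist:
            if salted_sha1(guess, salt) == digest:
                recovered[email] = guess
                break
    return recovered


if __name__ == "__main__":
    print("fresh password:", generate_password())
    for email, password in crack(build_leak(), WORDLIST).items():
        print(f"{email}: {password}  <- now try this pair on every other site")
```

Running it prints a fresh 24-character password and recovers only alice's account; every service where alice reused "welcome1" is now exposed to exactly the email/password replay the post warns about, while bob's 24-character random password is not in any wordlist.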
If you do use LinkedIn, I strongly urge you to change your password right now. Don't even finish reading this sentence. Go and do it. If you use the same password on many different sites, then go and change it on every one of those sites too, and give each site its own password so the next leak only costs you one account. There is really no excuse not to.
