Gawker and LinkedIn

Post date: Dec 14, 2010 11:11:35 PM

Recently, the Gawker family of websites was hacked by someone claiming affiliation with Anonymous, the distributed hacking/activist network.

I was possibly affected, since I have an account with Consumerist, which is part of Gawker (or at least used to be?) and because of that I got an email from Gawker suggesting I change my password, which I did. I had forgotten about that account and had yet to create an entry for it in my KeePass keyring, which means I likely had one of my older, replicated-across-many-sites passwords set for that account. Fortunately I have set unique passwords at most sites by now so any damage to me should be minimal. My new Gawker Consumerist password is unique now, so even if it is compromised again, any damage is contained just to that site; a hacker could not use it to log in as me on another site.

What's interesting is an email I just received from LinkedIn:

LinkedIn Notification

Dear Lewis,

We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)

This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.

There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password.

If you haven't done that already, now is a good time to follow these steps:

  1. Go to the LinkedIn website.
  2. Click on "Sign In".
  3. Click on "Forgot Password?" and follow the directions on the website.

Please keep in mind that the best defense against these types of attacks is to have unique passwords for each site you use. You can always search our support site and our blog for more security tips.

We apologize for the inconvenience, but we feel this action is in your best interest. Thanks for your immediate attention to our request.

Sincerely,
LinkedIn Privacy Team

Note LinkedIn's chain-of-thought here:

  1. Gawker was compromised, exposing its users' passwords
  2. LinkedIn and Gawker probably have users in common
  3. Some (or many!) of those "in common" users will use the same password for both LinkedIn and Gawker
  4. To be on the safe side, LinkedIn is mandating all users change their password

It's probably a bit of overkill, but kudos to LinkedIn for playing it safe.
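
The response the email describes can be sketched as follows. This is an added example, not LinkedIn's code: the `Account` type, `force_resets` function and all addresses are hypothetical and constructed for illustration. It assumes a site matches a third-party breach list against its own accounts by email address, disables the password once per matched account, and notifies every address registered to that account.

```python
from dataclasses import dataclass

@dataclass
class Account:
    user_id: int
    emails: list                      # every address registered to the account
    password_disabled: bool = False   # True forces a reset at next sign-in

def normalize(email):
    """Trim and case-fold so ' Bob@Example.com' matches 'bob@example.com'."""
    return email.strip().casefold()

def force_resets(accounts, leaked_emails):
    """Disable passwords on accounts sharing an email with the breach list.

    Returns (user_id, address) pairs to notify. Only email addresses are
    compared; leaked passwords are never tested against local accounts.
    """
    leaked = {normalize(e) for e in leaked_emails if e.strip()}
    notices = []
    for acct in accounts:
        if acct.password_disabled:
            continue  # already handled; re-running must not re-notify
        if not any(normalize(e) in leaked for e in acct.emails):
            continue  # no overlap with the breached site
        acct.password_disabled = True
        # One notice per registered address, which is why a user with
        # several addresses receives several reset messages.
        notices.extend((acct.user_id, e) for e in acct.emails)
    return notices

def sample_accounts():
    # Constructed sample data, not real users.
    return [
        Account(1, ["lewis@example.com", "lewis.work@example.org"]),
        Account(2, ["Dana@Example.com"]),
        Account(3, ["sam@example.net"]),
    ]

# Constructed breach list with messy casing, whitespace and a blank entry.
SAMPLE_LEAK = [" LEWIS@example.com", "dana@example.com", "nobody@example.com", ""]

if __name__ == "__main__":
    accounts = sample_accounts()
    for user_id, address in force_resets(accounts, SAMPLE_LEAK):
        print(f"user {user_id}: send reset notice to {address}")
```

Matching on address alone explains the "no indication that your LinkedIn account has been affected" wording: the reset is triggered by overlap with the breach list, not by evidence that the same password was in use.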