It’s been more than 24 hours since the first reports that hackers stole passwords from millions of LinkedIn users. The company’s response so far indicates it has learned nothing from other hacking episodes and has chosen instead a head-in-the-sand approach that hangs users out to dry. LinkedIn should instead have taken a page from Sony, which has learned the hard way how to handle a security breach.
In April of 2011, Sony blew it badly when it waited a week to tell PlayStation owners about the “largest identity theft in history,” in which hackers took credit-card numbers and email addresses. Sony customers responded with outrage and a lawsuit. In October, the hackers struck again but this time Sony responded with a rapid blog post and an email describing what had happened and who was affected (even though the hack affected fewer than 0.1% of users). The company’s disclosure was hailed with dozens of thankful messages.
Contrast the October response by Sony with LinkedIn’s performance yesterday. Even as news sites posted alarming early morning messages that warned LinkedIn users to change their passwords, the company said nothing. By late morning, LinkedIn issued a patronizing blog post saying it was investigating the hacking reports and offered “best practices” for its users to follow. By mid-afternoon, the company issued a follow-up post that finally acknowledged some passwords had been compromised — but also reiterated its earlier intimation that users were in part responsible for the situation.
Ironically, by the time that LinkedIn finally admitted something was wrong, tech types had already provided a tool that let users check for themselves whether their accounts were among the 6.5 million that had been cracked. The tool said my own password had been compromised and it appears that even those who had deleted their accounts were in this position:
Security experts are equally unimpressed and are blasting the company for using half-assed encryption techniques. The situation appears even worse for those members who also belong to dating website e-Harmony, which was also hacked. As one security expert told Reuters:
“When somebody has the keys to your business and personal kingdom, that gives them all sorts of powerful information. They might be able to use it for years.”
Despite all this, LinkedIn is maintaining its implausible claim (remember that this is a sophisticated technology company) that it was the last to know that millions of its users’ accounts were being dangled on the internet.
As this debacle unfolds, LinkedIn continues to do remarkably little to tell its users about what exactly is going on. Even though it pledged to email affected users, the only message I’ve received is another of those infernal promotional emails from which it’s impossible to unsubscribe.
The company’s response so far has been of a piece with its pattern of overall contempt for its customers (such as permitting its app to vacuum up users’ meeting notes). For this it will be punished — not just with consumer anger but, almost certainly, with a lawsuit.
LinkedIn should have learned from Sony. Coming clean right away is better for all involved. And people will like you better too.
(Image by Suzanne Tucker via Shutterstock)