3 Reasons to Be Worried About the LinkedIn Breach
Last week it was announced that Russian hackers had stolen hundreds of thousands of passwords to LinkedIn accounts. This news prompted an outbreak of frantic yawning, as the Internet collectively tried to remember if they had a LinkedIn account and whether there was anything actually in it. "I think I just had a link to my old boss from two jobs ago," the Internet eventually decided, sighing with relief. "Also maybe that one guy from high school who now has his own unpopular Web design business."
And although the Internet had collectively decided this wasn't a very big deal, knowing that a contrarian take makes for excellent linkbait, I immediately thought the exact opposite thing. Needing to come up with some sort of evidence to support the claim I'd decided I was going to make, I set to the task of research: diligently reviewing security journals and whitepapers, bravely ignoring the facts that I didn't like and shrewdly doping my editor's coffee before hitting him up to fund a trip to Russia to track down the hackers themselves.
You'll never get a Pulitzer if you aren't willing to break a few eggs.
When I arrived in Russia, I asked for directions to the nearest, shadiest dayclub, following a tip I'd received from reading spy novels during the entire flight. Thumping electronic beats greeted me as I descended the steps, leaving the daylight to enter a dark, cigarette-reeking club, full of just the illegalest-seeming dudes you've ever seen. You know the type: shaved heads, large fur jackets, carrying huge sacks with dollar signs printed on them. I strode confidently up to the shadiest guy I could see and started asking questions, which is how I found out exactly why we should all be very concerned about LinkedIn getting hacked.
Cracked: What is happening, my man?
Russian: Who are you?
Cracked: I should have started there, shouldn't I? I'm from Cracked. We're essentially the Voice of the West, and I'm doing research on hacking groups in Russia.
Russian: I don't know anything about that.
Cracked: Would a brand new pair of Levis loosen your memory hole?
-I turn around and walk away from him, modeling the single pair of Levis I wore for just this circumstance-
Russian: -long blank look- That is very insulting.
Cracked: You haven't seen me walk toward you yet. That might change your mind.
-It does not-
Russian: I think you should go.
-One of the other Russians whispers into his ear. He listens for a while, a thoughtful look on his face, before nodding. Looking up, he smiles at me-
Rodion: Actually, maybe I can help you with this. Call me Rodion.
Cracked: Fantastic. My name's Bucholz.
Rodion: That's an interesting way you pronounce your name.
Cracked: It is, isn't it?
-Rodion sits down in a booth and gestures for me to join him. As best as I'm able to in my rather-small Levis, I make myself comfortable-
I ended up standing on the table.
Cracked: So. What is the deal with this LinkedIn hacking thing? Are you guys after our resumes or something? Do you really need to know what that one intern we all worked with four years ago is doing now?
Rodion: Well, understand that it's not me personally who did this hacking.
Cracked: You tell your story, and I'll understand what I'm able to.
Rodion: -He snorts in amusement- All right. One reason a person might want to do this is for identity theft.
Cracked: I try not to post my credit card numbers on my LinkedIn profile, thanks. And even if I did, honestly, a hacker could only really improve my credit rating.
Rodion: The problem is more subtle than that. LinkedIn is full of personal information: email addresses, street addresses, friends, important dates. All of that can be used for identity theft. For password recovery, for example; a lot of this info could be the answer to those secret questions.
Cracked: Oh shit. I did put my first pet's name down as a reference on there.
Rodion: Interesting. What was your pet's name?
Cracked: Skeletor. Skeletor the cat. He uh ... he wasn't well. And he was evil, so the name kind of fit thematically as well.
-Rodion nods thoughtfully, while beside him one of the other Russians scribbles something down on his phone-
Cracked: Hey, are you guys reporters, too? Man, what a coincidence.
Cracked: I find it a little hard imagining someone trying to steal my identity. Because being Chris Bucholz is a hard road to walk down.
Rodion: There are other reasons why they did this; identity theft probably isn't even the main one.
Cracked: What's that?
Rodion: Well, by getting a bunch of people's LinkedIn passwords, the hackers may have gotten passwords to a lot of other sites as well. For example, do you use the same password for your email and LinkedIn?
Cracked: Oh ........ derp.
Rodion: So now the hackers could log in to your email.
Cracked: Shiiiit. And I'm right in the middle of a huge cyberstalking/flame war right now with Fred Savage. I would be fucked if any of those hateful, sexy musings got out.
CHRIS WHY HAVE YOU STOPPED CYBERSTALKING ME!?
Rodion: It gets worse. Remember that most password reset functions send the new passwords to your email account. With your email account, hackers could get into almost everything.
Cracked: It sounds like it's about time I should change my passwords.
And maybe come up with something a little more secure than "keyboard."
Rodion: You know what? Let me help you out. This interview here. You're recording it? For your readers? You're just going to print this all up verbatim?
Cracked: Of course. I wouldn't dare paraphrase anything you said; Cracked is synonymous with journalistic ethics. Well, that and "broken."
Rodion: In that case, remind your readers that they can reset their LinkedIn passwords here: http://10.34.255.1/linkedIn/passwordReset.html
Cracked: That is almost impossibly helpful of you. It occurs to me that you seem to know an awful lot about this crime that you didn't commit.
Rodion: A coincidence, I assure you. In my line of work, it helps to have a mindset like these hackers.
Cracked: What's your line of work again?
-Long blank stares-
Cracked: I'm going to retract that question.
Rodion: There is also one other thing you should watch out for called spearphishing.
Cracked: Is this a thing that happens to foreigners in Russian dayclubs? Because again, there is one pair of Levis in it for you if I can avoid finding out what that is.
Rodion: No. Have you ever received one of those emails from a Nigerian prince, asking you for help moving money out of his country?
Cracked: A few. It's a bit of a cliche now, though, isn't it?
Rodion: It is. But what if you got the same offer from a trusted friend?
Cracked: Boy, that would be nice. Unfortunately, Rodion, I'm an incredibly reserved, even isolated person.
Rodion: I'm sorry to hear that.
Cracked: I had a bad experience in a three-legged race as a kid, and since then I've just never been able to open myself up.
Rodion: OK. Well, let's say you did have friends ...
Cracked: I've tried saying exactly that, every morning when I wake up.
"It's going to happen for us today. IF WE CAN JUST STOP FUCKING UP."
Rodion: -Shakes his head- Well, then let's say a hypothetical person has friends.
Cracked: Oh, like a rhetorical trick. OK.
Rodion: Yes. And instead of getting a shady-seeming offer from a Nigerian prince, this person gets an intriguing offer from a friend. Or a former business colleague. Even if it's the same shady offer, it looks a lot more tempting because it comes from a trusted source.
Cracked: Oh, this. Yeah, Michael Swaim once asked me to send him $80,000 under similar circumstances.
Rodion: And did it work?
Cracked: Of course not. I sent $10,000, because, you know, I don't like him that much. And then when I found out the whole thing was a scam, I ended up looking pretty savvy.
Rodion: I've actually been thinking about just how savvy you are.
Cracked: That's another insane coincidence.
Rodion: I wonder ... do you think your readers would be interested in hearing of a foolproof method to avoid being spearphished?
Cracked: I haven't met any of them, but yes, I've kind of gotten the impression that they are supremely gullible. I think they'd be very interested in this.
Rodion: OK. But you'll have to trust me. That's OK, yes? We are friends now?
Cracked: Well, I ... I don't know that we're friends now exactly. But you have been pretty helpful ... Hmm. Do we have to hug? Is that ... is that how friends work?
Rodion: -The longest, blankest stare yet- Sure.
-We share a lovely hug-
Cracked: Thank you.
Rodion: You're welcome. So then. The secret to avoiding spearphishing. This will make your column. You will win all the column awards with this simple trick.
Cracked: I could use some acclaim. So what's the trick?
Rodion: I don't have it with me. It's a special document only hackers know about. But I can buy it for you. All I need is ... $500.
Cracked: I've only got a hundred on me.
Rodion: -He frowns, strokes his chin- One hundred and the Levis then.
Cracked: I was actually valuing the Levis at one hundred.
I'll spare you the details of the rest of the bartering; suffice it to say that my passport turned out to be way more valuable than I had suspected, a fact discovered when it fell out of my pants as I was removing them. The deal done, I was told to return the next day, giving time for Rodion to procure the spearphishing-prevention tips. This process unfortunately got snagged up in a few technical details, the two most technical of those being that Rodion disappeared from the face of the earth like a fucking specter, and the fact that I was arrested shortly thereafter for being in Russia without identification or pants.
Anyways ... if there are any family members, friends or fans of irony out there who are willing to send me $80,000 for various legal and trouser fees, it'd be greatly appreciated.