I am a pretty regular LinkedIn user, so the news that some unspecified number of LinkedIn users had their passwords compromised was of some interest to me.
Here’s what a recent post on their blog says:
“We want to provide you with an update on this morningâs reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts….” (from LinkedIn Blog)
Not that I would be all that harmed if someone hacks my LinkedIn account, but still, it does affect me. So far I have not seen an email from LinkedIn telling me that my own account is in trouble.
But, the thing that mystifies me is that they make it sound like user passwords are stored in the clear on their systems. Isn’t it elementary that one does not store passwords in clear text on any server? I won’t even give any links to back up this point as it is practically in Chapter one of any web development book.
So, either LinkedIn knowingly violated a totally elementary security best practice and stores passwords in clear text. In my opinion this is very unlikely.
Or, the news reports were purposely misleading because what actually happened would give away something that they don’t want to give away.
What could that be, I wonder?