LinkedIn shows technical savvy, deactivates Gawker-compromised accounts
It looks like at least one security team has its finger on the pulse: LinkedIn, after hearing about the Gawker Media hack, obtained the leaked database of email addresses and cross-checked it against every LinkedIn member. Where a match was found, the account was immediately deactivated and an email was sent to the user forcing them to change their password.

Judging by a thread over at Hacker News, other tech-savvy companies may be following a similar process, including Blizzard, the operator of World of Warcraft.
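The cross-check the post describes, written out as an added example; this is not LinkedIn's code and is not from the original post. It assumes the leaked dump is exported as "email,plaintext" rows (the plaintext column may be empty) and that the site stores its own passwords as salted PBKDF2-HMAC-SHA256; both the record layout and the sample rows are constructed. It goes one step beyond the pure email match in the post: where the dump carries a recoverable password, it checks that password against the member's own hash, so confirmed reuse forces a reset while a member who used a different password only gets a warning.

```python
"""Cross-check a leaked credential dump against a site's own member list.

Added example, not code from LinkedIn, Gawker or the original post.
Assumed (not stated on the page): dump rows are "email,plaintext" with the
plaintext possibly empty; the site hashes passwords with salted
PBKDF2-HMAC-SHA256. All sample records below are constructed.
"""
from __future__ import annotations

import csv
import hashlib
import hmac
import io
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the site's own hashes


def normalize_email(addr: str) -> str:
    """Match case-insensitively: the same mailbox is often cased differently
    in two databases ("Bob.Smith@Example.com" vs "bob.smith@example.com")."""
    return addr.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def password_matches(candidate: str, salt: bytes, stored: bytes) -> bool:
    # constant-time comparison so a verifier cannot leak match position via timing
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def parse_dump(text: str) -> dict[str, str | None]:
    """email -> leaked plaintext, or None when the dump gives no usable password."""
    leaked: dict[str, str | None] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        plaintext = row[1] if len(row) > 1 and row[1] else None
        leaked[normalize_email(row[0])] = plaintext
    return leaked


@dataclass
class Member:
    email: str
    salt: bytes
    pwd_hash: bytes


def make_member(email: str, password: str) -> Member:
    salt = os.urandom(16)
    return Member(email, salt, hash_password(password, salt))


def triage(dump_text: str, members: list[Member]) -> dict[str, str]:
    """Per member: 'reset-reused', 'reset-unverified', 'notify', or no entry.

    A blanket email match (what the post describes) resets every overlapping
    account. When the dump carries a recoverable plaintext we can check it
    against the member's own hash and spare people who did not reuse it."""
    leaked = parse_dump(dump_text)
    actions: dict[str, str] = {}
    for m in members:
        email = normalize_email(m.email)
        if email not in leaked:
            continue
        plaintext = leaked[email]
        if plaintext is None:
            actions[email] = "reset-unverified"  # cannot rule out reuse
        elif password_matches(plaintext, m.salt, m.pwd_hash):
            actions[email] = "reset-reused"      # confirmed same password
        else:
            actions[email] = "notify"            # different password; warn only
    return actions


# Constructed sample data, not real records from any breach.
SAMPLE_DUMP = """alice@example.com,gawk3r
Bob.Smith@Example.com,hunter2
carol@example.org,
"""

SAMPLE_MEMBERS = [
    make_member("alice@example.com", "gawk3r"),       # reused the leaked password
    make_member("bob.smith@example.com", "unique!"),  # different password here
    make_member("carol@example.org", "whatever"),     # dump has no plaintext for her
    make_member("dave@example.net", "notinvolved"),   # not in the dump at all
]

if __name__ == "__main__":
    for email, action in triage(SAMPLE_DUMP, SAMPLE_MEMBERS).items():
        print(f"{email}: {action}")
```

The email normalisation matters in practice: a dump and a member table exported from different systems rarely agree on case, and a naive exact-string join silently misses those accounts.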
Comments
David Gilling, Dec 15th 2010 9:02AM
OK we get it! Gawker sucks because they don't care about security! Now stop making every single article remind us of it!!!
Lifehacker is 1000 times better than DL squad anyway, so stop being such a**-holes!
Sebastian Anthony, Dec 15th 2010 9:21AM
@David Gilling Hey, we are huge fans of Lifehacker! This has nothing to do with the _quality_ of the Gawker sites.
Michael Rose, Dec 15th 2010 8:57AM
It may have shown technical savvy, but not so much on the user communication side. The account suspension emails did not include any reference to the Gawker breach, so many of us were left to wonder aloud what had happened.
This was also a bit of an overreaction, since there is no indication the accounts were actually at risk of being compromised unless folks used the same password for LinkedIn -- which, granted, some of them may have done.
Sebastian Anthony, Dec 15th 2010 9:19AM
@Michael Rose Oh, they didn't mention why they had been deactivated? That's a little off-putting, then :)
I think deactivation was probably the best resolution -- at least, I can't think of a better way to handle it.
Ian Hendry, Dec 16th 2010 8:13AM
@Michael Rose Agreed Michael. Accounts that were NOT compromised still had their passwords disabled without explanation -- mine included. When an email did come round, it was sent from the domain rnmk.com but LinkedIn-branded, so it looked like a phishing attack. This wasn't tech savvy, it was customer ignorant. More on our blog at http://bit.ly/dX2Yif.
Akbar, Dec 15th 2010 9:44AM
I feel like this whole thing was handled pretty well by all three companies mentioned in the post -- I got an e-mail from Gawker telling me of the breach, followed by e-mails from Blizzard and LinkedIn. Blizzard's was easily the best, as they sent me two e-mails -- one read as a very standard password reset request e-mail, the other was a special e-mail letting users know they'd reset their passwords due to the Gawker breach. While LinkedIn's e-mail did not mention the Gawker breach (they sent one out later in the day that did), they did a good job of not putting any links in the e-mail, so I knew it wasn't a phishing attempt and I took it very seriously.
Personally, I thought it was well above and beyond for those two companies to look after me because I used the same e-mail address in both places (and to be honest, I believe I had the same password for at least one service along with Gawker -- I don't any more).
I'm also really, really confused by all the Lifehacker v. DS stuff going on in the comments here -- I never saw them as competing blogs, you guys cover different topics (with some natural overlap).
Sebastian Anthony, Dec 15th 2010 9:43AM
@Akbar I actually got an email from Gawker, but didn't find my name in the list -- so I guess I got lucky, or something like that!
Ignore that guy's comment about Lifehacker vs. DS. As far as I know, we have a very good relationship. We cover a lot of their great finds, and vice-versa :)
xxdesmus, Dec 15th 2010 10:12AM
I actually found this ridiculously annoying for them to automatically do "on my behalf". Facebook did the same thing by the way -- also incredibly irritating.
Sebastian Anthony, Dec 15th 2010 10:15AM
@xxdesmus Woah, Facebook too? That must've been quite a few disabled accounts...
I can imagine it's annoying -- but what other alternatives are there?
The idea of 1.5 million compromised Facebook accounts is terrifying for all concerned :)
Brian Carnell, Dec 15th 2010 10:53AM
LinkedIn wasn't savvy, it was stupid. So was Blizzard. Just because I had an account with Gawker and LinkedIn didn't mean I used the same passwords for both.
But the big problem with those emails was encouraging people to click on links in the email to go manage their accounts. Seriously? And Blizz wonders why its customers are so frequently hacked.
Nakul Sharma, Dec 15th 2010 10:53AM
My email was in the database and Yahoo deactivated my account without telling me, and I found out after my emails were not being sent by SMTP (which I still can't do even after reactivating the account).
Varun, Dec 15th 2010 3:27PM
This sounds like an incredibly stupid idea. I really hope that they checked if the password hashes matched too, otherwise they've just pissed off a lot of people - which is exactly the wrong thing to do if you're a tiny (and shrinking) network like LinkedIn.
jj, Dec 15th 2010 3:47PM
I actually got my LinkedIn notification BEFORE my Gawker one, oddly enough. Although the process sounds rash, and is very annoying for the users, I'd rather have my account deactivated with a notification sent to them than to have someone using my professional network account to advertise berries.