You might have heard that LinkedIn had its password database breached, and news of it is trickling out today. There are a number of write-ups about it in most of the usual places, and Martin McKeay has a post with links to some of the better ones. The reason I’m writing about this is not to alert you, or that I’m annoyed I have to change another password. Two things really bother me about this.

The first is the eerie similarity between this event and the Gawker password breach I wrote about almost exactly eighteen months ago. Both of these events made news because they were leaks of unsalted password hashes. And, although I didn’t write it in my blog post that day, two of my accounts (other than Gawker) got locked out that day: Google and LinkedIn. In LinkedIn’s case, they detected that an email address associated with my account was part of the Gawker breach, and so they automatically disabled my account. So what is amazing to me is that LinkedIn was so proactive in dealing with Gawker’s password breach on one hand and on the other didn’t even fix their own systems which had the same root problem.

Second, is that ironically you could learn about this problem from Gawker well before LinkedIn bothered to comment. And I just logged in to LinkedIn and there is no notice, no link to the blog posts, no suggestion that I may want to change my password.  They did admit that there are definitely some accounts which are breached and they’re informing holders of affected accounts and disabling their login. What constitutes an affected account? Accounts which have passwords which appear in common rainbow tables (like mine did in the Gawker breach)? Or, all those which had an unsalted hash? Since I don’t know, I’m changing my password anyway.

I’m amazed that LinkedIn could act so boldly in the face of Gawker’s breach, and yet was not able to implement changes to protect themselves from the same type of attack given an eighteen month head start. Shame on you, LinkedIn.