Questions for LinkedIn

  1. Approximately 6,000,000 password hashes have been released. How many users are you notifying?
  2. When did you begin to use salted hashes for password storage, and how were/are users phased into the new scheme?
  3. From your most recent blog post, it seems possible that not all accounts are using the newest scheme. How many password storage mechanisms are currently in use?
  4. Why was unsalted SHA-1 selected for your prior scheme? Were there architectural constraints that led you to trade security off against convenience or performance?
  5. What precisely is the current password storage method? Upon what basis was it selected (especially if it is not bcrypt, scrypt, or PBKDF2)?
  6. What information, other than the hashes, was exposed in this incident?
  7. Are you confident the extent of the breach (assuming it was from the outside) has been determined?
  8. What was the root cause of the exposure (e.g., SQL injection)?
  9. From various comments, it seems the hashes may be from passwords a few months old. Can you confirm this, and provide an estimated age for the exposed hashes?
  10. When were the hashes obtained? Were they obtained from a live system some time in the past, or were older hashes (e.g., from a system backup) obtained recently?
  11. When, and via what means, did LinkedIn become aware of this exposure?
  12. What follow-up actions, beyond user account locking and notification, are being taken?
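Questions 2, 4 and 5 above turn on the difference between an unsalted SHA-1 hash and a salted, iterated scheme such as PBKDF2, and on how a site phases existing users from the old scheme to the new one. The following Python is an added illustration written for this post; it is not LinkedIn's code and does not claim to reflect their actual implementation. It assumes a simple record format (`pbkdf2_sha256$<iterations>$<salt>$<digest>`), PBKDF2-HMAC-SHA256 as the new scheme, an iteration count of 200,000, and a constructed user table in which two users happen to share a password. It shows why unsalted hashes leak password equality across users, and the usual "migrate on next successful login" approach that answers the phasing question.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real accounts): alice and bob chose the same password.
SAMPLE_PASSWORDS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "battery staple",
}

# Assumed iteration count for the new scheme; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """The legacy scheme: one deterministic hash per password, no salt, one iteration."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_legacy_store(passwords: dict) -> dict:
    """Simulate a user table as it would look under the legacy scheme."""
    return {user: unsalted_sha1(pw) for user, pw in passwords.items()}


def duplicate_hash_groups(store: dict) -> list:
    """Under an unsalted scheme, equal hashes reveal equal passwords without cracking anything."""
    by_hash = {}
    for user, record in store.items():
        if is_legacy(record):
            by_hash.setdefault(record, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)


def make_salted_record(password: str, iterations: int = PBKDF2_ITERATIONS, salt: bytes = None) -> str:
    """The new scheme: per-user random salt plus an iterated PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_record(record: str, password: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy(record: str) -> bool:
    """Legacy records are bare SHA-1 hex; new records carry the '$'-separated scheme prefix."""
    return "$" not in record


def login_and_migrate(store: dict, username: str, password: str) -> bool:
    """Verify against whichever scheme the record uses and, on success, rewrite legacy records.

    This is the standard way to phase users into a new scheme without knowing their
    plaintext passwords ahead of time: the plaintext is only available at login.
    """
    record = store.get(username)
    if record is None:
        return False
    if is_legacy(record):
        ok = hmac.compare_digest(unsalted_sha1(password), record)
        if ok:
            store[username] = make_salted_record(password)
        return ok
    return verify_salted_record(record, password)


def count_schemes(store: dict) -> dict:
    """Answer question 3 for a given table: how many records sit under each scheme."""
    legacy = sum(1 for record in store.values() if is_legacy(record))
    return {"unsalted_sha1": legacy, "pbkdf2_sha256": len(store) - legacy}


if __name__ == "__main__":
    store = build_legacy_store(SAMPLE_PASSWORDS)
    print("duplicate-password groups visible in legacy table:", duplicate_hash_groups(store))
    print("before migration:", count_schemes(store))
    login_and_migrate(store, "alice", "correct horse")
    print("after alice logs in:", count_schemes(store))
    print("alice and bob still share a password, but their records now differ:",
          store["alice"] != store["bob"])
```

The migration only happens on a successful login, so a table can stay mixed for as long as dormant accounts remain, which is exactly the situation question 3 is asking about. Note also that the legacy branch of `login_and_migrate` still has to compute an unsalted SHA-1 for comparison; the point of the migration is that the table stops storing such values, not that the old scheme becomes safe to keep.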