LinkedIn and eHarmony: a lesson in online identity via email

finger printLate last year I wrote about how important an email address is, and suggested that your email address is really part of your identity. That post seems more relevant today than when I wrote it, as this week we learn that both LinkedIn and eHarmony have had user credentials stolen.

LinkedIn confirmed that some of the passwords stolen do correspond to their users accounts, but that those passwords have since been disabled. Yesterday eHarmony confirmed a similar problem, on their blog. We can assume that for every stolen password the attacker has the corresponding email address, so is able to cross reference user details against cracked passwords. LinkedIn estimated that around 60% of the stolen passwords had already been cracked; this isn’t a surprise given what we know about the commonality and simplicity of users passwords, and the tools available to attackers such as Rainbow Tables.

LinkedIn’s disabling of users’ passwords is a good first step, but the password is only half the problem. Given that the majority of these services require users to login with, or at least register, an email address it is likely that the users credentials could well be valid across a variety of social media sites. I have today seen first-hand proof of this quite close to home, as no sooner had news broken of the LinkedIn hack than one of my colleagues received an alert from Facebook telling them someone had logged in from a new location and device; same email address and of course same password on both sites.

The problem highlighted here, and one that many of us are guilty of, is sharing passwords with many accounts, whilst the common factor is always the email address. Using a different email address for all your digital and social identities is impractical, using the same email address and password is simply convenient but lacks security; we trust our online service providers to keep our identity secure. But we’re learning the hard way that sharing passwords is and has always been a bad idea. Unfortunately RSA Security, Epsilon and HB Gary also found this out a little too late.

Mimecast’s own research released this week tells us that IT departments are worried about the risk presented by social media; fully 59% of IT teams we spoke to believed that social media usage at work increased the risk of corporate information leaks. It would seem that the users’ convenience is also a significant contributory factor to that risk. I would bet that some LinkedIn users probably login with their work email address and favourite password; I shudder to think what other online corporate services that email address might gain access to.

The lesson we should take away from the LinkedIn and eHarmony breach is twofold; we must learn that our email address is now a vital part of our identity and we should consider how it ties us to so many of our online services. Secondly there is a delicate balance between convenience and security. Sharing credentials between online identities means if you lose one you could lose them all. There are a number of tools that will let you generate and store complex passwords locally, then auto submit those passwords as login credentials to websites; whilst that might seem onerous the risk of compromise of all your online identities is small. IT Managers should also take this opportunity to educate their users on the benefits of good password discipline, password complexity and rotation.

Protecting your online identity is a 21st Century problem that one needs to take care of, convenience and laziness are your own worst enemy.