Last week, LinkedIn became the latest social media company to endure a major security breach after hackers stole more than six million of its users’ passwords and posted them on a Russian web forum, inviting other hackers to help decrypt them.
All of the 6.5 million leaked passwords were immediately disabled by the network. In addition, nearly all were encrypted, and although hackers were able to decrypt some, none were available with their associated email logins. So far, LinkedIn has also had no reports of accounts being breached as a result of the attack.
Nevertheless, some commentators have been hard on LinkedIn. Encryption alone is not considered enough, and just two days after the attack approximately 60% of the passwords had been decrypted. LinkedIn has since faced questions as to why the passwords weren’t salted, in line with industry best practices.
The most important loss LinkedIn will face from this is brand and reputational damage. Each LinkedIn user is worth about $70 (£50). If even 1% of users who had their passwords stolen lose faith in the security of LinkedIn and move their social networking elsewhere, that would be a loss of $4.5m. The chance of a lawsuit over a breach like this is remote; very little, if any, private user data was actually at risk. Instead, managing the media’s response and preventing customers from losing faith will be the company’s primary concern.