

LinkedIn forcing password resets due to Gawker hack - moses1400
http://www.centernetworks.com/linkedin-forcing-all-passwords-to-change

======
watty
I was not impressed by this. It would have been nice of LinkedIn to include a
more specific reason for requiring a password reset other than "We have
recently disabled your account for security reasons.". I was in panic mode
this morning thinking that someone had gotten into my LinkedIn account (and
email) and triggered my account to be locked.

~~~
tptacek
They were under absolutely no obligation to do this. Anyone could predict that
some subset of their users would get pissy about it. They did it anyways
because it was the right thing to do. My esteem for LinkedIn just grew by
leaps.

~~~
watty
I wasn't pissy about them resetting my password, I was scared that my LinkedIn
account and who knows what else had been compromised in relation to the Gawker
incident.

It was a good move by LinkedIn to force a password reset. It would have been a
GREAT move if they had told me it was precautionary instead of me having to
guess why my account was locked.

~~~
tptacek
Understand that all parties involved here were under time pressure. They
incurred a small amount of angst amongst their users, but may have averted a
very large amount of pain. They made the right call; they acted fast rather
than getting the messaging exactly right.

------
thenduks
The most interesting thing about this to me is that they're obviously only
emailing people whose emails were in the gawker data. E.g. I didn't receive one
of these because I don't have a gawker account. Very cool.

~~~
sbhat7
This would also mean they downloaded the copy of gawker's hacked database,
which is probably why they didn't provide more details.

~~~
thenduks
Definitely a possibility. There are some alternatives now though, like the
list[1] of MD5'd emails that has been circulating that you can use to check
against. That's how I confirmed that I wasn't in there, personally.

[1]: <http://www.google.com/fusiontables/DataSource?dsrcid=350662>

------
user24
I was really impressed about this. I changed most of my other passwords but
forgot about LinkedIn. I think it's really responsible of them to proactively
take the initiative on this.

------
gmurphy
Unfortunately for happiness, they reset my password after I'd already done so
myself.

~~~
tallanvor
Same here. I had taken this as an opportunity to change a bunch of passwords
even though they weren't the same as the one I used on Gawker.

------
vladocar
Yesterday I had to change my GMail & Twitter password, today I got mail from
LinkedIn to change my password. What is going on!?

Update: If your md5(email) is on this list
<http://www.google.com/fusiontables/DataSource?dsrcid=350662> Google, Twitter,
LinkedIn and probably other sites will ask you to change (reset) your password.

That happened to me.
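The check thenduks and vladocar describe (hash your own address and look it up in the circulated MD5 list) and the matching LinkedIn evidently ran against its user table, including former addresses, as an added example that is not from the article or from any commenter. The hash list, the lowercase/trim normalization rule and the account records are all constructed assumptions here.

```python
import hashlib

# Constructed stand-in for the circulated list of MD5'd Gawker emails;
# the real list is not reproduced here.
LEAKED_EMAIL_MD5 = {
    hashlib.md5(b"alice@example.com").hexdigest(),
    hashlib.md5(b"bob@example.org").hexdigest(),
    hashlib.md5(b"carol@example.net").hexdigest(),
}


def normalize_email(email):
    # Both sides must normalize identically or a hash lookup silently misses.
    # Lowercase + trim is an assumption; the list's own rule is not documented.
    return email.strip().lower()


def email_md5(email):
    return hashlib.md5(normalize_email(email).encode("utf-8")).hexdigest()


def in_leaked_list(email, leaked_hashes=LEAKED_EMAIL_MD5):
    # The self-check a user runs: am I on the list?
    return email_md5(email) in leaked_hashes


def accounts_to_reset(accounts, leaked_hashes=LEAKED_EMAIL_MD5):
    """The site-side pass: accounts is a list of (user_id, [emails]) records,
    current address first, previously registered addresses after it.
    Returns {user_id: matching_email} for accounts that should be reset;
    checking old addresses is what whakojacko's report implies LinkedIn did."""
    hits = {}
    for user_id, emails in accounts:
        for addr in emails:
            if email_md5(addr) in leaked_hashes:
                hits[user_id] = normalize_email(addr)
                break  # one match is enough to force a reset
    return hits


if __name__ == "__main__":
    # Constructed sample user table.
    sample = [
        ("u1", ["alice@example.com"]),
        ("u2", ["new@example.com", "bob@example.org"]),  # matches on old address
        ("u3", ["dave@example.com"]),
    ]
    print(in_leaked_list("Alice@Example.com"))
    print(accounts_to_reset(sample))
```

A plain hash of a guessable identifier like an email is not a privacy control: anyone holding a candidate address can compute the same MD5 and test membership, which is exactly why the list works as a lookup.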

------
whakojacko
Interestingly enough, my _former_ LinkedIn email was on the Gawker list but my
current email with them (to which they sent the alert) was not. Guess that
means they are holding on to all previous email accounts?

~~~
gregschlom
Yes they are, and they are even keeping track of which of those email accounts
are bouncing back.

See:
[https://www.linkedin.com/secure/settings?emadd=&goback=....](https://www.linkedin.com/secure/settings?emadd=&goback=.aas)

~~~
whakojacko
But I went even further, deleting my old email address from that list several
months ago. That page only shows my (current) email, which was not on the
Gawker list. LinkedIn seems to be keeping around the old email addresses, even
after you delete them.

------
clark
LinkedIn is one of the sites that limit the length of your password and what
it can maintain. I've emailed their staff many times, and they simply respond
that those are the password restrictions.

~~~
nodata
Did the staff respond with _why_ those are the password restrictions?

------
dlnovell
Is LinkedIn completely down for anyone else? The site's been devolving all
afternoon for me. First it said there was a problem and they'd redirect to the
homepage in a few minutes. Then there was a LinkedIn-branded Sun ONE Web
Server landing page that just had features of ONE for the last hour or so. I
just checked back and now it's a totally stock landing page without the
linkedin logo. Something seems to be seriously FUBAR today.

------
brunoqc
Blizzard did it too for the battle.net thing.

~~~
rufo
Yes, as well as an explanatory note so you knew exactly what was going on -
while I appreciate the sentiment, I wish LinkedIn would've done the same.

------
jamesjyu
And now it seems like they are down, just after I reset my password:
[http://img.skitch.com/20101214-jk1wagxdf1kn4af4eq9tw2s4na.jp...](http://img.skitch.com/20101214-jk1wagxdf1kn4af4eq9tw2s4na.jpg)

Something about this makes me feel nervous..

~~~
gkelly
I'm not getting any outage messages, but when I submit the new password form,
I get "An unexpected error has occurred." And my new password doesn't work, so
I'm still locked out.

------
forkqueue
And no doubt the phishers are already cooking up emails to this effect too...

~~~
joezydeco
Got an email from mint.com long after I closed that account, asking me to
verify a bank connection that wasn't working.

Headers look legit, but man things like these are going to bite people _hard_.

------
siddhant
Looks the same to me. Is it only for the premium accounts?

~~~
ojbyrne
As people have mentioned above, it seems to have only been for people whose
emails were in the gawker dump.

------
cookiecaper
I think it's a little silly to force this site-wide. In my experience, most
people don't make accounts to comment on tech blogs, and those that do are
probably already privy to the need to change a password when a big database
of passwords containing or potentially containing your password is released.

I think it is weird for big companies to act like this has such far-reaching
effects; 1.5 million users is not that many in the overall scheme of things,
and how many of your users intersect? Apparently LinkedIn thinks that most
business people who read that a LinkedIn account would make employers think
you were smart and cool also had an account with the same credentials at
Gawker.

~~~
tptacek
Huh? They have a list of email addresses for which passwords were disclosed.
If your email address was on the list and you held a LinkedIn account, they
zeroed out your password and made you reset it. They didn't reset _everyone's_
account, did they?

~~~
cookiecaper
My understanding was that they had reset everyone's account. I don't think it
was defined or not in the article. If they haven't reset everyone's account,
disregard my comment, sorry for the misunderstanding. :)

~~~
thenduks
Mine was definitely not reset, and I don't have a gawker account. My wife's
account was also not affected (and likewise, she has no gawker account).

Considering the availability of the list of email addresses it would be pretty
silly to force a reset for everyone.

