My LinkedIn password was stolen in the mass leak. Here's how to find out if yours was too

UPDATE 11.30am: LinkedIn - the business networking and job seeking site used by 500,000 New Zealanders - has pledged to email those with compromised accounts after 6.5 million passwords were stolen.

Although millions of passwords were nicked, it seems only around 300,000 have been posted online as plain text.

My account is still functional (LinkedIn says it has suspended passwords on compromised accounts). 

Still, if I was one of the 6.5 milllion (and bad news, I am, keep reading) then I would expect an email from LinkedIn. I'm still waiting.

I found out because I was watching online as a couple of local tech gurus wailed about their LinkedIn passwords being compromised.

First ex-Microsoft CTO turned consultant Brett Roberts, then NetSafe chairman and IP lawyer Rick Shera (ironically, one of those I talked to about mandatory data breaches for the Privacy Act update story - see link below). 

Brett found out his password had leaked (but not cracked) by hitting LeakedIn.org; Rick through hitting LastPass.com/linkedin.

Both sites led you type in your password to see if it was among the 6.5 million leaked. LeakedIn also tells you if it was one of the 300,000 that were subsequently cracked (or guessed) by the hackers (mine wasn't).

I don't know the province of LeakedIn, but Lastpass is a reputable password vault.

The best course of action: if you use LinkedIn, don't wait for an email (or for the hackers to maybe eventually crack your password). Just change it now. Start at LinkedIn.com/settings

And remember, if you've been lazy (guilty) and used the same logon for online banking, Trade Me or other site ... you've got to change it there too.

UPDATE 9am: LinkedIn has now confirmed that some members' passwords were stolen by hackers. It has not said how many were affected.

In a post, the company says affected accounts' passwords have been suspended.

Members with compromised accounts will shortly receive an email from LinkedIn with instructions on resetting their passwords. 

Perhaps mindful that the mass reset poses an opportunity for hackers to "phish" (send emails posing as genuine LinkedIn reset messages), LinkedIn also warns: "There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email."

Through a post on one of its blogs, LinkedIn is warning its members about password best-practices - though stopping just short of telling people to change their passwords.

The alert follows news reports - still to be confirmed by LinkedIn - that Russian hackers have put details of 6.5 million hashed passwords up for sale (to put that in context, the business network says it has 500,000 member in New Zealand and 150 million worldwide).

Anecdotal evidence indicates 300,000 of the stolen passwords are now online as clear text

LinkedIn spying on its own members?
Meanwhile, LinkedIn has responded to an allegation by a (hitherto little-known) outfit called Skycure Security, which says the business network is spying on its own members.

Skycure said the calendar feature in LinkedIn's iOS (iPhone, iPad) app not only sends details of basic meeting time-and-place details to LinkedIn servers, but also a copy of any meeting notes you make.

LinkedIn replied that the information is sent securely, on an opt-in basis, and that "we do not share or use your calendar data for purposes other than matching it with relevant LinkedIn profiles". Hmn. My italics. 

Nevertheless, LinkedIn today said it would stop collecting meeting notes, and add a link that would better explain its privacy policy. Good stuff.

The password dilemma
In its post addressing the possible password hack, LinkedIn has a series of tips to follow when changing your password 

They are worth following. The more complicated you make things, the harder life is for hackers trying to guess your password (though I often think - surely hackers, and their automated software, have long ago clocked to the fact some people substitute a "3" for an "E" and a "0" for a "O" and so on).

And a number of sites commenting on the LinkedIn breach have recommended that people use a password vault - an online service that lets you keep a list of all your logons in one secure place.

Granted, it is difficult to remember a different, complicated password for every site you access.

But if you're organised enough to arrange a password vault, you're probably following good security practices anyway - and there's still that one point of weakness in that the vault itself requires a password.

And the general problem that most sites let you reset your password as long as you've gained access to an email account tied to your account.

I don't know the perfect solution. But during a long lunch with a security vendor, I was surprised to learn one of its security experts simply kept a hardcopy list of his passwords in his wallet. If his wallet got lost, he would know to change them. 

Mandatory disclosure
As a LinkedIn member, I would have appreciated an email from the company alerting to the possible breach rather than just posting a company blog (which some people will find through media reports name-checking it, and others won't. LinkedIn has also alerted people through its Twitter account, followed by 171,000, and stories about the hack have appeared on its news story feed).

The Law Commission recommended that the update of our Privacy Act, due later this year, including a provision to make it mandatory to inform customers about a data breach (yup ACC, that includes you).

Justice Minister Judith Collins has indicated that mandatory reporting will be included in the new legislation.

That's good - but it will also be interesting to see how the new law proposes to deal with services, like LinkedIn, Twitter and Facebook, that operate internationally.