Privacy may be a joke to companies, but it's no laughing matter to the rest of us

Millions of leaked LinkedIn and eHarmony passwords, sensitive customer data stolen via P2P -- can't anybody do this right?

The next time you hear a company say, "We take your privacy very seriously," try to stifle that guffaw that wants to escape from your belly. I know it will be hard, because between Facebook's prying and Google's spying, it doesn't seem like any large organization gives a damn about your personal privacy.

This week brings us several examples of corporations treating their customers' personal information like confetti at a ticker tape parade.


A few days ago some 6.5 million LinkedIn passwords were stolen and put on display on a Russian hacker forum, along with another 1.5 million for the eHarmony dating service and an unknown number from music sharing network Last.fm.

These stolen passwords had at least two things in common: They were protected using an MD5 hash, and not very well (obviously). In all of these cases, the sites failed to "salt" the hash by mixing a random value into each password before hashing it, which leaves the stored hashes far more susceptible to a brute-force attack. In a brute-force attack, crackers hash candidate passwords one after another and compare each result against the stolen hashes until a match is found; without a salt, one precomputed table of hashes works against every account in the dump at once. So far, more than half of the LinkedIn hashes have been cracked. Nice.
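To make the unsalted-MD5 problem concrete, here is an added example (mine, not code from the column or from any of the sites named in it). It stores the same weak password for two users first the way the column describes, with plain MD5, and then with a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library). The candidate password list, the user names and the iteration count are constructed for the demo. The example goes one step beyond the column: besides showing that a salt defeats a precomputed lookup table, it shows that the iteration count is what makes each individual guess expensive, which is the other half of what a modern password store needs.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed candidate list for the demo; a real lookup table would hold
# millions of common passwords, but the mechanism is identical.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]


def md5_unsalted(password: str) -> str:
    """The weak scheme the column describes: plain MD5, no salt, one round."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute hash -> password once. Because nothing per-user is mixed in,
    this single table can be checked against every hash in an unsalted dump."""
    return {md5_unsalted(p): p for p in candidates}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Instant match if the password was in the precomputed table."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted, iterated hash. Stored as 'salthex$iterations$dkhex' so the
    verifier can recover the parameters; the salt is random per password."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Two users (constructed) who picked the same weak password."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted: identical passwords give identical hashes, and the table
    # built before the breach answers both with a single dictionary lookup.
    alice_md5 = md5_unsalted("linkedin")
    bob_md5 = md5_unsalted("linkedin")

    # Salted: the same password yields two unrelated strings, the table is
    # useless, and each guess costs `iterations` rounds of HMAC-SHA256.
    alice_pbkdf2 = hash_salted("linkedin")
    bob_pbkdf2 = hash_salted("linkedin")

    return {
        "unsalted_hashes_identical": alice_md5 == bob_md5,
        "unsalted_found_in_table": lookup_unsalted(alice_md5, table),
        "salted_hashes_identical": alice_pbkdf2 == bob_pbkdf2,
        "salted_found_in_table": lookup_unsalted(alice_pbkdf2, table),
        "salted_verifies_correct_password": verify_salted("linkedin", alice_pbkdf2),
        "salted_rejects_wrong_password": verify_salted("linkedin1", bob_pbkdf2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is what makes the "one table cracks everybody" shortcut disappear: every stored hash has to be attacked separately. The iteration count is a separate knob, and it is the one that decides how many guesses per second an attacker gets against any single hash; plain MD5 has no such knob at all. In production you would reach for bcrypt, scrypt or Argon2 rather than hand-rolling PBKDF2, but the two properties shown here are the ones that matter.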

What's at stake here? Just your professional reputation and your love life (not to mention your secret fondness for the Bay City Rollers). No big deal, right?

The most straightforward solution is to change your password for these sites. But be careful how you go about it. Almost immediately after news of the hack went public, phisher spammers started taking advantage of the LinkedIn breach by sending out fake emails urging people to reset their passwords, then redirecting them to scam websites where their new passwords would be captured and used to steal their identities.

The other big takeaway: If you used the same password on LinkedIn or eHarmony as you did on other sites, you have to change those too, because they are probably in the hackers' hands as well. Sorry, Charlie.

And if you think all that was pretty stupid, get a load of this. Yesterday, the FTC announced it would sanction two businesses for leaking sensitive customer data via P2P networks.
