* Experts say breach may be more serious than disclosed
* Dearth of information leaves some customers unhappy
* LinkedIn trades at lofty premium to most tech stocks
By Jim Finkle and Jennifer Saba
June 8 LinkedIn Corp's silence on the
extent of a security breach that exposed millions of user
passwords has damaged its reputation among some business
professionals, and may slow the growing company's rise if the
breach turns out to be more serious than disclosed.
Several days after news of the theft of the passwords
emerged, the site with more than 160 million members still says
it has yet to determine the full extent of the breach.
Some cyber security experts say LinkedIn did not have
adequate protections in place, and warn that the company could
uncover further data losses over coming days as it tries to
figure out what happened.
LinkedIn has hired outside forensics experts to assist as
company engineers and the FBI seek to determine how more than 6
million customer passwords turned up on underground sites
frequented by criminal hackers.
Company spokesman Hani Durzy said LinkedIn has invalidated
the stolen passwords, even though it does not know if any other
account information was stolen besides passwords.
The dearth of information has left some security
professionals and customers worried that LinkedIn's computer
systems may have suffered a more serious breach.
"There is going to be more to come," said Jeffrey Carr,
chief executive of security firm Taia Global. "As long as they
don't know what happened here, there is a good chance that it is
more widespread than originally thought."
Customers whose passwords were among those stolen were still
getting notified by LinkedIn as of Friday afternoon, days after
news of the breach first surfaced.
Laura DiDio, a technology analyst with a consulting firm
known as ITIC, said that was not fast enough.
"I am angry," she said. "As soon as there was an inkling
that there was a breach, they should have been all over this. I
want to know what they are doing to correct this situation."
Some security experts say the company's data security
practices were not as sophisticated as one would typically
expect from a major Internet company.
For example, they noted that LinkedIn does not have a chief
information officer or chief information security officer.
Those are positions that typically supervise technology
operations and computer security at large corporations.
Company spokeswoman Erin O'Hara said the company did not
have managers with those titles, but that its senior vice
president for operations, David Henke, oversees LinkedIn's
Several experts said the company fell down in the way it
hashed, or scrambled, the passwords that were stored in the
Carr of Taia Global said LinkedIn did not follow an industry
standard for password storage, which requires a technique known
as "salting": mixing a random, per-user value into each password
before hashing it, so that identical passwords produce different
stored values and an attacker cannot crack them all with a single
precomputed table. Salting greatly increases the time and
computing power needed to crack a trove of stolen password hashes.
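As an added illustration of the salting point above (this is not part of the original article and not LinkedIn's code; the accounts, passwords and wordlist are constructed), the Python below stores the same three passwords two ways and runs the same dictionary attack against each store. It goes a step beyond the article by also iterating the salted hash with PBKDF2, so that each guess is deliberately slow as well as unamortizable.

```python
"""Added example: unsalted hashes fall to one dictionary pass shared across
all users; salted, iterated hashes force per-user work. Constructed data."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (not real users); two share a weak password.
USERS = {"alice": "linkedin2012", "bob": "Summer!23", "carol": "linkedin2012"}
# Constructed stand-in for an attacker's dictionary.
WORDLIST = ["password", "123456", "linkedin", "linkedin2012", "qwerty"]


def hash_unsalted(password: str) -> str:
    """Weak scheme: a bare, fast hash. Every user who picks the same password
    gets the same digest, so one lookup table covers the whole store."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Record format is
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex> (our own layout)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_unsalted(store: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker vs. unsalted store: hash the wordlist ONCE into a lookup table,
    then crack every user by lookup. Returns (cracked, hash computations)."""
    table = {hash_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(store: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker vs. salted store: salts differ per user, so nothing can be
    shared; every (user, guess) pair costs a full PBKDF2 computation."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, record in store.items():
        for guess in wordlist:
            work += 1
            if verify_salted(guess, record):
                cracked[user] = guess
                break
    return cracked, work


def demo(iterations: int = 10_000) -> dict:
    """Run both attacks on the constructed accounts. The iteration count is
    lowered here so the example runs in a moment; keep the 600_000 default
    (or higher) for real credential storage."""
    unsalted_store = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted_store = {u: hash_salted(p, iterations=iterations) for u, p in USERS.items()}
    u_cracked, u_work = crack_unsalted(unsalted_store, WORDLIST)
    s_cracked, s_work = crack_salted(salted_store, WORDLIST)
    return {
        "unsalted_identical": unsalted_store["alice"] == unsalted_store["carol"],
        "salted_identical": salted_store["alice"] == salted_store["carol"],
        "unsalted_cracked": u_cracked, "unsalted_work": u_work,
        "salted_cracked": s_cracked, "salted_work": s_work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to notice in the output. First, alice and carol get the same unsalted digest, so the attacker's five precomputed hashes crack both at once; with salts the same two accounts still fall, because "linkedin2012" is in the wordlist, but only after separate PBKDF2 runs for each user (13 computations instead of 5, each one thousands of times slower than a bare SHA-1). Salting removes the attacker's ability to amortize; the slow KDF raises the price of every guess; neither rescues a password that is itself in the dictionary.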
There could be legal repercussions for that failure to
comply with industry standards, said Gerald Ferguson, an
attorney at Baker Hostetler who is an expert on privacy and
intellectual property law.
He said that LinkedIn could face lawsuits if accounts had
standard for security.
"If they can demonstrate that information hadn't been
compromised, that would certainly give them a defense," Ferguson
Company representatives declined to respond to the criticism
of their techniques for protecting passwords or any potential
Their user statement spells out the steps it will take to
protect customer data and the risks customers face.
"Personal information you provide will be secured in
accordance with industry standards and technology," according to
"Since the Internet is not a 100 percent secure environment,
we cannot ensure or warrant the security of any information you
transmit to LinkedIn," it cautions. "There is no guarantee that
information may not be accessed, copied, disclosed, altered, or
destroyed by breach of any of our physical, technical, or
LinkedIn is a natural target for data thieves because the
site stores valuable information about millions of
professionals, including well-known business leaders.
"This is the serious social networking site. This isn't the
one I got to see pictures of my friend's new dog," said Mary
Hildebrand, chair of the privacy practice area at the law firm
The way that the company responds to the theft will play a
critical role in determining the extent to which the incident
damages LinkedIn's reputation, experts said.
"LinkedIn has always claimed part of their strategy is
making a better user experience," said Jim Janesky, director of
research at Avondale Partners.
"If this were to compromise that in LinkedIn's users' minds, it
could slow down the growth of new users or limit individuals as
Hemanshu Nigam, chief executive of security consulting firm
SSP Blue, said he advised all LinkedIn members to immediately
change their passwords after he heard news of the breach.
"I don't know how many emails I got from customers saying
'Thank you for telling me to change my password. I'm kind of
freaked out now,'" he said.
"Companies like this survive because of their reputation,"
added Nigam, who previously worked as a security executive at
Microsoft Corp and News Corp. "People need to
make a decision: 'Can I trust them with my data or not?'"
LinkedIn shares rose 2.6 percent to $96.26 on Friday. While
the breach has not appeared to hurt the stock to date, investors
are likely closely watching the matter because the stock carries
one of the loftiest valuations in the technology sector.
LinkedIn made a monster public debut in May 2011 and is
still trading at more than double its IPO price of $45.
The shares are trading at nearly 80 times projected 2013
earnings. Google trades for about 12 times next year's earnings
Rob D'Ovidio, associate professor of criminal justice at
Drexel University, said it is fair to criticize LinkedIn for the
"There is a social responsibility that they have in today's
day and age to use the best available security measures," he
said. "I am of the personal belief to hold companies liable for
these types of breaches."