In a defensive blog post, LinkedIN stressed that its “world-class security experts” have been “working around the clock” on the breach.
LinkedIn said that once it determined on June 6 that LinkedIn passwords had been stolen, it immediately disabled the passwords that had been decoded and published on the internet. The next day, LinkedIn disabled all passwords that had been published that the company believed crated risk for users.
The company stressed that there had been no reports of compromised LinkedIn accounts as a result of the password theft and that it continues to work with law enforcement on investigating the breach.
LinkedIn said that it has completed a “long-planned” transition from a database system of password hashes to one of passwords containing both hashes and salts, which provide an added layer of security. This transition apparently was accelerated by the breach of 6.5 million unsalted password hashes.
Responding to criticism that LinkedIn does not have a chief security officer or chief information security officer, the company said that its security czar, Ganesh Krishnan, is the de facto CISO and reports to David Henke, senior vice president of operations.
“Some corporate governance experts recommend that corporations officially name Chief Information Officers and Chief Information Security Officers. LinkedIn historically has limited C-level titles only to its Chief Executive Officer and Chief Financial Officer, so while Krishnan does not formally have the title of Chief Information Security Officer, that is the role he has played at the company since his hiring in 2010”, LinkedIn explained.