The LinkedIn Hack and Your SaaS Application Security

June 7th, 2012 / Smarter Identity

I didn’t have long to wait for some good fodder for my first blog post here at OneLogin. My first day was yesterday, the same day that LinkedIn confirmed reports that it had been hacked. Sources around the web are claiming that the credentials of up to 6.5 million users have been compromised; the list was first posted to a Russian hacker forum. LinkedIn still hasn’t given a specific number, but admitted in a blog post that “some of the passwords that were compromised correspond to LinkedIn accounts.”

Inevitable Security Breaches

The attack comes at a time when massive breaches have become inevitable and people continue to use weak passwords. Did you read VentureBeat staff writer Sean Ludwig’s article last week about the world’s largest ever password study? I didn’t read the study itself. I didn’t have to; Sean’s title said it all: “We are all idiots.”

Giants like Sony, Global Payments, eHarmony and others have all recently been hacked, resulting in the loss of sensitive user information. Combine this with the fact that most people use easy-to-hack passwords, and you’ve got a recipe for disaster. Why? Because the same usernames and passwords that hackers glean from social web apps can be reused directly, or used to infer your passwords, on shopping sites, bank accounts and SaaS applications.

What can you do as a responsible user of consumer and business cloud applications?

  1. Change your password on LinkedIn and keep reading for more ways to secure your sensitive personal and business data.

  2. If you’re using passwords similar to your LinkedIn password across other consumer and business apps, then change those to distinct passwords.

    Need help coming up with strong passwords? You can use OneLogin’s password generator or read this guide to strong passwords.

    If you stop here, then you’re doing more than 79% of all internet users according to this ZoneAlarm Survey.

  3. Use a second, strong authentication factor beyond username and password. Free, strong authentication factors like OneLogin’s Mobile One Time Password App provide a unique password that expires after just one use, so a code captured in a breach or over the shoulder cannot be replayed.

  4. Businesses looking to further protect sensitive SaaS application data might consider other factors of authentication and user provisioning, including Microsoft Active Directory Integration to SaaS applications, as well as strong authentication solutions from Yubico, RSA, Symantec and VASCO.

Still not secure enough for you?

The Gold Standard for signing into cloud applications is SAML. Why? It completely eliminates all passwords and instead uses digital signatures to establish trust between the identity provider and the application. Many SaaS vendors already support SAML, and you can SAML-enable your internal web apps in as little as 2 hours using one of OneLogin’s open source SAML Toolkits. SAML-enabling your app using other vendors can cost hundreds of thousands a year in fees, but the toolkits are free to you as part of the OneLogin community.
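To make the “digital signatures instead of passwords” idea concrete, here is an added example (not OneLogin’s toolkit and not real SAML, which carries an enveloped XML-DSig signature over an XML assertion): a deliberately simplified model in Go of what the identity provider signs and what the application must check before trusting it. The field names, the JSON encoding and the `ServiceProvider` type are assumptions for illustration; the checks themselves (signature, audience, expiry, one-time assertion ID) are the ones a SAML service provider performs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion (hypothetical layout).
type Assertion struct {
	ID           string    `json:"id"`       // unique per assertion, used for replay detection
	Issuer       string    `json:"issuer"`   // identity provider entity ID
	Subject      string    `json:"subject"`  // the authenticated user
	Audience     string    `json:"audience"` // the application this assertion is for
	NotOnOrAfter time.Time `json:"not_on_or_after"`
}

// SignedAssertion carries the serialised assertion and the IdP's signature over it.
type SignedAssertion struct {
	Payload   []byte
	Signature []byte
}

// sign is the identity-provider side: serialise and sign with the IdP private key.
func sign(priv *rsa.PrivateKey, a Assertion) (SignedAssertion, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: sig}, nil
}

// ServiceProvider is the application side: it holds only the IdP's public key
// (exchanged once, out of band, as SAML metadata), never any user password.
type ServiceProvider struct {
	idpKey   *rsa.PublicKey
	entityID string
	seen     map[string]bool  // assertion IDs already consumed
	now      func() time.Time // injectable clock for testing
}

// Verify establishes trust purely from the signature, then applies the
// assertion-level checks that keep a valid assertion from being misused.
func (sp *ServiceProvider) Verify(sa SignedAssertion) (Assertion, error) {
	digest := sha256.Sum256(sa.Payload)
	if err := rsa.VerifyPKCS1v15(sp.idpKey, crypto.SHA256, digest[:], sa.Signature); err != nil {
		return Assertion{}, errors.New("signature invalid: not issued by the trusted IdP")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, err
	}
	if a.Audience != sp.entityID {
		return Assertion{}, errors.New("audience mismatch: assertion was meant for another app")
	}
	if !sp.now().Before(a.NotOnOrAfter) {
		return Assertion{}, errors.New("assertion expired")
	}
	if sp.seen[a.ID] {
		return Assertion{}, errors.New("replayed assertion")
	}
	sp.seen[a.ID] = true
	return a, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed IdP key for the demo
	sp := &ServiceProvider{idpKey: &priv.PublicKey, entityID: "https://app.example/sp", seen: map[string]bool{}, now: time.Now}
	sa, _ := sign(priv, Assertion{ID: "_a1", Issuer: "https://idp.example", Subject: "alice", Audience: sp.entityID, NotOnOrAfter: time.Now().Add(5 * time.Minute)})
	a, err := sp.Verify(sa)
	fmt.Println(a.Subject, err) // alice <nil>
	_, err = sp.Verify(sa)
	fmt.Println(err) // replayed assertion
}
```

The point the post makes is visible in `ServiceProvider`: the application stores no password and nothing it holds can be stolen to impersonate a user. The three extra checks matter in practice: without the audience check an assertion issued for one app could be presented to another, without the expiry check a captured assertion stays valid forever, and without the ID bookkeeping it can be submitted twice.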

I’m curious to hear your thoughts on all this. After all, I’ve only been here for one day!

About the Author

Elias Terman is a seasoned product and marketing leader with over 20 years of technology marketing experience including IT security, enterprise software, and SaaS startups in the U.S. and abroad. Prior to OneLogin, he ran product marketing for SnapLogic, where he helped establish them as the leading independent cloud integration vendor. At OneLogin, he is responsible for product and partner marketing, as well as press and analyst relations.