终于！领英说清了大规模数据被盗事件

迟到总比不到好吧。在黑客盗走数百万用户名和密码四年后，领英终于决定宣布发生了什么。

上周三下午，领英用户收到了一封电子邮件，名为“有关领英账号的重要信息”，介绍了2012年黑客大规模入侵事件以及该公司的应对措施。

简而言之，这封电邮的内容是：“没错，我们被黑了。从2012年到现在你都没有换过密码，请注意旧密码已经作废。我们正在和执法部门合作保护用户信息安全。”

领英还建议用户采取一些基本的安全措施来保护账户：

除了竭尽所能保护用户隐私，我们建议用户务必到安全中心了解如何启用双重认证，使用强度更高的密码来尽量确保账号安全。推荐用户定期更换领英密码。如果大家在其他的在线服务中使用了相同或类似的密码，建议全都更换。

2012年的黑客事件闹得沸沸扬扬，领英的新闻之所以再次引起关注，是因为上周的媒体报道显示，数据被黑的程度远远超过了预期。

实际情况证明，当时的黑客事件涉及1.17亿对电邮和密码组合，而不只是之前报道里提到的650万对。所有泄露数据都在所谓的暗网上出售。

领英在周三的电邮中表示，上周才“知道”在网上能够买到2012年的被盗数据。听起来似乎有点儿牵强，因为盗窃数据基本上都是用来出售的。但我们愿意接受领英的解释。此外，和领英群发的其他电邮不同，这封邮件还是有点用的。

奇怪的是，领英并未在电邮里承认安全措施很糟糕，也未就此道歉。安全措施不够一般包括加密手段比较弱，比如未在加密算法中使用salt值，所以黑客很容易就能够破解用户的密码。

另一方面，安全专家特洛伊•亨特就近期新闻发表权威文章指出，2012年的黑客事件并非公司现任管理层的失误，他们只是收拾前任留下的烂摊子。

可以去网站https://haveibeenpwned.com查询在领英的登录电邮是否被盗（我的就被盗了）。同时为了安全起见，请不要再使用像12345、LinkedIn或者password等太容易被破解的密码。

译者：Charlie

审校：夏林

Better late than never, I suppose. Four years after hackers plundered millions of LinkedIn usernames and passwords, the company has decided to tell us what is going on, at last.

On last Wednesday afternoon, users received an email titled “Important information about your LinkedIn account,” describing the massive 2012 hack and what the company is doing about it.

The short version of the email is something like this: “Yup, they hacked us all right. And, in case you haven’t changed your password since 2012, we’ve cancelled those older passwords. We’re working with law enforcement to protect you.”

LinkedIn also suggests users adopt some basic security hygiene:

While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well.

While the 2012 hack was widely publicized at the time, the reason news of it flared up again is because of reports last week that revealed the breach was much, much bigger than initially thought.

It turns out that the hack affected 117 million email and password combinations—not the 6.5 million reported in the past. Oh, and the whole batch of them are for sale on the so-called dark web.

In its email, LinkedIn claimed that it “became aware” last week that the data stolen in 2012 was being made available online. This seems a bit of stretch—the whole point of stealing data is typically to sell it online—but we’ll take them at their word. And, unlike so many other LinkedIn emails, this one is definitely useful.

Oddly, the email did not include any acknowledgement or apology for the dreadful security practices used by LinkedIn in the first place. These included poor cryptography, such as failing to “salt” the data, which made it easier for hackers to unscramble users’ passwords.

On the other hand, as security expert Troy Hunt reports in a definitive account of the recent news, the 2012 breach is not the fault of the company’s current leadership team, who are simply trying to clean up the mess left by their predecessors.

You can check this site to see if your email is one of those that got stolen in the LinkedIn hack here (mine was). And, for goodness sake, stop using silly passwords like 12345, LinkedIn, or password.