An open letter to the LinkedIn security team

Some questions I have

Dear LinkedIn secury team,

You just sent me an email telling me about the recent publishing on the internet of LI IDs and hashed passwords from 2012.

My sincere thanks for this notification. On the one hand, it’s very positive that LI acknowledges the situation.

On the other hand :

Why don’t you start by exacting from users that they use complex passwords (i.e. with at least one digit and one sign not being a letter) ?
Instead of asking for their phone number, which is much more privacy invading.

Also, why is it that the press has told about the leak days before you sent me this email ?

And finally, why is it that the accounts concerned dit not have their passwords reset in 2012, when the original leak happened ? Does that mean that you did not detect it at the time ?

Thanks for listening.

Sincerely,

E. Barthe

PS 1 : Don’t forget that the European General Data Protection Regulation (GDPR) will come into force in 2018. Although they are not automatic at all, it contains huge penalties for this kind of leak.
PS 2 : I know LI is not the only internet business having those massive data leaking problems. But that is no excuse. And those businesses should beware too the GDPR sanctions.