Are your employees using the same passwords for work and personal accounts?
The recent sale of online user data stolen from Myspace and LinkedIn highlights the need for human resource information technology professionals to make certain that employees aren’t using the same passwords for work and social media.
Time Inc., which owns Myspace, confirmed May 31 that the social networking site was hacked and that passwords, e-mail addresses and user names are now for sale online.
More than half a billion passwords have been stolen from Myspace, and 165 million LinkedIn accounts were compromised in May. Experts say the Myspace data was apparently stolen and sold by the same individual who hacked LinkedIn.
“While many people may feel Myspace isn’t as popular as Facebook, Twitter, etc., the bigger problem is password reuse,” said Dodi Glenn, vice president of cyber security at PC Pitstop, a security software company based in Sioux City, Iowa.
“With username and password reuse, an individual may use the same e-mail address or username and password on site A that they would use on sites B and C,” he said. “When site A gets compromised, the hacker uses an underground tool to check other various sites to see if this account login and password combination exists elsewhere.”
Company leaders have to make sure employees know not to use the same passwords at work that they use to access other systems, experts say.
According to a survey by password management app Password Boss, 59 percent of consumers use the same passwords to access multiple accounts because it’s too hard to remember a different password for each account. The average professional memorizes 19 passwords between personal and work accounts, according to another study.
As SHRM Online reported last year, 54 percent of those surveyed by Software Advice said that “their employers require them to use complex passwords; 51 percent are required to change their passwords regularly; 41 percent said they are locked out of their computer after too many failed attempts at entry; 39 percent are forbidden from reusing passwords; and just 29 percent are prohibited from using the default passwords that come with a system.”
Said Lesley Fair, a senior attorney at the Federal Trade Commission, which enforces corporate data security, “If you have personal information stored on your network, [then] strong authentication procedures, including sensible password hygiene, can help ensure that only authorized individuals can access the data.”
Added Glenn: “The use of weak passwords and unencrypted database passwords still presents a serious security problem to individuals and companies alike, and it’s one of the top causes of data breaches.”
Details of the Myspace Hack
“Shortly before the Memorial Day weekend, the Myspace technical security team became aware that stolen Myspace user login data was being made available in an online hacker forum,” according to a news release from Time Inc. “The compromised data is limited to a portion of Myspace usernames, passwords and e-mail addresses from the old Myspace platform prior to June 11, 2013—when the site was relaunched with significant steps to strengthen account security.”
The hacked Myspace information is currently for sale at the price of six bitcoin (worth about $2,800), online news site Vice reported.
Link to the LinkedIn Hack
According to PC Pitstop, the hacker responsible for the Myspace breach is the same one who sold the data of more than 165 million LinkedIn users in early May. Known as Peace, this hacker now claims to have more than 400 million e-mail addresses and passwords of Myspace users—“making it possibly the largest leaked password breach ever,” PC Pitstop stated in a news release.
Before Time confirmed the Myspace hack, the breach was initially announced in a blog post by the new search engine for leaked data, LeakedSource, on May 27. LeakedSource scours the Internet for data and accumulates hundreds of databases, allowing users the “ability to search and find whether their data is available online or not,” according to its website.
“The Myspace breach does not affect any of Time Inc.’s systems, subscriber information or other media properties and does not appear to include financial data of any kind,” Time stated in its news release.
Myspace says it is “notifying all affected users and working proactively with law enforcement authorities to resolve this issue. Myspace has also invalidated the passwords of all known affected users and is monitoring for suspicious activity that might occur on Myspace accounts.”
Because LinkedIn, the largest resume database in the world, is used by tens of thousands of recruiters worldwide, this breach should be especially concerning to HR professionals. When that hack was revealed, LinkedIn reportedly invalidated the compromised account passwords and alerted its 400 million users about the importance of choosing strong passwords.
“On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk,” LinkedIn stated in a news release.
Aliah D. Wright is an online editor/manager for SHRM.