Surprise! The world learned this morning (June 13) that Microsoft will buy LinkedIn for $26 billion. That's a bit creepy, since the world's biggest software company will now hold the resumes of some 400 million individuals. But let's look at the bright side: Microsoft will make LinkedIn's dismal security much better.
Let me be frank: LinkedIn doesn't know how to protect its users. The site's user database was plundered in June 2012, but the company acknowledged the breach only after roughly 6.5 million scrambled passwords showed up for sale on a criminal web forum. Worse, those passwords were very poorly scrambled, or "hashed": each was run once through plain SHA-1 with no per-user salt, so identical passwords produced identical hashes and a single precomputed dictionary cracked most of them within days.
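To see why bare SHA-1 is such a poor choice, here is an added example (my own code, not LinkedIn's, and built on made-up passwords rather than leaked data). It runs a dictionary attack against a handful of unsalted SHA-1 hashes, then against the same passwords stored with a random per-user salt and an iterated hash. PBKDF2-HMAC-SHA256 stands in for bcrypt, scrypt or Argon2 here only because it ships in Python's standard library and runs offline; the function and variable names are mine.

```python
import hashlib
import secrets

# Constructed sample "dump" in the style of the 2012 leak: bare SHA-1 hashes, no salt.
# The passwords are invented for this example; nothing here is real leaked data.
SAMPLE_PASSWORDS = ["linkedin", "password1", "Summer2012", "qwerty123"]
UNSALTED_DUMP = [hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS]

# Constructed wordlist. A real cracker uses hundreds of millions of entries plus rules.
WORDLIST = ["123456", "password", "linkedin", "password1", "letmein",
            "Summer2012", "qwerty123", "iloveyou"]


def crack_unsalted_sha1(dump, wordlist):
    """Dictionary attack on unsalted SHA-1.

    One hash per candidate word is enough for the whole dump: with no salt,
    every account that chose that word has the identical hash, so the table
    is built once and each dump entry is a single dictionary lookup.
    Returns {hash: recovered_password}.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in dump if h in table}


def hash_password(password, salt=None, iterations=100_000):
    """Store a password as salt$iterations$pbkdf2(salt, password).

    The random 16-byte salt makes every record unique, so a precomputed table
    is useless and two users with the same password get different hashes.
    The iteration count makes each guess deliberately slow for the attacker.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the salted hash for a login attempt and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_salted(records, wordlist):
    """The same dictionary attack against salted, iterated records.

    Because each record has its own salt, the attacker must recompute the slow
    hash once per (word, account) pair; nothing computed for one account
    carries over to the next. Returns ({record: password}, hashes_computed).
    """
    found = {}
    attempts = 0
    for rec in records:
        for w in wordlist:
            attempts += 1
            if verify_password(w, rec):
                found[rec] = w
                break
    return found, attempts


def attack_cost(n_accounts, n_words, salted):
    """Hash computations needed to try every word against every account."""
    return n_words * n_accounts if salted else n_words


if __name__ == "__main__":
    cracked = crack_unsalted_sha1(UNSALTED_DUMP, WORDLIST)
    print(f"unsalted SHA-1: {len(cracked)}/{len(UNSALTED_DUMP)} recovered "
          f"with {len(WORDLIST)} hash computations")

    salted_records = [hash_password(p, iterations=20_000) for p in SAMPLE_PASSWORDS]
    found, work = crack_salted(salted_records, WORDLIST)
    print(f"salted PBKDF2: {len(found)}/{len(salted_records)} recovered, "
          f"but it took {work} slow hash computations")

    # Scale the work factor to a dump the size of the 2012 one.
    print("cost vs 117M unsalted accounts:", attack_cost(117_000_000, len(WORDLIST), False))
    print("cost vs 117M salted accounts:  ", attack_cost(117_000_000, len(WORDLIST), True))
```

The weak passwords still fall in both cases, since no hashing scheme rescues "password1". The difference is the work factor: against the unsalted dump the attacker pays for the wordlist once, no matter how many accounts are in it, while salting multiplies the cost by the number of accounts and the iteration count multiplies it again for every single guess.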
Four years later, the true number of LinkedIn user accounts affected by the 2012 breach turned out to be 117 million, a large majority of LinkedIn's membership in mid-2012. Thanks to password reuse, this breach affects more than just LinkedIn accounts: a password cracked from the LinkedIn dump unlocks every other site where its owner used it. If you were recently told that you needed to reset your Netflix password, the 2012 LinkedIn breach is probably to blame.
Again, LinkedIn only admitted the full extent of the 2012 data breach after the full set of 117 million accounts started showing up in online criminal forums. And even then, it waited a week to notify its users.
This is incredibly negligent. Why didn't LinkedIn discover the full nature of the breach back in 2012? Why didn't it hire a competent breach-investigation firm that would have uncovered the truth? Why didn't LinkedIn reset ALL user passwords in 2012, instead of only those that it could verify had been affected? Why isn't an aggressive lawyer mounting a class-action lawsuit on behalf of affected users?
Now let's talk about Microsoft. My family recently got an Xbox One. The security restrictions in Windows 10 are pretty stringent, but those on the Xbox One are insane. It took about an hour to set up my son's user account.
I had to log into my own Xbox account, log into my Microsoft account on my computer, enter a verification code sent to my phone, create my kid's Xbox account, have HIM enter a verification code emailed to HIS phone, go back to my computer to add a credit card to my Microsoft account, pay 50 cents to admit that my son is under 18, then enter another texted verification code.
The directions often weren't clear about which of us had to enter data, and we had to repeat many steps. With procedures like that, the LinkedIn hackers would have given up trying to hijack people's accounts pretty quickly.
And that's the point. Security needs to be hard. Accounts need to be difficult to break into. Stored passwords need to be salted and hashed with a deliberately slow function, so that cracking them is impractical rather than a matter of hours. Databases need to be impenetrable.
LinkedIn, four years after its devastating data breach, still doesn't get this. Microsoft does. That's why I'm much more comfortable having Microsoft hold my personal data.