On May 21, security analyst Carl Leonard reported on Twitter a situation involving LinkedIn's security. Users were receiving certificate error alerts when attempting to visit the website. As Leonard investigated further, he noticed that the certificate for the URL shortener lnkd[.]in had expired. LinkedIn joined the Twitter thread and apologized for the issues. Eventually, it appeared that the situation was resolved, which the company elaborated on in exchanges with the media.
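The failure described above is a renewal that slipped past its deadline, which is exactly what a certificate-expiry monitor is meant to catch before browsers start showing errors. As an added example (not code from the article, from LinkedIn, or from Carl Leonard), the script below computes the days remaining on a certificate in the dictionary shape that Python's `ssl` module returns from `getpeercert()`, classifies it against an assumed 14-day warning window, and includes a live checker for a host of your own. The `SAMPLE_CERT` value is constructed for illustration, and the `WARN_DAYS` threshold is an assumption to tune to your renewal lead time.

```python
"""Certificate-expiry monitor (added example; not from the article)."""
import datetime as dt
import socket
import ssl

WARN_DAYS = 14  # assumed warning window; tune to your renewal lead time

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notAfter": "May 22 00:00:00 2019 GMT",
}


def utc(year, month, day):
    """Helper: a timezone-aware UTC datetime at midnight."""
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def days_until_expiry(cert, now=None):
    """Days left on a certificate, given a getpeercert()-style dict.

    The 'notAfter' field is a string such as 'May 22 00:00:00 2019 GMT';
    ssl.cert_time_to_seconds parses it as GMT into epoch seconds.
    Negative values mean the certificate has already expired.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    not_after = dt.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    return (not_after - now).total_seconds() / 86400


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Return 'expired', 'warning' or 'ok' for alerting purposes."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "warning"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate presented by host:port (needs network).

    Uses the default verifying context, so hostname and chain are checked.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, port=443):
    """Live check of a host you operate. Returns (status, detail).

    Edge case: an already-expired certificate never reaches getpeercert(),
    because the verifying handshake fails first. That failure is itself the
    alert, so it is reported rather than swallowed.
    """
    try:
        cert = fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed", str(exc)
    return classify(cert), f"{days_until_expiry(cert):.1f} days remaining"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, evaluated at three
    # points in time: the day before expiry, after expiry, and months before.
    for when in (utc(2019, 5, 21), utc(2019, 5, 23), utc(2019, 1, 1)):
        print(when.date(), classify(SAMPLE_CERT, when),
              f"{days_until_expiry(SAMPLE_CERT, when):.1f} days")
```

Run it on a schedule against the hosts you own and alert on anything other than `ok`; the `verify_failed` branch matters because by the time a certificate has lapsed, the verifying handshake fails and the expiry date is no longer readable through the normal path.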
In an email sent to various cybersecurity media reporters, including Kacy Zurkus of Infosecurity Magazine, LinkedIn had this to say about the incident:
We had a brief delay in our SSL certificate update yesterday, which was quickly fixed, and member data was not affected.
This would perhaps not be as big of a deal if this were the first time that LinkedIn had made this error, but it is not. (And the Microsoft-owned LinkedIn has been in the news for other major security problems in the past.) As Carl Leonard later stated in an interview quoted in Zurkus' article:
Large organizations with hundreds of millions of users globally should be setting the standard for security practices and unfortunately this is the second time that LinkedIn failed to update their SSL certificate, effectively putting user data and privacy at risk.
Unfortunately, this lack of oversight is all too common for large companies. Whether it is failing to renew certificates or leaving exploitable holes in their networks, cybersecurity practices in the corporate world are an endless point of frustration. As much as cybersecurity experts can try to educate and warn those who set policy in these organizations, there is only so much they can do. Corporate security teams and upper management have to want to meet us in the middle if we are ever to reduce cybersecurity incidents on a global scale.
The likelihood of this happening anytime soon, however, is not very promising.
Featured image: Pixabay