LinkedIn's training site, Lynda, was purchased by Microsoft this month.
LinkedIn's training site, Lynda, was purchased by Microsoft this month.

Lynda.com, the training site of LinkedIn, was hit by a breach that exposed the user passwords of a small percentage of users, around 55,0000 accounts, according to Endgadget.

Officials at Lynda.com said those passwords were "cryptographically salted and hashed," but the online learning division of LinkedIn – as of this month officially a subsidiary of Microsoft – reset logins as a precaution and notified customers.

“We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed," the company wrote in an emailed statement to affected customers.

Additionally, the site's nearly 10 million customers are being alerted "out of an abundance of caution."

The details behind the Lynda database hack are unclear for now, Henry Bagdasarian, founder of the Identity Management Institute (IMI), informed SC Media on Monday. IMI provides training and professional certification to its global members who are interested in identity management topics. "We just know that an unauthorized third party accessed the database but we don't know how they gained access or how Linkedin discovered the breach."

Linkedin also doesn't know or hasn't said what exactly was stolen other than personal information, Bagdasarian said. The company admitted that passwords may have been part of the stolen data, but the passwords were encrypted, he added.

The company tweeted on Dec. 17 that it is working with law enforcement to investigate.

"As users, we should all change our Lynda passwords regardless of password encryption," Bagdasarian advised. "Also, if users were using the same password to access other accounts, they should also change the password for the other accounts. In addition, if they have stored credit card data for purchases, they should remove them immediately in case their accounts are accessed with stolen data."

“Being breached is not a question of if but when," Jason Hart, CTO Data Protection, Gemalto, told SC Media on Monday. "In this increasingly digital world, organizations are storing greater and greater amounts of data that has varying levels of sensitivity. At the same time, as our last Breach Level Index proved, it's clear that data breaches are going to happen and that companies need to shift from a total reliance on breach prevention to strategies that help them secure the breach."

It appears that Lynda.com understood this and that attackers were only able to access a limited amount of data and that they have no evidence that this data included passwords, Hart explained. "When companies adopt a data-centric view of digital threats and use identity and access control techniques, such as multi-factor authentication and the use of encryption and key management to secure sensitive data, they are helping enable more secure breaches like this where, when the data is stolen, it is useless to the thieves.”

Other experts would seem to agree. "The solution to a lot of these issues would have been to turn on multifactor authentication," Ben Bernstein, CEO and co-founder of Twistlock told SC Media on Monday. "That's the annoying pop-up you get that asks you to type a text message every time you login. Being a usability nightmare, most people choose to take the risk."

Today, there are actually modern solutions that walk the fine line between not using multiple factors, and just using the username and password, Bernstein said. "They usually offer more options than just a phone text, and require the second factor only when a new device is detected, and/or when the system detects anomalies such as “time travel” (logging from Australia and the U.S. from the same device in a matter of minutes), or something that looks like an automated script trying to guess passwords."

From that perspective, the most advanced company is probably Google, he said. "While it has a large number of online services, it has a lower number of issues around username/password data breaches. It would be great if more companies adapt these advanced techniques to avoid having these breaches." 

Carpinteria, Calif.-based Lynda.com, which offers more than four thousand online training courses, was purchased for $1.5 billion by LinkedIn. The parent company was subsequently acquired for $26.2 billion by Microsoft earlier this month following approvals from regulators in the European Union, the U.S., Canada, Brazil and South Africa.