Lynda.com, the online learning unit of LinkedIn, has reset passwords for some of its users after it discovered recently that an unauthorized external party had accessed a database containing user data.
The passwords of close to 55,000 affected users were reset as a precautionary measure and they have been notified of the issue, LinkedIn said in a statement over the weekend.
The professional network is also notifying about 9.5 million Lynda.com users who “had learner data, but no protected password information,” in the breached database. “We have no evidence that any of this data has been made publicly available and we have taken additional steps to secure Lynda.com accounts,” according to the statement. Here is the email that was sent:
“We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution.
Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.
If you have questions, we encourage you to contact us through our Support Center.
The Lynda.com team
Lynda.com was acquired a little while ago by LinkedIn for US$1.5 billion in a cash and stock deal. And then LinkedIn was in turn acquired by Microsoft this month for the all-cash transaction worth US$26.2 billion.
The breach at Lynda.com comes a little after Yahoo said last week that data relating to over a whopping 1 billion user accounts had been stolen in 2013. This is the second big breach reported by Yahoo, with the other affecting at least 500 million users.
Graham Cluley, who is more or less the Indiana Jones of insecurity reporting, wondered whether this is a hack in the traditional sense, whatever that means anymore, or whether it is based on the findings of a security researcher who uncovered a vulnerability and harvested it.
He’s also a bit miffed that the Lynda website isn’t making a big deal about the problem. This kind of obvious ignoring of hacks is a bugbear of his, which perhaps explains the big dig he gives LinkedIn at the end.
“The wording of the email is a little odd, and makes me wonder whether this was a traditional hack’ or more a case of a security researcher stumbling across a user database on a server that shouldn’t have been publicly accessible, or found a vulnerability that allowed them to access user information,” he said.
“Disappointingly, I was unable to find any reference to the data breach on the Lynda.com website. I always think breached sites should post an online notice so users can confirm the incident, rather than blindly trust an email received in their inbox. Regular readers will recall that LinkedIn is no stranger to database breaches”.