I received two e-mails in recent days from the customer care team of online training provider Lynda.com. This is because I have had two accounts with Lynda.com in the past. Both were set up when they had a 30-day free trial offer, which I made use of.
I’m one of the 9.5 million customers/former customers of Lynda.com who have been contacted by them about a breach of their data security. They state that my contact information and courses taken were compromised; however, they believe my password was not compromised. Here is the text of the e-mail:
We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution.
Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.
So this doesn’t sound so bad. Right?
Nope. They have my contact information, so they have my name, e-mail address and mobile phone number. That means I could be targeted for phishing or, even worse, spear phishing. I tried to see if I could delete my Lynda.com account, but nothing obvious jumped out at me. I must check their online help and, if there is nothing there, I will be contacting their “customer care” to try to get rid of these accounts.
There were 55,000 people who were contacted by Lynda.com customer care and told that their passwords had been compromised, and so Lynda.com have forced a reset of their passwords.
I actually don’t care about my password; the hackers would be welcome to it, as it is unique to my Lynda.com account and I would not have used it anywhere else. However, to use their terms, out of an abundance of caution I have changed my passwords on the two accounts I have to some complete gibberish that even I won’t remember. I’ve stored them in my password manager.
So what lessons can be learnt here?
- Don’t re-use passwords … Get training from L2 Cyber Security Solutions or use a password manager.
- If you sign up for free trials of services, but don’t continue with them, then have your account deleted/removed after you have finished.
- If they don’t allow that (they may need to hold on to your e-mail address in order to make sure you don’t sign up again and again with the same e-mail), then try to have as much other personal information as possible removed from their site (name, address, date of birth, telephone numbers, etc.).
- Again, if you cannot remove the account, then before you stop using it, set the password to something completely nonsensical and don’t bother with it ever again.