This article is more than 1 year old
LinkedIn plays down '117 million users' breach data sale
All encryption isn’t created equal, says expert
LinkedIn has responded to the recent sale of users’ data - apparently the fruits of a 2012 breach - on the dark web.
As previously reported, a black hat hacker using the nickname Peace is attempting to sell 117 million LinkedIn users' emails and passwords on the dark web. "Peace" wants 5 BTC for the trove of private info which he claims is the fruit of a well-publicised LinkedIn breach back in 2012. Early indications from security experts such as Troy Hunt were that the data is genuine.
The social network for suits said "no indication that this is result of a new security breach" even though the exposure of credentials has increased from a previously admitted 6.5 million records spill to a 117 million avalanche. In a statement on Wednesday, LinkedIn said it intended to apply a password reset to potentially compromised accounts, something that would partially address the problem once it is applied. It urged users to enable two-step verification to further protect their LinkedIn accounts.
In 2012, LinkedIn was the victim of an unauthorised access and disclosure of some members' passwords. At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorised disclosure. Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
We take the safety and security of our members' accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.
Security vendors said the incident illustrates that security breaches can run deeper than they initially seem to do, as well as illustrating the value of login credentials - especially to social media sites - in the hands of hackers.
David Kennerley, senior manager for threat research at anti-malware firm Webroot, said: “It’s no secret that LinkedIn is a rich pool of data and there’s no doubt this made it an extremely attractive target for the hacker. Although some steps to mitigate the problem such as resetting passwords of affected accounts were taken by LinkedIn at the time of the initial breach in 2012, the inability to accurately predict the scale of the problem has resulted in far more users being affected than should have been.”
Rob Norris, director of enterprise and cyber security in EMEIA at Fujitsu, commented: “The fact that hackers have revealed details of 117 million LinkedIn users, including passwords and user IDs, highlights the value of personal data, even years after a data breach has taken place. Cyber criminals are entrepreneurial, well-sourced and motivated and this once again demonstrates a how capable hackers are in getting what they want.”
Trent Telford, chief exec at Covata, added: “The fact that such a huge number of credentials have been available to hackers for so long is deeply worrying, not least because it’s common knowledge that consumers tend to use similar – or indeed, the same – passwords and usernames across a number of sites. It’s also concerning that LinkedIn underestimated the scale of this breach and points to the need for better investigative tools once a breach happens.
“What’s more, while the passcodes were protected with a level of encryption, it’s clear that this was no where near robust enough to properly protect user details… If this latest breach teaches us anything, it’s that all encryption wasn’t created equal,” Telford concluded. ®