2012 LinkedIn Data Breach Reboots, Affects 117 Million
May 19, 2016
LinkedIn says roughly 117 million of its members may have had their email and password combination leaked, stemming from a security breach back in 2012. Embarrassingly, the credentials are currently up for sale on the Dark Web for a paltry $2,200, according to an ArsTechnica report. The only winners here seem to be security consultants offering up free advice on how to protect yourself if you have been compromised.
Troy Hunt, Microsoft Regional Director and MVP for Developer Security, first tweeted about the millions of LinkedIn records being offered up for sale for 5 bitcoins on a Dark Web trading site on the evening of May 17. Motherboard reports that a hacker calling himself "Peace" is selling the data hoard on The Real Deal dark web site, with 167 million accounts in total and around 117 million records having both email addresses and hashed passwords. Another party supplied Motherboard with a sample of nearly one million records, including email addresses, hashed passwords and the corresponding cracked passwords.
Compounding matters, LinkedIn originally hashed passwords with SHA-1 but without a "salt" (a per-user random value mixed into the hash). Cryptographers called out SHA-1 as weakened back in 2005, according to Wikipedia, with many organizations calling for its replacement with SHA-2 or SHA-3 by 2010. Those results concern collisions, though, and are not what made this dump easy to crack: SHA-1 is a fast hash, and without salts every account that used the same password shares the same hash value, so a single pass through a wordlist or a precomputed table tests every record at once. LeakedSource, the party that supplied Motherboard with the record sample, said they had cracked 90 percent of the passwords in 72 hours.
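The following is an added example (not code from the article or from LinkedIn) showing why unsalted SHA-1 cracks so cheaply and what salting and a slow hash change. The user list, wordlist and passwords are constructed here for illustration and are not taken from the real dump; the hash-evaluation counts are returned so the cost difference can be checked directly.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed wordlist and users; hypothetical, not from the LinkedIn data.
WORDLIST = ["password", "linkedin", "123456", "letmein", "Summer2012", "qwerty"]
USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "123456",
    "carol@example.com": "linkedin",          # same password as alice
    "dave@example.com": "correct horse battery staple",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_dump(users):
    """The 2012-style store: email -> SHA-1(password), no salt."""
    return {email: sha1_hex(pw.encode()) for email, pw in users.items()}


def shared_hashes(dump):
    """Without salts, equal passwords give equal hashes, so the dump itself
    reveals which accounts share a password before any cracking is done."""
    groups = defaultdict(list)
    for email, h in dump.items():
        groups[h].append(email)
    return {h: emails for h, emails in groups.items() if len(emails) > 1}


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes. One hash per wordlist entry
    serves every record; returns (cracked, hash_evaluations)."""
    table = {sha1_hex(w.encode()): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


def salted_dump(users, salt_len=16):
    """Per-user random salt stored alongside the hash."""
    out = {}
    for email, pw in users.items():
        salt = os.urandom(salt_len)
        out[email] = (salt, sha1_hex(salt + pw.encode()))
    return out


def crack_salted(dump, wordlist):
    """Same attack against salted hashes: the wordlist has to be re-hashed
    for every record, so work grows with the number of accounts."""
    cracked, evaluations = {}, 0
    for email, (salt, h) in dump.items():
        for w in wordlist:
            evaluations += 1
            if sha1_hex(salt + w.encode()) == h:
                cracked[email] = w
                break
    return cracked, evaluations


def slow_hash_record(password, iterations=100_000):
    """What a current store should look like: salt plus a deliberately slow
    KDF (PBKDF2-HMAC-SHA256 here), so each guess costs `iterations` hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest.hex()


def verify_slow(record, password):
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    dump = unsalted_dump(USERS)
    print("accounts sharing a hash:", shared_hashes(dump))
    print("unsalted:", crack_unsalted(dump, WORDLIST))
    print("salted:  ", crack_salted(salted_dump(USERS), WORDLIST))
```

With four records and a six-word list the salted store already costs 13 hash evaluations against 6 for the unsalted one; at 117 million records and a multi-million-word list the gap is what turns "90 percent in 72 hours" into something far slower, and a slow KDF multiplies each of those guesses again by its iteration count.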
LinkedIn's chief information security officer Cory Scott confirmed the validity of the breach via a blog post on the company's website around 12:30 p.m. ET on May 18. The blog went on to say that the company was taking "immediate steps" to invalidate the passwords of the accounts impacted and to contact affected members to reset passwords.
Scott went on to encourage users to learn about enabling two-step verification and to use strong passwords in order to keep accounts as safe as possible. Automated tools are going to be used to attempt to identify and block any suspicious activity that may occur on affected accounts.
Third-party security experts are calling for users to change their LinkedIn passwords and offering plenty of other advice.
"LinkedIn is work related, so many employees of an enterprise will use their exact work credentials, username and password, for their LinkedIn account," said John Gunn, VP of Communications, VASCO Data Security. "This means that the hackers and their eventual buyers could have the login credentials for many millions of enterprise employees. No one should ever use their work password for any other account, and everyone should be using a second factor of authentication when security matters. It may seem obvious, but to be safe, everyone with a LinkedIn account should reset their password, now."
Some are taking a harder line as to what LinkedIn has done since the initial breach. "If LinkedIn has not upgraded the security of their network, website, and protection of their databases since 2012, I strongly recommend they do so immediately," said Craig Kensec, security expert, Lastline. "Cyber criminals' capabilities to create tools to breach networks are advancing at a speed that would put Olympian Usain Bolt to shame."
"Has LinkedIn been fully transparent with its users? Hopefully, users changed their passwords on the initial disclosure, but in the light of this news a stronger response should have ensued," Brad Taylor, CEO, Proficio, commented. "Second, if LinkedIn is only now discovering the scale of data that was exfiltrated from their systems, what went wrong with the forensic analysis that should have discovered this?"
If you are looking for advice on how to handle your LinkedIn account, change your password if you haven't already done so. I'm not sure about handing more data to the company, even if they are calling for two-step verification via phone number for additional security. It seems prudent to wait until it is clear LinkedIn has its act together.
Edited by Peter Bernstein