LinkedIn recently issued a statement saying that a 2012 data breach thought to have exposed 6.5 million passwords was likely to have affected more than 117 million of its users. The professional business networking company said that in response, they are forcing password resets for users who are believed to be part of the security breach.
The information was first published by a hacker who released a list of 6.5 million unique passwords on a forum where members volunteer, or are hired, to crack complex account passwords. Members of the forum succeeded in cracking the passwords to the LinkedIn accounts, and even noticed a trend in some of them: they contained a variation of the name “LinkedIn”.
The company’s solution to this hack was forcing all 6.5 million affected users to reset their passwords. Reports were published a few days ago saying that an online cybercrime sale was taking place – a seller was offering 117 million stolen accounts from the 2012 security breach. LeakedSource, a paid hacked data search engine, also came out saying they have a searchable database of the 117 million affected accounts.
LinkedIn responded to this event by repeating what they did before, asking the affected portion of users to reset their passwords.
Cory Scott posted this statement on LinkedIn’s blog: “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
A 2012 data breach exposed more than 117 million LinkedIn users – with their personal information made available online.
Hani Durzy, LinkedIn’s spokesperson, stated that they have a copy of the database of 117 million users, and that they think it is legitimate. “We believe it is from the 2012 breach. How many of those 117 million are active and current is still being investigated,” Durzy added.
Experts believe that the 117 million figure makes sense: the company boasts more than 400 million users, but only about one-fourth of those accounts are considered active. Alex Holden, co-founder of a security consultancy firm, was among the first to find out about the original lot of 6.5 million hacked accounts, which was originally found on the Russian hackers’ forum InsidePro.
The 6.5 million passwords were encrypted and unique – while also not including any passwords that were simple to crack with basic tools or means. Holden added, “These were just the ones that the guy who posted it couldn’t crack. I always thought that the hacker simply didn’t post to the forum all of the easy passwords that he could crack himself.”
Of the 117 million encrypted passwords exposed in the data breach, only 50 easy-to-guess passwords made up more than 2 million of the accounts – according to LeakedSource. Passwords were stored in SHA1 with no salting, meaning there was no additional security added – a practice not up to Internet standards. “Only 117M accounts have passwords and we suspect the remaining users registered using Facebook or some similarity,” added LeakedSource.
SHA1 is a type of hash function used to obscure plain alphanumeric passwords before storing them. The password is run through a one-way mathematical algorithm that converts it into a fixed-length string of seemingly random numbers and letters; ideally, the original password cannot be recovered from that string.
This approach is weak on its own because hashes are “static”: the password “12345” always converts to the same hash. On top of this, there are numerous tools capable of easily mapping these hashes back to common dictionary words, names and phrases, which essentially undermines the effectiveness of the hashing process. Since computer hardware keeps getting cheaper, hackers can easily build machines that compute millions of password hashes per second for each user account.
By salting, or adding a unique element to each password, database administrators can immensely complicate the hacking process for the cybercriminals who have the stolen information and rely on cracking passwords through automated tools.
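The following added example (not code from the article or from LinkedIn) illustrates the two preceding paragraphs with a constructed list of sample passwords: with unsalted SHA1, identical passwords yield identical hashes, so repeats can be counted and hashes matched against a precomputed table of common passwords, which is how a leaked store can be audited (or attacked); with a random per-user salt and an iterated hash (PBKDF2-HMAC-SHA256 is used here as an assumed modern choice), the same password yields a different hash every time and neither check works. The sample passwords and the “common passwords” list are constructed for the example.

```python
import hashlib
import secrets
from collections import Counter

# Constructed sample standing in for a leaked password store (not LinkedIn data).
SAMPLE_PASSWORDS = ["123456", "linkedin", "123456", "Password1", "123456", "linkedin"]
COMMON_PASSWORDS = ["123456", "password", "qwerty"]  # constructed "top-N" list


def sha1_unsalted(password: str) -> str:
    """The 2012-era scheme described above: plain SHA1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def duplicate_hash_counts(hashes):
    """Unsalted hashes are static, so identical passwords give identical hashes.
    Counting repeats shows how many accounts share a password without recovering
    any of them (how a few common passwords can be tied to millions of accounts)."""
    return Counter(hashes)


def audit_against_common_list(hashes, common_passwords):
    """Defender-side audit: hash a common-password list once and look each stored
    hash up in that table. This only works because there is no salt."""
    table = {sha1_unsalted(p): p for p in common_passwords}
    return {h: table[h] for h in set(hashes) if h in table}


def pbkdf2_salted(password: str, salt=None, iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The random per-user salt is
    stored next to the hash; it is not secret, it just makes every hash unique."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = [sha1_unsalted(p) for p in SAMPLE_PASSWORDS]
    print("unsalted duplicates:", duplicate_hash_counts(weak).most_common(2))
    print("common-password hits:", audit_against_common_list(weak, COMMON_PASSWORDS))
    strong = [pbkdf2_salted(p) for p in SAMPLE_PASSWORDS]
    print("salted duplicates:", duplicate_hash_counts(strong).most_common(1))  # every count is 1
```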
LinkedIn stated that it added salting to its password hashing function after the 2012 data breach. But according to some experts, the stored hashes of LinkedIn users who haven’t changed their passwords since then might still be the old unsalted ones.
It is highly recommended that you change your LinkedIn password, especially if you have not changed it in a while. If you have logged into your LinkedIn account through other websites, it is a good idea to change those passwords too. This LinkedIn security breach reminds us that using the same password for multiple sites that hold your personal or financial information is definitely not the best idea.
LinkedIn came out with an update on May 23rd: “We’ve finished our process of invalidating all passwords we believed were at risk. These were accounts that had not reset their passwords since the 2012 breach. We will soon be sending more information to all members that could have been affected, even if they’ve updated their password.”