The LinkedIn hack of 2012 is the hack that just keeps on giving. Reports say 117 million hacked LinkedIn accounts are being sold on the dark web.
I am sure the Ashley Madison hack was pretty devastating for those involved in extracurricular activities, but the LinkedIn hack really brings it home: this could be me!
The 2012 LinkedIn hack may be the breach that just keeps on giving, with the news that 117 million customer email credentials originating from that hack were found for sale on the dark web, prompting the professional social network to invalidate the affected account passwords.
The initial story came from Motherboard, which reported it was contacted by someone going by the name “Peace” who said he was selling the data set on an illegal marketplace called The Real Deal for 5 Bitcoins, or about US$2,200. The 117 million credentials come from a larger 167 million data dump of accounts that were supposedly grabbed when LinkedIn was breached in 2012.
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” Cory Scott, LinkedIn CIO, said in a blog post, adding the customers impacted will be contacted.
Here’s a (sad but entertaining) tally of the most common passwords the site said it unscrambled in the hacked dataset, according to Leaked Source’s analysis. The chart lists 2.2 million instances of passwords, less than 2% of the total cache.
At the time of the 2012 incident, which was believed to have impacted about 6 million accounts, LinkedIn required a mandatory password reset for the accounts it believed were compromised. It goes without saying that any of the passwords listed in the above chart are poor choices for securing online accounts. Security experts recommend using a password manager to help generate and store complex, lengthy passwords. They also recommend never reusing passwords across multiple sites and always opting in to two-factor authentication, a feature that ties an additional security code to a user’s device and requests it upon login.
Experts Comment on LinkedIn Hack
Amit Ashbel, Checkmarx director of product marketing and cyber security evangelist, said LinkedIn’s poor handling of its customers’ data four years ago led directly to today’s situation: past mistakes come back to haunt us. The data up for sale did not include payment card information or Social Security numbers, but even email addresses have value to a criminal, particularly one willing to put in the time and effort to tie these data points to others that can be found on the web.
Making a bad situation worse for LinkedIn and its customer base is that even this latest revelation may not be the end of the story that started with the 2012 data breach. Ashbel noted that it is common practice among hackers to hold back some information from a hack, in effect using the data as an annuity for the criminal.
“The fact that these are now being sold online indicates to me more than anything else that the hacker needs cash and now is the time to pop out that old stash and sell to the highest bidder,” he said.
Pierluigi Stella, CTO, Network Box USA, says: “LinkedIn is a business platform; it’s not Facebook. All users of LinkedIn should be well aware of issues such as this, know how to behave, and know when to change their passwords. If I recall correctly, at the time we heard some passwords were as simple as the widely used 12345. Although I find it hard to believe, because LinkedIn does have password rules and you can’t really set up simple strings as passwords, this still goes to show that some people never learn. On the other hand, though, what perplexes me is why hackers would sit on this data for 4 years. Four years later, that information is likely stale; and again, if it isn’t, if someone hasn’t changed their password, they should have had their account locked.
I really have zero tolerance, zero mercy for such behavior. This is 2016, and we all know how easy it is to be hacked. We all need to adopt proper and secure behavior. People, change your passwords!! So that huge database will be completely obsolete!”