Posted on Jun 30, 2016
In 2012, various news reports announced that LinkedIn had suffered a data breach. The initial estimates of leaked passwords were 6.5 million and LinkedIn’s own blog announced that as a result, they would contact members with compromised accounts to rest their passwords. News outlets encouraged all users to change their passwords just to be sure and months later, it seemed like the worst was over for LinkedIn.
The initial 6.5 million estimate ballooned to over 100 million when it was reported that a hacker named ‘Peace’ was selling user accounts and password data on a dark web marketplace. LinkedIn eventually addressed the issue on their blog once more, taking the same action of contacting members and invalidating their passwords. However, as more details and reports surfaced, LinkedIn took more drastic actions, invalidating non-updated passwords for ALL accounts created prior to the breach. LinkedIn maintains that this new batch of data was the result of the 2012 breach and not a new data breach.
Due to the mass of the data breach along with other unfortunate factors, this breach will have ongoing consequences for LinkedIn users as well many other companies’ employees and clients.
The biggest danger with LinkedIn’s data breach, which was mentioned in the initial reporting of the 2012 attack, was that LinkedIn failed to salt their passwords. A salt is a random string of characters added to a password before cryptographically hashing them. Salting is used to make sure duplicate passwords don’t receive the same hash and to make hash-cracking difficult in case a breach occurs due to the added random string.
Unfortunately, due to the lack of salting, the passwords were quickly cracked, leading to a number of discoveries. Sophos had published a blog post noting that common passwords included ‘linkedin’, ‘linkedinpassword’, ‘p455w0rd’, and ‘redsox.’ Ironically, other commonly used terms were ‘sophos’, ‘mcafee’, ‘symantec’, and other tech and security-related terms. Troy Hunt noted that over 1.1 million users used the password ‘123456.’
Easy-to-guess passwords are problematic regarding LinkedIn’s case for a number of reasons. Password reuse is common among internet users. A Telesign study last year found that 73 percent of online accounts use duplicated passwords. The fact that so many easy-to-guess passwords are floating around means that if a malicious actor just obtains an email associated to a LinkedIn account, they can try to log into other accounts using the same email and a guessed password.
This was the case with Mark Zuckerberg when his social accounts were hacked. His LinkedIn password ‘dadada’ was tried in other places successfully. Github also experienced a similar attack, noting that unauthorized attempts were being tried on a large number of GitHub.com accounts using a list of emails and passwords that were obtained from other compromised online services.
However, there is another consequence resulting from the data breach that is only possible due to the mass amount of data leaked.
As Jeremi Gosney, Founder and CEO of Sahitta HPC, a password-cracking firm, reported in Ars Technica, password cracking provides analytical information that makes it easier to crack more passwords which, in turns, makes future password cracking easier in an “endless feedback loop.” He notes that because of the increased processing power available, the information provided by LinkedIn’s data dump is a kind of password bible that will allow ‘hackers to be 6 times better [at] cracking future data dumps.’
What this means for enterprise organizations is that both your customers and employees are now vulnerable vectors that hackers can exploit using the information from the LinkedIn data breach. Vigilance is absolutely necessary when it comes to data breaches, as hashes will be cracked faster than ever. As soon as a leak or breach is announced, you and your employees should take action immediately in order to mitigate any potential risk. Companies like GitHub, Citrix, and LogMeIn, have already proactively reset their customer passwords in order to prevent any malicious actors and a similar action is needed for at-risk employees as well.
While data breaches and leaked information pose a high risk to individuals, they pose an even greater risk to companies. Here is what you should do in order to prevent any more consequences to your company due to the LinkedIn data breach.
Corporate accounts shouldn’t be associated with any accounts that are not necessary for the company. This ensures corporate information on any level is kept at a minimum. The LinkedIn data breach shows us that estimated loss of data can be widely misreported and consequences can result years after an attack is announced. The best thing to do is minimize risk exposure and react quickly.
SecurityScorecard users can see whether their organization's passwords and other sensitive information, or that of their vendors have been exposed through the ‘Leaked Credentials’ security factor in the platform.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.