Last week, a hack many of us had forgotten about shot right back into the headlines. First, the background: in 2012, LinkedIn acknowledged it had suffered a data breach that exposed the passwords of 6.5 million of its customers. What we discovered last week, however, was that the breach was actually much bigger than anyone (including LinkedIn) thought.
Seemingly out of nowhere, a hacker by the name of Peace offered over a hundred million LinkedIn usernames and passwords gathered during the 2012 breach for sale on the Dark Web, 18x the number of exposed accounts LinkedIn had originally confirmed. Worse, they were being sold for cheap. As security researcher Troy Hunt put it, “for a mere 5 Bitcoins (about $2.2K) you could jump over to the Tor-based trading site…and retrieve what is one of the largest data breaches ever.”
The sheer size of this data breach is a head-turner, but the timing, the asking price for the stolen data, and the vast disparity in the estimated vs. actual number of breach victims all raise important questions.
Breaking down the breach
At the time of the original breach, in 2012, it was reported that roughly 6.5M accounts and passwords had been stolen. What has followed since is publicity around the compromise of an additional 100M+ usernames and passwords. These additional victims were not reported by LinkedIn, but rather by the hacker who claims to have originally stolen the data.
There have been plenty of data breaches since 2012, but the resurrection of this story makes it appear that either LinkedIn had no idea how many accounts were actually breached in 2012, defaulting to an estimate that now appears to be short by a significant amount, or that LinkedIn simply may have chosen to minimize the scope of this breach. Either way, this is a serious issue, as LinkedIn is a common source for information used in socially engineered attacks and phishing campaigns.
The low price point for all of this data is also instructive. With the selling price of the 117 million usernames and passwords at five Bitcoins — approximately $2,200 USD — the hacker clearly believes that individual passwords are not valuable enough to market separately. This is probably because most users have changed their login credentials in the four years that have passed since the initial breach, and because LinkedIn has forced many of them to do so.
What could someone do with this new data?
The most straightforward use for this data is to impersonate the victim on LinkedIn, providing a trusted connection to any number of LinkedIn associates. For example, there is a near perfect likelihood that messages from company executives would be opened by co-workers, subordinates, and partners. Through this message, an attacker could use short links and attachments to deliver ransomware, malware, or other forms of attack.
But the fallout of breaches like this isn’t confined to what the stolen data immediately enables an attacker to do. The information on connections and relationships that can be quickly collected on LinkedIn can also continue to be of value long after the affected user changes their password.
Are users to blame?
Not unless those users are somehow involved in the infrastructure that support LinkedIn authentication. The simplicity and speed with which the actual passwords were revealed, however, is another indicator that collectively, users don’t value privacy and security enough to take even the most basic steps to protect them.
It’s easier to blame LinkedIn for not enforcing better password policy, but as a security professional, that’s of no comfort to me. These simple passwords, easily guessed by automated cracking tools, don’t just jeopardize the users who used them, they also threaten anyone connected to those users through the LinkedIn platform. Beyond this, it is likely that the type of person who uses a simple password on LinkedIn is also using a simple password on a litany of other sites. An attacker who knows this has only to visit other popular sites (Twitter, Facebook, Amazon, etc.) and try the same combinations of user email and password.
What should LinkedIn users do?
In a message dated May 25th, LinkedIn reached out to users who were potentially affected, informing them that they had invalidated all passwords on accounts that had been in existence at the time of the breach and had not had a password change in the interim. If you currently use LinkedIn you should be changing your password regularly. It’s best practice to update passwords at least once a quarter to ensure you’re protecting yourself from the effects of these breaches. Breaches, even of large organizations like LinkedIn, can take weeks or months to detect, and updating your passwords regularly (and not using the same password across multiple accounts) can minimize the damage if that password is stolen and the theft goes undiscovered.
In the time between breach and recognition or action, forged credentials and compromised accounts can do plenty of damage. LinkedIn has the press today, because of the volume and business interest in their story. Any organization, though, can serve as a similar source of personal information and credentials for criminals, so develop habits that recognize the risk and mitigate the damaging outcome. Strong passwords, frequently changed, are easy guidelines to follow.