
2012 breach haunts LinkedIn

By Admire Moyo, ITWeb's news editor.
Johannesburg, 26 May 2016
LinkedIn is aware data stolen from it in 2012 is being made available online.

Business-oriented social networking service LinkedIn has acknowledged cyber criminals are selling data it lost in a 2012 breach.

In the 2012 incident, the passwords (without the matching usernames) were posted on a Russian forum as unsalted SHA-1 hashes, a format that lets attackers test candidate passwords against every hash in the dump at once. After investigating, LinkedIn confirmed that at least some of the hashes corresponded to LinkedIn user accounts, but it did not reveal how many passwords were compromised.

Last week, a Web site called Motherboard reported that a hacker going by the name "Peace" was looking to sell e-mails and passwords for 117 million LinkedIn users stolen in the 2012 breach.

According to the site, only around 6.5 million hashed passwords were posted online at the time, and LinkedIn never clarified how many users were affected by that breach.

It adds Peace is selling the data on the dark Web illegal marketplace The Real Deal for five Bitcoin (around $2 200). The paid hacked data search engine LeakedSource also claims to have obtained the data.

Both Peace and one of the people behind LeakedSource said there are 167 million accounts in the hacked database. Of those, around 117 million have both e-mail addresses and hashed passwords.

This morning, the social networking site wrote to users saying: "You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you."

It says on 17 May 2016, LinkedIn became aware that data stolen from it in 2012 was being made available online. This was not a new security breach or hack, it notes.

"We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.

"We invalidated passwords of all LinkedIn accounts created prior to the 2012 breach that had not reset their passwords since that breach. In addition, we are using automated tools to attempt to identify and block any suspicious activity that might occur on LinkedIn accounts. We are also actively engaging with law enforcement authorities," says LinkedIn.

The social network says it has taken significant steps to strengthen account security since 2012. For example, it notes, it now stores passwords as salted hashes, so a single precomputed table can no longer crack every account at once, and it offers members the option of two-step verification for additional account security.
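The two storage formats mentioned above (the unsalted SHA-1 of the 2012 dump and the salted hashes LinkedIn moved to) differ in how much work a cracker has to do. The following is an added example, not LinkedIn's code: the "dump", the wordlist and the e-mail addresses are constructed for the demonstration, and PBKDF2-HMAC-SHA256 with the iteration count shown is this example's choice of salted, slow hash, not a statement of what LinkedIn actually uses.

```python
"""Cracking cost of an unsalted SHA-1 dump versus a salted, slow hash store.

Added example (not LinkedIn's code). Every input below is constructed:
the wordlist, the e-mail addresses and the leaked hashes.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the multi-million-entry lists crackers actually use.
WORDLIST: List[str] = ["123456", "password", "linkedin", "qwerty", "letmein"]


def sha1_hex(pw: str) -> str:
    """Unsalted SHA-1 hex digest, the format of the 2012 dump."""
    return hashlib.sha1(pw.encode()).hexdigest()


# Constructed "dump". Alice and Bob chose the same password, so without a salt
# their stored hashes are byte-for-byte identical.
LEAKED_SHA1: Dict[str, str] = {
    "alice@example.com": sha1_hex("password"),
    "bob@example.com": sha1_hex("password"),
    "carol@example.com": sha1_hex("linkedin"),
    "dave@example.com": sha1_hex("correct horse battery staple"),  # not in list
}


def crack_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Hash each candidate once, then look every dumped hash up in the table.

    Total work is len(wordlist) hashes no matter how many users are in the
    dump, and one table entry breaks every user who chose that word.
    """
    table = {sha1_hex(w): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


# Salted, deliberately slow hash. KDF and parameters are this example's choice.
PBKDF2_ITERS = 50_000


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is drawn per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification does not leak digest bytes."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(store: Dict[str, Tuple[bytes, bytes]],
                 wordlist: List[str]) -> Dict[str, str]:
    """With per-user salts there is no shared table: every (user, candidate)
    pair costs a full KDF run, so work is len(store) * len(wordlist) slow hashes.
    """
    found: Dict[str, str] = {}
    for email, (salt, digest) in store.items():
        for w in wordlist:
            if verify_password(w, salt, digest):
                found[email] = w
                break
    return found


def work_units(n_users: int, n_words: int) -> Tuple[int, int]:
    """Hash operations a cracker needs: (unsalted table, per-user salted guessing)."""
    return n_words, n_users * n_words


if __name__ == "__main__":
    print("unsalted SHA-1 dump cracked:", crack_unsalted(LEAKED_SHA1, WORDLIST))
    salted_store = {e: hash_password(p) for e, p in
                    [("alice@example.com", "password"),
                     ("bob@example.com", "password")]}
    print("same password, different salted digests:",
          salted_store["alice@example.com"][1] != salted_store["bob@example.com"][1])
    print("salted store cracked (per-user effort):", crack_salted(salted_store, WORDLIST))
    print("work units for 117 million users x 1 million words:",
          work_units(117_000_000, 1_000_000))
```

Salting does not stop a weak password from being guessed, as the salted crack above shows; it removes the shared table and multiplies the attacker's work by the number of accounts, and the slow KDF multiplies it again per guess. That is why the advice that follows still asks members to choose strong, unique passwords rather than rely on the hash format alone.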

"We have several dedicated teams working diligently to ensure the information members entrust to LinkedIn remains secure. While we do all we can, we always suggest our members visit our Safety Centre to learn about enabling two-step verification, and implementing strong passwords to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well."
