In 2012, 6.5 million login credentials were stolen for LinkedIn accounts and leaked online. However, the data breach was found to be much worse than originally thought when a hacker named “Peace” decided to sell the credentials of 117 million LinkedIn users for $2,200 on the dark web. Peace told tech site Motherboard that the credentials were stolen during the 2012 breach.
In 2012, LinkedIn had a total of 161 million users. By stealing 117 million credentials, they managed to victimize 73% of the site’s members. This is huge. The LinkedIn hack now surpasses some of the biggest data breaches of the past couple years including Ashley Madison and Anthem health insurance.
When security researchers studied the passwords, they found that they had not been protected correctly, making them quite simple for hackers to crack. LeakedSource, a search engine for hacked data, managed to crack 90% of the passwords within 72 hours. The original passwords had been hashed with the SHA1 algorithm and no “salt,” a string of random characters added to the password before hashing to make it more difficult to crack. Salting does not make a password uncrackable, but it slows attackers down and buys users time to change their current password before hackers are able to decipher it.
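The difference between the scheme described above and a correctly salted one is easy to see on a handful of records. The following is an added example, not code from the article or from LinkedIn: it hashes a constructed set of user passwords both ways, and includes a small audit function a defender can run over a credential store to spot the tell-tale sign of missing salt, namely many users sharing the exact same hash. The user names, passwords and the choice of PBKDF2-HMAC-SHA256 as the salted scheme are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: several users picked the same weak password, as the
# article reports happened at scale in the LinkedIn data.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "linkedin",
    "dave": "correct horse battery staple",
}

ITERATIONS = 100_000  # work factor for the salted scheme (assumed value)


def hash_unsalted_sha1(password: str) -> bytes:
    """The weak scheme: one plain SHA1 of the password, no salt, no work factor.
    Every user with the same password gets byte-for-byte the same hash."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow scheme: PBKDF2-HMAC-SHA256 with a fresh random
    16-byte salt per user. Returns (salt, digest); the salt is stored alongside."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, expected)


def build_store(users: Dict[str, str], salted: bool) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate a credential table: user -> (salt, digest). Unsalted rows carry an empty salt."""
    store = {}
    for user, password in users.items():
        store[user] = hash_salted(password) if salted else (b"", hash_unsalted_sha1(password))
    return store


def duplicate_hash_ratio(store: Dict[str, Tuple[bytes, bytes]]) -> float:
    """Audit check: fraction of users whose stored digest is shared with at least
    one other user. With per-user salts this is 0.0 even when passwords repeat;
    a high value means the store is unsalted and one cracked hash unlocks many accounts."""
    counts: Dict[bytes, int] = {}
    for _, digest in store.values():
        counts[digest] = counts.get(digest, 0) + 1
    shared = sum(1 for _, digest in store.values() if counts[digest] > 1)
    return shared / len(store) if store else 0.0


if __name__ == "__main__":
    unsalted = build_store(SAMPLE_USERS, salted=False)
    salted = build_store(SAMPLE_USERS, salted=True)
    print("unsalted duplicate ratio:", duplicate_hash_ratio(unsalted))  # 0.5
    print("salted duplicate ratio:  ", duplicate_hash_ratio(salted))    # 0.0
    salt, digest = salted["alice"]
    print("alice login ok:", verify_salted("123456", salt, digest))
```

The audit function is the part worth keeping: run it over an exported hash column and a non-zero ratio tells you immediately that the store is unsalted, long before anyone starts cracking.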
When the data breach occurred back in 2012, LinkedIn did nothing to alert their users about the scale of the breach. Kevin Shabazi, a security expert and CEO of LogMeOnce, told MakeUseOf.com, “If LinkedIn had taken corrective measures back then, forced a password change, and then worked with the users to educate them about security best practices, then that would have been OK”.
It is unclear whether LinkedIn knew about the full extent of the data breach back in 2012. Either way, they are responsible for storing their users’ data in an insecure manner and for responding to the data breach incorrectly.
What LinkedIn Users Should Do
LinkedIn users also share some of the responsibility in protecting themselves, especially if they reuse their LinkedIn password for other accounts such as email and Facebook. LeakedSource gave a breakdown of the most commonly used passwords. The top password, used by a whopping 753,305 users, was 123456. After that, some widely used passwords were linkedin, 123456789, 12345678, and 111111, according to Ars Technica.
All users of LinkedIn (not just those who had an account in 2012) should log into their account, go to their settings and immediately log out of all sessions. Then, they should log back in and change their password. The new password needs to be strong, with upper and lower case letters, numbers, and special characters. To generate a strong password, users can employ a random password generator or they can build their password from a sentence. Shabazi said that a password like “$_I Love BaseBall$” would take around 5 septillion years for a hacker to crack. That’s pretty secure!
When available, users should enable two-factor authentication. This means that both a password and a randomly generated token (sent to your phone) must be used to log in. These two layers of protection make it almost impossible for a cybercriminal to log in to an account, even if they have the password.
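What makes the second factor hold up is not just that a code exists but how the server treats it: the code must be random, short-lived, single-use, and limited in guesses, otherwise a leaked password plus patient guessing gets through. The following is an added example, not LinkedIn's code or anything from the article: a minimal server-side verifier for the "random token sent to your phone" model. Delivery (SMS, app push) is out of scope and simply returned from `issue()` for the caller to send; the user names, the five-minute lifetime and the five-attempt limit are assumed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_TTL_SECONDS = 300   # assumed lifetime of a delivered code
MAX_ATTEMPTS = 5         # assumed guess budget before the code is voided
CODE_DIGITS = 6


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class OtpVerifier:
    """Issues one-time codes and checks them with expiry, single use and an attempt cap.
    The clock is injectable so expiry behaviour can be exercised deterministically."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, user: str) -> str:
        """Generate a fresh random code for this user. Any older code is replaced.
        The caller delivers the returned string out of band (e.g. by SMS)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(code, self._clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry: Optional[PendingCode] = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already consumed
        if self._clock() > entry.expires_at:
            del self._pending[user]           # expired: user must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user]           # too many guesses: void the code entirely
            return False
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self._pending[user]           # single use: a replayed code fails
            return True
        return False


def login(verifier: OtpVerifier, user: str, password_ok: bool, code: str) -> bool:
    """Both factors are required; a correct password alone never logs the user in."""
    if not password_ok:
        return False
    return verifier.verify(user, code)


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("alice")            # in production this goes to alice's phone
    print("password only:", login(v, "alice", True, "000000") and code == "000000")
    print("both factors:  ", login(v, "alice", True, code))
    print("replayed code: ", login(v, "alice", True, code))
```

Because `verify()` deletes the entry on success, expiry, or exhaustion, the attacker holding only the stolen password gets at most five guesses at a six-digit code inside a five-minute window, which is the property the article's "almost impossible" rests on.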