In 2012, LinkedIn was hacked by an unknown Russian entity, and six million user credentials were leaked online. Four years later, it’s transpired that the hack was far worse than we first expected. In a report published by Vice’s Motherboard, a hacker called Peace has been selling 117 million LinkedIn credentials on the Dark web for around $2,200 in Bitcoin.
While this episode is a continuing headache for LinkedIn, it will inevitably be worse for the millions of users whose data has been splashed online. Helping me make sense of it is Kevin Shabazi, a leading security expert and the CEO and founder of LogMeOnce.
Sitting down with Kevin, the first thing he did was emphasize the enormity of this leak. “If the figure of 117 million leaked credentials seems to look gigantic, you need to regroup yourself. In the first quarter of 2012, LinkedIn had a total of 161 million members. This means that hackers at the time did not just take 117 million records.”
“In essence they took away a whopping 73% of LinkedIn’s entire database of membership.”
These numbers speak for themselves. Measured purely in terms of records leaked, it compares with other big-name hacks, like the PlayStation Network leak of 2011 or the Ashley Madison leak from last year. Kevin was eager to emphasize, however, that this hack is a fundamentally different beast. While the PSN hack was purely about obtaining credit card information, and the Ashley Madison hack was purely about inflicting embarrassment on the company and its users, the LinkedIn hack “engulfs a business-focused social network into mistrust”. It could lead to people questioning the integrity of their interactions on the site. This, for LinkedIn, could prove to be fatal.
This is especially true when the contents of the data dump raise serious questions about the company’s security policies. The initial dump included user credentials, but according to Kevin, those credentials weren’t protected correctly.
“LinkedIn should have applied a hash and salt to each password which involves adding a few random characters. This dynamic variation adds a time element to the password, that if stolen, users will have ample time to change it.”
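To make Kevin’s point concrete, here is an added example (not code from the article, LinkedIn or LogMeOnce) contrasting a fast unsalted hash with a random per-user salt plus a slow key-derivation function. The user table and passwords are constructed, and SHA-1 and PBKDF2-HMAC-SHA256 are illustrative choices, not a description of how LinkedIn actually stored passwords.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample "user database": alice and bob happened to choose the same password.
USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery staple",
}
ITERATIONS = 200_000  # work factor for the slow KDF; raise it as hardware gets faster

def store_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-1 digest (illustrative; not LinkedIn's real code)."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: random 16-byte per-user salt plus PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def shared_hash_groups(table: Dict[str, str]) -> int:
    """Count hash values shared by more than one user. In an unsalted table, identical
    hashes reveal identical passwords, so one recovered value covers the whole group."""
    counts: Dict[str, int] = {}
    for h in table.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)

def unsalted_table() -> Dict[str, str]:
    return {user: store_unsalted(pw) for user, pw in USERS.items()}

def salted_table() -> Dict[str, Tuple[bytes, bytes]]:
    return {user: store_salted(pw) for user, pw in USERS.items()}
```

With the unsalted table, alice and bob share a hash and a single precomputed lookup covers both; with the salted table every digest is distinct and each guess costs a full PBKDF2 run, which is the “time element” Kevin describes.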
I wanted to know why the attackers had waited for up to four years before leaking it to the dark web. Kevin acknowledged that the attackers had shown a great deal of patience in selling it, but that was likely because they were experimenting with it. “You should assume that they were coding around it while developing mathematical probabilities to study and understand user trends, behavior, and eventually password behaviors. Imagine the level of accuracy if you submit 117,000,000 actual inputs to create a curve and study a phenomenon!”
Kevin also said that it’s likely that the leaked credentials were used to compromise other services, such as Facebook and email accounts.
Understandably, Kevin is scathingly critical of LinkedIn’s response to the leak. He described it as “simply inadequate”. His biggest complaint is that the company didn’t alert its users to the scale of the breach back when it happened. Transparency, he says, is important.
He also laments the fact that LinkedIn didn’t take any practical steps to protect its users when the leak happened. “If LinkedIn had taken corrective measures back then, forced a password change, and then worked with the users to educate them about security best practices, then that would have been OK.” Kevin says that if LinkedIn had used the leak as an opportunity to educate its users about the need to create strong passwords that aren’t recycled, and are renewed every ninety days, the data dump would have less value today.
Kevin doesn’t recommend that users take to the Dark web to see if they’re in the dump. In fact, he says that there’s no reason for a user to confirm whether they’ve been affected at all. According to Kevin, all users should take decisive steps to protect themselves.
It’s worth adding that the LinkedIn leak will almost certainly find its way to Troy Hunt’s Have I Been Pwned, where users can safely check their status.
So, what should you do? Firstly, he says, users should log out of their LinkedIn accounts on all connected devices, and on one device change their password. Make it strong. He recommends that people generate their passwords using a random password generator.
Admittedly, these are long, unwieldy passwords, and are hard for people to memorize. This, he says, isn’t a problem if you use a password manager. “There are multiple free and reputable ones, including LogMeOnce.”
He emphasizes that choosing the right password manager is important. “Pick a password manager that uses ‘injection’ to insert passwords in the correct fields, rather than simply copying and pasting from the clipboard. This helps you to avoid hack attacks via keyloggers.”
Kevin also stresses the importance of using a strong master password on your password manager.
“Choose a master password that is more than 12 characters. This is the key to your kingdom. Use a phrase to remember such as ‘$_I Love BaseBall$’. This takes about 5 Septillion years to be cracked.”
People should also adhere to security best practices. This includes the use of two-factor authentication. “Two-factor authentication (2FA) is a security method which requires the user to provide two layers or pieces of identification. This means you will protect your credentials with two layers of defense — something that you ‘know’ (a password), and something you ‘have’ (a one-time token).”
Finally, Kevin recommends that LinkedIn users notify everyone in their network of the hack, so that they too can take protective measures.
The leak of over a hundred million records from LinkedIn’s database represents an ongoing problem for a company whose reputation has already been tainted by other high-profile security scandals. What happens next is anyone’s guess.
If we use the PSN and Ashley Madison hacks as our road maps, we can expect cybercriminals unrelated to the original hack to take advantage of the leaked data and use it to extort affected users. We can also expect LinkedIn to offer a grovelling apology to its users, along with something — perhaps cash, or more likely a premium account credit — as a token of contrition. Either way, users have to be prepared for the worst, and take proactive steps to protect themselves.