[BreachExchange] Another Day, Another Hack: 117 Million LinkedIn Emails And Passwords

Wed May 18 22:51:45 EDT 2016

http://motherboard.vice.com/en_uk/read/another-day-another-hack-117-million-linkedin-emails-and-password

A hacker is trying to sell the account information, including emails and
passwords, of 117 million LinkedIn users.

The hacker, who goes by the name “Peace,” told Motherboard that the data
was stolen during the LinkedIn breach of 2012. At the time, only around 6.5
million encrypted passwords were posted online
<http://www.pcworld.com/article/257045/security/6-5m-linkedin-passwords-posted-online-after-apparent-hack.html>,
and LinkedIn never clarified
<https://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised>
how many users were affected by that breach.

Turns out it was much worse than anybody thought.

Peace is selling the data on the dark web illegal marketplace The Real Deal
<https://motherboard.vice.com/tag/The+Real+Deal> for 5 bitcoin (around
$2,200). The paid hacked data search engine LeakedSource
<https://www.leakedsource.com/> also claims
<https://www.leakedsource.com/blog/linkedin> to have obtained the data.
Both Peace and the one of the people behind LeakedSource said that there
are 167 million accounts in the hacked database. Of those, around 117
million have both emails and encrypted passwords.

“It is only coming to the surface now. People may not have taken it very
seriously back then as it was not spread,” one of the people behind
LeakedSource told me. “To my knowledge the database was kept within a small
group of Russians.”

LeakedSource provided Motherboard with a sample of almost one million
credentials, which included email addresses, hashed passwords, and the
corresponding hacked passwords. The passwords were originally encrypted or
hashed with the SHA1 algorithm, with no “salt,” which is a series of random
digits attached to the end of hashes to make them harder to be cracked.

One of the operators of LeakedSource told Motherboard in an online chat
that so far they have cracked “90% of the passwords in 72 hours.”

Troy Hunt, a security researcher who maintains the breach notification site
<https://motherboard.vice.com/read/the-rise-of-have-i-been-pwned-an-invaluable-resource-in-the-hacking-age-troy-hunt>
“Have I Been Pwned? <https://haveibeenpwned.com/>,” reached out to some of
the victims of the data breach. Two of them confirmed to Hunt that they
indeed were users of LinkedIn and that the password he shared with them was
the one they were using at the time of the breach. Motherboard was able to
confirm a third victim.

One of the victims told Motherboard that the password in the sample was
their current one, though he changed it as soon as Hunt reached out no
notify him of the breach.

“Having a password out there feels like someone being able to let
themselves in to your private space whenever they like, without you
knowing,” the victim, who asked to remain anonymous, said in an email.

When reached for comment on Tuesday, LinkedIn spokesperson Hani Durzy told
Motherboard that the company’s security team was looking into the incident,
but that at the time they couldn’t confirm whether the data was legitimate.
Durzy, however, also admitted that the 6.5 million hashes that were posted
online in 2012 were not necessarily all of the passwords stolen.

“We don’t know how much was taken,” Durzy told me in a phone call.

The lesson: For LinkedIn, the lesson is the same as four years ago: don’t
store passwords in an insecure way. As for LinkedIn users, if you didn’t
already change your password four years ago, change it again, especially if
you use it on other services (and please stop reusing passwords).

“The prevalence of password reuse means we’ll see that unlock other
accounts too,” Hunt told me.

Another lesson is that even old hacked data can sometimes be valuable,
given that some of these passwords might still be valid.

*UPDATE, May 18, 12:32 p.m. ET*: LinkedIn confirmed on Wednesday that the
new data is legitimate.

“Yesterday, we became aware of an additional set of data that had just been
released that claims to be email and hashed password combinations of more
than 100 million LinkedIn members from that same theft in 2012,“ the
company's chief information security officer Cory Scott wrote in a blog post
<https://blog.linkedin.com/2016/05/18/protecting-our-members>. “We are
taking immediate steps to invalidate the passwords of the accounts
impacted, and we will contact those members to reset their passwords. We
have no indication that this is as a result of a new security breach.“

Scott also encouraged users to use two-factor authentication
<https://www.linkedin.com/help/linkedin/safety/4026/4027/531?trk=li_corpblog_corp_security>
and use strong passwords.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160518/c457aa01/attachment.html>