May 20, 2016

LinkedIn Hack: When Social Media Goes Bad

This week, a hacker has been trying to sell the account information, including emails and passwords, of 117 million LinkedIn users.

The hacker, known as Peace, is selling the data on The Real Deal, an illegal dark web marketplace, for five bitcoin (around £1,500). The hacked-data search engine LeakedSource also claims to have obtained the data. Both Peace and one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords.

“What we are likely seeing here is the long tail of the 2012 LinkedIn breach,” says Toni Gidwani, director of analysis at ThreatConnect Inc. Unfortunately, he adds, the long lag time between the breach and passwords now appearing for sale suggests the data has already been mined for other nefarious purposes.

“LinkedIn, with its rich context of professional networks, is a gold mine for adversaries looking to social engineer targets for future attacks,” he explains. “Which are you more likely to open – an email from a Nigerian prince? Or a link in an article sent by someone you’ve worked with for years?

“Four years after the fact, the breached data set still has some nominal monetary value, which is why it’s for sale for only a handful of bitcoin. But the trickier question is figuring out who has been exploiting the breached data for the last four years and to what end.”

Rob Sobers, director at Varonis, says: “The LinkedIn breach goes to show how a single significant breach can come back to haunt a business, and its customers, again and again. It also highlights just how in-the-dark companies typically are after a breach.

“After a breach occurs we usually see a statement claiming that the security team has ‘isolated the affected systems’, but seasoned security researchers know that far too often the scope and severity of a breach is indeterminable due to a lack of comprehensive monitoring and logging.”

Simon Crosby, CTO and co-founder at Bromium, is particularly scathing in his summation of LinkedIn’s security performance.

He says: “LinkedIn has had an awful record of securing their service, and this appears to be another confirmation that they operate without due care for the valuable information they curate.”

But despite the social network’s security shortcomings, Adrian Sanabria, senior analyst for information security at research firm 451 Research, believes digital marketers will continue to embrace it.

“It won’t put people off, because they have few choices or alternatives,” he says. “LinkedIn is valuable because it already has all the people necessary for business relationships to exist in a social context. In other words, even if there were viable alternatives to LinkedIn, they wouldn’t be useful unless the majority of LinkedIn’s 400m-plus users joined that alternative site. LinkedIn is still largely the ‘only game in town’ for what it does and the data it has access to.

“We’ll reset some passwords and move on. The fact that the breach data is four years old is a significant point also. From an external perspective, LinkedIn has most of the security features you’d expect a large social media platform to have.”

Internally, though, we do not really know. Again, it is worth keeping in mind that the breached data is four years old, so security at LinkedIn could have changed considerably since then.

How to use LinkedIn as securely as possible

Toni Gidwani, director of analysis at ThreatConnect Inc

“The good news is that basic security practices, such as not reusing passwords across different sites and leveraging two-factor authentication whenever possible, are an effective way to both prevent unauthorised access to your accounts and to limit the possible contagion when breaches occur.”

Simon Crosby, CTO and co-founder at Bromium

“I recommend that users be very cautious of using the service because attackers will use compromised accounts to launch other attacks. Change your password now.”

Adrian Sanabria, senior analyst, Information Security at 451

“Multi-factor authentication (MFA) is a no-brainer. It can be inconvenient, but it is one of the easiest ways to keep people out of your accounts, even if they are compromised. Also, use a password database that can identify where you’re reusing passwords. Even though MFA will protect your LinkedIn account, if your password is compromised in the breach and you also used it somewhere else (say, Twitter) with the same username, you’ve now put that account at risk.”