Details of some 167 million LinkedIn users have been leaked and offered for sale in what is believed to be fall-out from the 2012 hack of the company.
At the time, the company said that only 6.5 million accounts had been affected; the far larger figure emerged only when the details recently surfaced on a site called LeakedSource.
“LinkedIn.com was hacked in June 2012 and a copy of data for 167,370,910 accounts has been obtained by LeakedSource which contained emails only and passwords,” said a LeakedSource report.
“You can search the hacked LinkedIn.com database and many others on our main site. If you are in this database, contact us and we will remove you from our copy for free.
“Passwords were stored in SHA1 with no salting. This is not what internet standards propose. Only 117 million accounts have passwords and we suspect the remaining users registered using Facebook or some similarity.”
Again, stupid passwords were used. LinkedIn has a list of some of the most prevalent and right there at the top is our old favourite ‘123456’ which is used by three quarters of a million people. Second is ‘Linkedin’ and third is ‘Password’. We stopped reading there because we were weeping.
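An added illustration (not code from the article, LinkedIn or LeakedSource) of why unsalted SHA1 storage makes a prevalence list like the one above trivial to compile from a dump, and how a per-user salt with a slow hash changes that. The hash dump and weak-password list are constructed sample data, and the PBKDF2 parameters are assumptions, not LinkedIn's.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample dump: unsalted SHA1 digests, as the quoted report describes.
# In a real audit these would come from the defender's own credential store.
_SAMPLE_PASSWORDS = ["123456", "123456", "123456", "linkedin", "password",
                     "correct horse battery staple"]
UNSALTED_DUMP = [hashlib.sha1(p.encode()).hexdigest() for p in _SAMPLE_PASSWORDS]

# Small constructed weak-password list (a real list would be far longer).
WEAK_PASSWORDS = ["123456", "linkedin", "password", "qwerty"]


def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def audit_unsalted(dump):
    """Return {weak_password: user_count} for weak passwords present in the dump.
    This works only because, without a salt, every user who chose the same
    password has the identical digest, so one lookup table covers all of them."""
    freq = Counter(dump)
    table = {unsalted_sha1(p): p for p in WEAK_PASSWORDS}
    return {table[h]: n for h, n in freq.items() if h in table}


def salted_hash(password: str, salt: bytes) -> str:
    # Assumed parameters: PBKDF2-HMAC-SHA256, 100k iterations, 16-byte random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def store(password: str):
    """Create a per-user record (salt, digest); call once per enrolment."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, digest: str) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), digest)


def salted_digests_distinct(password: str, n: int = 3) -> bool:
    """Same password enrolled n times yields n different digests, so the
    frequency analysis in audit_unsalted no longer reveals shared passwords."""
    return len({store(password)[1] for _ in range(n)}) == n
```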
To be fair to LinkedIn, the company advised users in 2012 to choose their passwords carefully, and this was before the hack. It had some good tips that, on reflection, it might as well have shouted into a toilet.
The firm reiterated this advice in a statement sent to Computing, but said that it is not yet sure that a new breach has occurred.
“We are taking immediate steps to invalidate the passwords of the accounts affected, and we will contact those members to reset their passwords. We have no indication that this is a result of a new security breach,” a LinkedIn spokesperson said.
“We take the safety and security of our members’ accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual-factor authentication.
“We encourage our members to visit our safety centre to ensure they have two-step verification authentication and to use strong passwords in order to keep their accounts as safe as possible.”
Brian Spector, CEO at security firm MIRACL, suggested that this is bad news for LinkedIn and another kick in the teeth for passwords as a security mechanism.
“Besides causing a major headache for LinkedIn, this hack demonstrates how data theft and identity fraud is a multi-billion dollar business on the dark web, and that consumers must be vigilant,” he said.
“In truth, passwords are a relic from a bygone age, and they simply don’t provide adequate protection for the volume of information we all store and access online today. They don’t scale for users, they don’t protect the service itself and they are vulnerable to myriad attacks.”
Spector advised anyone with a LinkedIn account to change their password for this account and for any other website where they may have used the same password.
“Unfortunately, the truth is that most of us probably already have some sort of private information floating around on the dark web, and as long as we use this outdated username and password system we will read a lot more of these headlines,” he said.