LinkedIn and the hacked IDs.
May 23, 2016
LinkedIn’s problems since its database was breached and personal information stolen in 2012 continue apace. In January affected LinkedIn users settled their claim for $13 million. The BBC, amongst others (e.g. see Hackers selling 117 million LinkedIn passwords and Change your LinkedIn password right now), reports that LinkedIn IDs are now being advertised for sale. That has prompted LinkedIn to contact users, such as myself, to change their passwords. Given LinkedIn’s poor password-storage practices at the time of the breach (hashed but unsalted), this is a salutary lesson on the need not only for adequate cyber defences but also for protection of the data itself if there is a breach.
The BBC article provides:
A hacker is advertising what he says is more than one hundred million LinkedIn logins for sale.
The IDs were reportedly sourced from a breach four years ago, which had previously been thought to have included a fraction of that number.
At the time, the business-focused social network said it had reset the accounts of those it thought had been compromised.
LinkedIn now plans to repeat the measure on a much larger scale.
One expert said the service should have reset all its accounts the first time round.
LinkedIn is often used to send work-related messages and to find career opportunities – activities its members would want to stay private.
Criminals could make use of this information or see if its subscribers had used the same passwords elsewhere.
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” a spokeswoman for the California-based firm told the BBC.
“We have no indication that this is a result of a new security breach.
“We encourage our members to visit our safety centre to ensure they have two-step verification authentication and to use strong passwords in order to keep their accounts as safe as possible.”
Login leak
Details of the sale were first reported by the news site Motherboard.
It said the details were being advertised on at least two hacking-related sites.
A total of 117 million passwords are said to be included.
The passcodes are encoded, but in a form that appears to have been relatively easy to reverse-engineer.
LinkedIn had about 165 million accounts at the time of the breach, but the discrepancy in the figures might be explained by the fact that some of its users logged in via Facebook.
Invalidated IDs
After the breach first occurred, a file containing 6.5 million encrypted passwords was posted to an online forum in Russia.
LinkedIn reacted by saying it had invalidated all the accounts it believed had been compromised and emailed affected members saying they needed to register new passwords.
But Motherboard has tracked down one user, whose details are in the batch currently on sale, and found that the password listed for him was still active.
A security researcher who has also been given access to about one million of the advertised IDs said he believed it was “highly likely” that the leak was real.
“I’ve personally verified the data with multiple subscribers [of my own site] ‘Have I been pwned’,” Troy Hunt told the BBC.
“They’ve looked at the passwords in the dump and confirmed they’re legitimate.”
Another expert noted that the problem stemmed from the fact that LinkedIn had originally “hashed” its passwords but not “salted” them before storing them.
Hashing involves using an algorithm to convert passwords into a long string of digits. Salting is an additional step meant to stop unauthorised parties from being able to work around the process.
“A salt involves adding a few random characters, which are different on a per-user basis, to the passwords [before they are hashed],” explained Rik Ferguson, chief technology officer at the cybersecurity firm Trend Micro.
By doing this, he added, you prevent hackers from being able to refer to so-called “rainbow tables” that list commonly-used passwords and the various hashes they produce, and then see if any of the hashes match those in the stolen database.
LinkedIn introduced salting after the attack, but that only benefits the login databases it generated afterwards.
“Using salting is absolutely best practice for storing passwords under any circumstances and was the case back in 2012 as well,” Mr Ferguson said.
“If LinkedIn is saying now that it didn’t know which accounts had been affected by the breach, then the sensible thing to have done at the time would have been a system-wide forced reset of every password.”
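As an added illustration of the point Rik Ferguson makes above (this is not code from the BBC article or from LinkedIn): the same small list of common passwords, hashed once and kept as a lookup table, recovers every unsalted hash it matches in one step, while a per-user random salt makes that table useless and forces work per user. It assumes plain SHA-1 as the unsalted scheme and PBKDF2-HMAC-SHA256 as the salted, iterated replacement, and stands in a plain hash-to-password dictionary for a rainbow table; all users and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty"]

def unsalted_hash(password: str) -> str:
    """2012-style storage: one plain SHA-1 per password, no per-user salt (assumed algorithm)."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated storage: PBKDF2-HMAC-SHA256 with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_lookup_table() -> dict:
    """Precompute hash -> password for the common list once, offline."""
    return {unsalted_hash(p): p for p in COMMON_PASSWORDS}

def crack_unsalted(stored: dict, table: dict) -> dict:
    """Every user whose stored hash appears in the table is recovered with a single lookup."""
    return {user: table[h] for user, h in stored.items() if h in table}

def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

def demo() -> dict:
    # Constructed users; two share a password, as happens at scale.
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    table = build_lookup_table()
    # Unsalted: identical passwords collide, and the table cracks both in one pass.
    unsalted_db = {u: unsalted_hash(p) for u, p in users.items()}
    cracked = crack_unsalted(unsalted_db, table)
    # Salted: each user gets 16 fresh random bytes; the same table matches nothing.
    salted_db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        salted_db[u] = (salt, salted_hash(p, salt))
    salted_hits = sum(1 for salt, h in salted_db.values() if h in table)
    return {
        "unsalted_cracked": len(cracked),
        "unsalted_collide": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_collide": salted_db["alice"][1] == salted_db["bob"][1],
        "salted_table_hits": salted_hits,
        "login_ok": verify_salted("password", *salted_db["alice"]),
        "wrong_password": verify_salted("passw0rd", *salted_db["alice"]),
    }
```

The unsalted run recovers alice and bob together because their hashes are identical, which is also how a leaked table reveals password reuse across accounts; carol survives only because her password is not in the list, not because the scheme protected her.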
The Privacy Commissioner has provided an anodyne response here which provides:
Statement by Australian Privacy Commissioner, Timothy Pilgrim, on LinkedIn 2012 data breach
I am aware of the reports about the release of additional data from the LinkedIn 2012 data breach. This incident is a timely reminder during Privacy Awareness Week about the importance of protecting Australians’ personal information. It is also a reminder for Australians to ensure they regularly change their passwords and to make sure they use different passwords across their online accounts.
LinkedIn has made contact with my office and we are pleased to see that LinkedIn has notified its impacted members about the issue. My office encourages voluntary notification of data breaches or other potential risks to personal information. This is good privacy practice and helps protect business reputation by displaying transparency and proactive management to members or customers. It also gives people the opportunity to take proactive steps to protect their personal information.
If people have concerns about this matter, they can visit LinkedIn’s blog directly, or get in touch with my office at enquiries@oaic.gov.au, or on 1300 363 992.