Stolen LinkedIn Data: How secure is your password?

In the past decade, internet has grown in huge leaps and bounds leading to an ever increasing number of passwords and usernames.

The numerous social media platforms and increasing online transactions have led to an enormous growth in the use of passwords and usernames.

This unprecedented growth, without strong measures on password security has led to a high degree of susceptibility to stolen and lost passwords.

The password debacle is looming large threatening to upset entire networks at a go with serious repercussions for a long, long time.

The LinkedIn password breach scandal in 2012 is one such incident that has shown its lasting effect even now.


The LinkedIn password hack

On May 18, LinkedIn announced that a new set of hacked data has been released. Earlier in 2012 hackers had stolen encrypted passwords of nearly 6.5 million users of LinkedIn Corp. and had the data posted on a Russian forum for hackers.

LinkedIn had spent around $1 million to investigate the extent of damage inflicted by the hack.The reason behind the easy break in of the passwords was due to the storage of passwords in unsalted SHA-1 hash forms.

Now in an alarming turn of events, LinkedIn has revealed that passwords of over 100 million of its members have been identified as compromised.The network catering to professional has over 433 million members now.

This latest data dump has forced LinkedIn to take stronger measures on validating accounts that have been breached and relaying the information to affected users, so they could reset their LinkedIn passwords.

For large companies such as LinkedIn, data breach requires sensitive handling. Most often investigations into data breach do not reveal the whole picture. So, companies often do not realize the extent of damage. Many organizations have lost huge databases before they could realize it.

LinkedIn had to choose between convenience and security back in 2012. It had the option of forcing all its members to do a password reset.

This could have made users unhappy and frustrated. But LinkedIn chose the path of least resistance.This poor handling of the situation has come back to haunt LinkedIn now.

The estimated amount of accounts breached makes one wonder how many of the passwords were actually reset.

And the question arises whether LinkedIn had kept the leaked password history to avoid users from using the passwords again.

This is because some users do not adhere to a completely different change of their passwords no matter how dire a notification they receive.


The impact

According to reports, a hacker named ‘Peace’ is selling the passwords and emails of around 117 LinkedIn members at an illegal dark web market for bit coins worth $2,200.

The data pack is said to include around 167 million user accounts, of which only 117 million have encrypted passwords and emails.

Since this latest data has been from the 2012 data breach, the passwords would have been encrypted in the no salt method, which makes them easy to steal.

According to Motherboard, most of the passwords were stolen in a space of 72 hours. Unfortunately a majority of the affected individuals are still using the same password they had used, since 2012.

LinkedIn users have cause for concern with this revelation, if they had a LinkedIn account during the 2012 hack. Those who had since then changed their password, which they had reused on other websites, should also be cautious.

The best way to deal with this situation is to change your password on LinkedIn and on various other sites, where you are using a similar password like your email, Facebook, banking website etc.

LinkedIn maintains that it has enforced strict security measures, since the debacle in 2012. It has introduced email challenges, stronger encryptions and two way authentication methods to counter password breach.

But since the hack had been done before such measures were introduced, the users whose password and email combinations had been hacked would not be protected by this measure.


Hijacked accounts

Stolen LinkedIn Data

The ramifications do not end as such. The accounts at LinkedIn are not the only ones that are in danger. The information dump affects many others too. For those who use similar passwords on various sites the danger is more.

Many who have not updated their password or not reset it could be under risk still. So, the accounts on those sites will also be compromised. Password reuse enables a person to access several other sites that share the same password.

And reports that corroborate this have been increasing in number since the breach occurred at LinkedIn. And to be frank, it would be abnormal, if this did not occur. It is a sort of pattern that indicates the nature of the breach.

The data stolen has been sold down various levels and therefore is spreading at a fast rate. The hijacks of accounts and password resets done in various other services indicated a possible redistribution of stolen data.


Analyzing data dump

A thorough analysis of the passwords found in the dump has revealed emphatically the reason for the data of over 167 million users spreading around indiscriminately. KoreLogic, an information security service specializing in password recovery has set to crack the passwords on a massive scale. Some of the important considerations on the results they have received on the cracked passwords are:

  • Most easily cracked user IDs for login include LinkedIn, 123456, 123456789, 12345678 and password
  • LinkedIn remains the most commonly used base word, which is not surprising.
  • 12345 is the most frequently used at over 1,135,936 times

As you can see, users need to exercise seriousness, while choosing the passwords. Going in for complex passwords that can withstand the most potent brute force assault is the only way out of this difficulty.

As mentioned before, LinkedIn too has played a part in the data breach using weak crypto and bad methodology combination of using SHA-1 for hashing passwords without salting.

This paved an easy route for the cracking of the leaked database of passwords that has opened up a Pandora box of consequences.

Many important personalities have faced the backlash with their profiles being hijacked using the data retrieved. Markus Persson, Minecraft creator and Biz Stone, co-founder of Twitter are a few who have been affected. Their profiles have been hijacked by OurMine Team, a group of benign hackers according to Vice reports.

And reportedly black hats demanding money for the credential dump of LinkedIn have reduced their asking rate and instead used the media publicity garnered with the news of the data dump to push up sales.

All these observations notwithstanding, people still tend to make bad choices, when it comes to their passwords. The more important consideration here is the way the data has spread and how fast the passwords were cracked.


LinkedIn directive

While LinkedIn has sent emails to its members, not all of them have received it, and surprisingly a few nonmembers too have received the email.

Although LinkedIn has sent email notification to all the members who have been affected, it has not yet reached all those who have been members before the 2012 breach and were definitely affected by it.

As those members who do not have password hashes related to the breach information did not receive the emails, LinkedIn has probably been using the data that is exposed publicly rather than use the information from its member database that existed before 2012.

Or, it may be because emails had been sent to the people who have kept their passwords unaltered since 2012. If this happens to be true, than several people are using a password that is very much accessible publicly and are yet to be notified of the fact.


How secure is a reset

The communication to members by LinkedIn based on the information breach is unusual, and more so is the request made by LinkedIn to reset the password.

The current password of a user, which will most probably be part of the breached data, may be still active.

The user can login to the site using this password and so does some other person who is not the legitimate user, but had obtained the password. Thus it is possible to continue with the breached state.

LinkedIn had no other option, as just invalidating all the accounts affected totally would have created more complications. Thus LinkedIn had to choose the best of the bad choices, even if it is an unusual way to deal with the situation.

LinkedIn has further invalidated account passwords of all members who signed up before 2012 and have not yet updated their password.

While this statement is a bit confusing, LinkedIn may be trying to reset the emails of the people who have left their passwords unchanged, instead of using the passwords in any way.

But the fact remains that a hacker who had got hold of the password, before this message from LinkedIn, would still have control over the account.

And further compounding the matter is that other services where the password is being reused will still remain at risk.


Loss of data

The breach notification may also trigger on phishing incidents. Scammers may well take advantage of such happenings to get personal information from users.

The Heartbleed incident in 2014 is a stark example of how phishing emails prey on people who are expecting notifications on password reset.

LinkedIn CISO, Cory Scott who is handling the data dump situation is under flak for the way LinkedIn had handled security of user credentials.

But this is not an isolated situation. There are many others who bear the brunt of data breach of such a magnitude.

Leakedsource.com and haveibeenpwned.com are sites that allow users to know about whether their details appear in data dumps.

Leakedsource appears more sinister, as in contrast to the haveibeenpawned, it asks individuals requesting information to divulge more personal information to them to remove their details form the data dump.

And further they do not give any background details on their site and give access to the whole database where you can easily access details of others when you are a paid subscriber.

LinkedIn, aware of the activities of LeakedSource, has strongly reacted to the activities of the site resulting in the site stopping the availability of password information.

LinkedIn has demanded them to cease their activities failing which the site will have to contend with strong legal action.

Although such sites do not have any malicious intent, they need to restrict revealing sensitive data like credentials.

Similar distribution of breached data had occurred earlier after the 2013 Adobe breach, in the Ashley Madison website and the Election Commission information breach in Philippines, which had affected around 55 million people.


Is a solution in sight?

With such a huge breach of database, LinkedIn would have to take stronger measures, than what it is trying to do now.  For instance, it should evaluate its present risk exposure by cracking all of its users’ passwords.

And as mentioned, invalidating the passwords of all accounts would be the sensible solution. While changing passwords regularly is recommended by security experts, it has its own drawbacks.

Users tend to use predictable patterns, while the change passwords regularly. This makes it all the more easier for hackers to wreak havoc.

Thus manual changing of passwords is a useless, annoying and risky maneuver at the best.

So, you may ask what the solution for this situation is.


Password and website security

To tell the truth no definite solution for password security has emerged as of yet.

One proposal that has been considered is using fingerprint readings or a sort of smart card that offers sign on with multiple factors.

But since our devices and systems are not prepared for this change, it will take years to implement this.

Large websites like LinkedIn could establish a minimum standard for secure passwords just like you have for credit cards. For instance, using the word ‘password’ or ‘12345’ or any other easy to guess passwords could be banned.

Denying passwords that are alphanumeric, of minimum length or at risk to dictionary assaults etc. is a starting. While this may not solve the issue fully, it may at least be an improvement.

The BrowserID proposal by Mozilla that has a master password method may be a step towards better password security.

And users who get to bear most of the brunt, when their password is hacked would do well to demand more security of passwords. For instance, they can complain when a site lets them use ‘12345’ as password.

As of now LinkedIn has used a two-step verification through SMS, which does offer protection to some extent, but it does not offer the desired level of security.

It would serve websites well, if they took on comprehensive measures that secure not only the password policy, but also the entire website.

Some of the things that can be done are simple but yet powerful. These include

  • Update all scripts and platforms installed to patch any loopholes in the security
  • Enforce use of complex passwords with a minimum of ten characters that include numerals, uppercase and lowercase letters and a few special characters.
  • Use of SSL encryption to prevent access to private data and login credentials
  • Opt for a reputable and secure hosting service
  • Keep every plugin, application and database organized, so it is easy to know about the changes and delete the unused or old files.
  • Perform regular backups for all the files in your website
  • Scan the website regularly for security vulnerabilities
  • Hire a professional security service to ensure your website is free of vulnerabilities, to monitor malicious activities, handle repair securely and to perform regular security audits.

Keeping security tight and impenetrable is a foremost priority that a website should consider at all times.