LinkedIn Breach: Worse Than Advertised
Hacker Claims to Be Selling 117 Million Credentials Stolen in 2012 Breach
Note: This story has been updated with LinkedIn CISO Cory Scott's comments.
A data breach notification site says that nearly 170 million credentials appear to have been compromised in the 2012 breach of social networking site LinkedIn, which is a far cry from the 6.5 million that initially came to light. In fact, the quantity of credentials suggests that attackers obtained virtually every LinkedIn username and hashed password.
"LinkedIn.com was hacked in June 2012, and a copy of data for 167,370,910 accounts has been obtained by LeakedSource which contained emails only and passwords," according to a May 17 blog post from breach notification site Leaked Source, which charges a fee to subscribe.
"Passwords were stored in SHA1 with no salting. ... Only 117 [million] accounts have passwords and we suspect the remaining users registered using Facebook" or some other service, Leaked Source says, noting that it purchased the credentials for 5 bitcoins - currently worth $2,300 - on the dark web forum "The Real Deal" from a seller using the handle "Peace." It also claims that it's now cracked nearly all of the hashed passwords.
Leaked Source has shared 1 million of the passwords with Vice Motherboard, which reports that two of the users it contacted - after finding their details in the dump - confirmed that it correctly listed their 2012 LinkedIn passwords.
Troy Hunt, who runs the free "Have I Been Pwned?" service - which alerts users when their registered email addresses appear in public data dumps - says his initial review of samples of the data suggests that the dump is legitimate.
I've been verifying a portion of the alleged 167M record LinkedIn data breach. It's *highly* likely this is legit. More soon. — Troy Hunt (@troyhunt) May 18, 2016
LinkedIn didn't respond to a request for comment. Spokesman Hani Durzy told Motherboard that the company has been testing the credentials to see if they were genuine, and that it doesn't know if the 2012 breach was, in fact, limited to just the 6.5 million credentials that ended up on an underground password forum.
"We don't know how much was taken," Durzy said.
Later on May 18, meanwhile, LinkedIn CISO Cory Scott said the company will invalidate all passwords that haven't been changed since 2012. "We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven't updated their password since that breach," he said. "We will be letting individual members know if they need to reset their password."
LinkedIn said it's also begun legal action to attempt to get the password dump taken down, although by some accounts the data was stolen by a Russian cybercrime, meaning legal moves will probably have no effect. "We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply," Scott said. "In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts."
Breach Severity: Never Resolved
LinkedIn has never confirmed how many user credentials were compromised, or if it even knows. In 2012, the company did confirm that passwords had been stolen, and noted that it had failed to salt those passwords. Salting makes hashed passwords harder to crack: it refers to adding unique, additional information to each password before running it through a one-way cryptographic hashing algorithm, which produces a hash value that then gets stored and used to validate future password-entry attempts.
LinkedIn had also been using SHA1 to hash the passwords, which security experts have long warned is not fit for securing passwords.
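The storage difference described above, shown as an added example that is not part of the original article or LinkedIn's code: unsalted SHA1 gives every account with the same password the same stored value, while a per-user salt and a slow key-derivation function do not. The sample accounts are constructed, and the choice of PBKDF2-HMAC-SHA256 and its iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from any real dump); two share a password.
SAMPLE_USERS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "correct horse battery staple"),
]
ITERATIONS = 600_000  # assumed work factor for this example


def legacy_hash(password):
    """Unsalted SHA1, the scheme the article says was in use in 2012."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hardened_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hardened_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_hash_groups(stored_values):
    """Count stored values that appear for more than one account."""
    return sum(1 for n in Counter(stored_values).values() if n > 1)


def build_tables():
    """Store the sample passwords under both schemes."""
    legacy = [legacy_hash(pw) for _, pw in SAMPLE_USERS]
    hardened = [hardened_hash(pw) for _, pw in SAMPLE_USERS]
    return legacy, hardened


if __name__ == "__main__":
    legacy, hardened = build_tables()
    print("unsalted SHA1, values shared across accounts:", shared_hash_groups(legacy))
    print("salted PBKDF2, values shared across accounts:",
          shared_hash_groups(d for _, d in hardened))
```

With unsalted hashes, one recovered password exposes every account that stores the same value; with per-user salts each stored value has to be attacked separately, at the cost of the full work factor per guess.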
The LinkedIn breach came to light after a hacker posted 8 million hashed passwords to an underground forum, seeking help in cracking them. Of those passwords, 1.5 million appeared to have been stolen from dating website eHarmony - which confirmed "that a small fraction of our user base has been affected" - and the rest from LinkedIn. At the time, security experts advised all of LinkedIn's estimated 150 million users to change their passwords, since it was only a matter of time before any leaked password hashes could be cracked.
In the wake of the breach, LinkedIn promised to begin salting its passwords (see Why Are We So Stupid About Security?).
Breach Spawned Class-Action Lawsuit
The LinkedIn breach triggered a $5 million class-action lawsuit, which a judge dismissed in 2013. Unfortunately for the plaintiffs, they failed to provide evidence of injury coming out of the breach that was "concrete and particularized," as well as "actual and imminent," U.S. District Judge Edward J. Davila wrote in his decision (see Why So Many Data Breach Lawsuits Fail).
But LinkedIn did eventually pay $1.25 million to settle a different, consolidated lawsuit filed by customers who paid LinkedIn a fee for a premium subscription.
Pick Better Passwords
In the wake of the new LinkedIn breach-severity warning, security experts say it's a great time for users to revisit their password-picking practices. "If you didn't change your LinkedIn password after the 2012 hack - you really should change your password immediately," says independent information security consultant Graham Cluley in a blog post.
It should go without saying that users should always pick long, strong and unique passwords, especially because Leaked Source reports that of the list of 117 million email addresses and hashed passwords that it obtained, the top three passwords were "123456," "linkedin" and "password."
Top 20 password picks of 2012 LinkedIn users. Source: LeakedSource pic.twitter.com/NwCJEWf8h8 — Mathew J Schwartz (@euroinfosec) May 18, 2016