
LinkedIn Data Breach Was Larger And Worse Than Consumers First Told. 117 Million Persons Affected

The 2012 data breach at LinkedIn.com was far larger and worse than originally thought. Motherboard reported:

"A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach... The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords."

So, the breach included 167 million records, affecting as many persons, not 6.5 million. And 117 million people are at risk now. To make matters worse, most of the password hashes have already been cracked, because of the weak way LinkedIn.com stored them:

"The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked. One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours..."

And, the incident cast doubt on both LinkedIn.com's breach detection methods and the response by the company's executives:

"... LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen. “We don’t know how much was taken,” Durzy told me in a phone call. The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store passwords in an insecure way..."
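The two quoted passages above describe the defect (SHA1 over the bare password, no salt) and the lesson (store passwords properly). The script below is an added illustration written for this post, not code from LinkedIn or Motherboard; the user records and the word list are constructed samples. It shows why an unsalted table falls so quickly: one precomputed hash per candidate word checks every account at once, and users who chose the same password get the same hash. The second half stores the same passwords with a per-user random salt and PBKDF2 from Python's standard library, so identical passwords no longer collide and each guess costs a full iterated computation per user.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records (username, password). Not real breach data.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("alice", "linkedin123"),
    ("bob", "password"),
    ("carol", "linkedin123"),  # same password as alice
    ("dave", "correct horse battery staple"),
]

# Constructed stand-in for a list of common or banned passwords.
COMMON_PASSWORDS: List[str] = ["123456", "password", "linkedin123", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The 2012-era scheme the post describes: SHA1 over the bare password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_unsalted(users: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Build a username -> unsalted SHA1 hash table."""
    return {name: unsalted_sha1(pw) for name, pw in users}


def audit_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Defender-side check of an unsalted table against a banned-password list.

    One hash per word serves every account: with no salt there is nothing
    per-user in the computation, so the lookup is a dictionary hit.
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    return {name: table[h] for name, h in stored.items() if h in table}


# Salted, iterated scheme using the standard library's PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def store_salted(users: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Build a username -> salted PBKDF2 record table."""
    return {name: hash_password(pw) for name, pw in users}


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("alice and carol share a hash:", weak["alice"] == weak["carol"])
    print("recovered from banned list:", audit_unsalted(weak, COMMON_PASSWORDS))

    strong = store_salted(SAMPLE_USERS)
    print("alice and carol share a record:", strong["alice"] == strong["carol"])
    print("verify alice:", verify_password("linkedin123", strong["alice"]))
```

Running the audit against the unsalted table recovers three of the four sample accounts from a four-word list in a single pass; against the salted table there is no shared lookup, and each verification is one PBKDF2 computation bound to that user's salt.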

LinkedIn released a statement yesterday. Relevant portions:

"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach... For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords... We're moving swiftly to address the release of additional data from a 2012 breach, specifically: We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach. We will let individual members know if they need to reset their password. However, regularly changing your password is always a good idea..."

Many people use the LinkedIn.com social site to network with professionals in their field and to find jobs. If you use the site, experts advise changing your password immediately and not reusing the same password at multiple websites.

Comments


Chanson de Roland

Thank God, that I only provided LinkedIn with my junk email address. And that explains why I have been getting a tremendous amount of fraudulent offers and emailed malware packages on that email address, though that has probably also been a result of the Home Depot mega breach.

There is no getting around it: The Internet is insecure, and the business model of the majority of its search, social media, and other service providers of providing services by taking, without fair and fully informed negotiation of a license from each user and the utter lack of the ability to bargain in a market with other alternatives, is morally repugnant and unjust and ought to be illegal, and it is manifesting the bad results of such an unjust and morally vile system, with, I fear, even worse results to follow for democracy, privacy, and misuse of our personal information.

So the Internet is insecure, and its dominant business model corruptly violates our privacy without our fairly negotiated consent to do so. And, after thus misappropriating our personal information, the incompetent scoundrels can’t even secure it against other thieves. It stinks to high heaven.

Chanson de Roland

An edit to correct an omission in the first sentence of paragraph two and to make another observation:

Thank God, that I only provided LinkedIn with my junk email address. And that explains why I have been getting a tremendous amount of fraudulent offers and emailed malware packages on that email address, though that has probably also been a result of the Home Depot mega breach.

There is no getting around it: The Internet is insecure, and the business model of the majority of its search, social media, and other service providers of providing services in exchange for taking our personal information, without fair and fully informed negotiation of a license from each user and the utter lack of the ability to bargain in a market with other alternatives, is morally repugnant and unjust and ought to be illegal, and it is manifesting the bad results of such an unjust and morally vile system, with, I fear, even worse results to follow for democracy, privacy, and misuse of our personal information.

So the Internet is insecure, and its dominant business model corruptly violates our privacy without our fairly negotiated consent to do so. And, after thus misappropriating our personal information, the incompetent scoundrels can’t even secure it against other thieves. It stinks to high heaven.

I wonder that our same personal information from so many sources doesn't begin to lose its value. It must be that Google and Facebook and their ilk's misappropriation of our personal information has greater value, because they have more comprehensive and at least significantly different data which they can subject to more sophisticated mathematical and psychological analysis to more definitely identify and more intimately know each of us. I don't have any other explanation for why such an excess supply of the same data does not fall in value, as it apparently has not. But mustn't this excess of our personal data fall in value one day in the not too distant future?
