LinkedIn’s 2012 Data Breach – The Gift That Keeps Giving

Posted: May 25, 2016 in Security

“I love it when a plan comes together.”  – John ‘Hannibal’ Smith – The A team

The plan came together when I received an email after subscribing to Troy Hunt’s “Have I been pwned” website notifying me that my account (email address and password) was part of the recently made available LinkedIn 2012 data breach.

Chuck Talking Tech / by Chuck Bienenfeld

Full disclosure: I have been a fan of Troy’s since I started following his various security efforts, including his blog, website and online courses.  My interest in application security began a few years ago.  It was Troy’s excellent Pluralsight courses covering ethical hacking, protecting your web-based applications from hackers, and his anatomy of a hack that first brought him to my attention.

From his courses I started using his website to check for inclusion of my email address, and those of my family members, in any of the early reported data breaches.  It was after the Ashley Madison and Adult Friend Finder breaches, when Troy, rightfully so, implemented the email subscription notification, that I first subscribed.  And, as I opened this blog with, I received my first notification of my inclusion in a data breach.  From the email notification:

You’ve been pwned!

Breach: LinkedIn
Date of breach: 5 May 2012
Number of accounts: 164,611,595
Compromised data: Email addresses, Passwords

Description: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.

After getting more information about the breach from the “Security Now” host Steve Gibson, it appears that a hacker(s) has now released additional credentials from the breach, bringing the number of accounts for sale to almost 165 million.  It is confusing why time-sensitive data such as user IDs and passwords would be made available close to 4 years after the initial breach.

Something else that jumps out is the fact that around and prior to 2012 (and something that I hope was fixed quickly thereafter) LinkedIn did not appear to salt the password hashes.  This is why Troy reports that the vast majority of the passwords were quickly cracked.  According to reports cited by Steve Gibson, over 90% of the passwords were cracked in less than 72 hours.  To add a “salt” to a hash simply means adding a random string of characters to the password before running it through the hashing mechanism.  With a different salt for each account, the same password would have produced a different hash for every user, and the passwords would have taken longer to crack.
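The salting point above, as an added example that is not code from this post or from LinkedIn: it stores the same passwords once as bare SHA-1 and once with a random per-user salt, then counts how many hash computations a single password guess costs against each table. The account names and passwords are constructed, and PBKDF2-HMAC-SHA256 with 200,000 iterations is an assumed choice of slow hash that the post does not specify.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users chose the same password.
ACCOUNTS = {
    "alice@example.com": "linkedin123",
    "bob@example.com": "linkedin123",
    "carol@example.com": "S3parate!pw",
}

def unsalted_sha1(password):
    """Scheme the breach notice describes: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_record(password, iterations=200_000):
    """Random per-user salt plus a slow KDF (assumed: PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def build_tables(iterations=200_000):
    unsalted = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p, iterations) for u, p in ACCOUNTS.items()}
    return unsalted, salted

def matches_unsalted(table, guess):
    """One hash computation is checked against every stored value."""
    h = unsalted_sha1(guess)
    return sorted(u for u, stored in table.items() if stored == h), 1

def matches_salted(table, guess):
    """Every account needs its own KDF run because every salt differs."""
    hits = sorted(u for u, rec in table.items() if verify(guess, rec))
    return hits, len(table)

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("distinct unsalted hashes:", len(set(unsalted.values())))
    print("distinct salted digests: ", len({r[2] for r in salted.values()}))
    print("unsalted:", matches_unsalted(unsalted, "linkedin123"))
    print("salted:  ", matches_salted(salted, "linkedin123"))
```

In the unsalted table the two accounts sharing a password are visible as identical hashes before any guessing starts; in the salted table nothing links them, and the cost of each guess grows with the number of accounts.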

And final thoughts: if you have not already done so, please change your LinkedIn password as soon as possible.  This also applies to the password for any other site where the email address used for LinkedIn is also used.  This is one of the first attack vectors any bad actor will go after, since they have your email address and most likely a password you used, possibly more than once.
Link to LinkedIn’s Protecting Our Members blog
