The LinkedIn breach of 2012 turns out to have been a lot more serious than previously thought. At the time, researchers found almost 6.5 million leaked credentials belonging to site users; now the login credentials for more than 117 million LinkedIn accounts have been put up for sale online with an asking price of $2,200. The data includes email addresses together with passwords that were hashed without a salt, which makes them cheap to crack at scale. LinkedIn is working to invalidate the passwords of affected accounts that may still be in active use.
Following the news, various industry professionals have offered their thoughts on the breach.
Lisa Baergen, director at NuData Security:
“I sound like a broken record, but here we are again. Just as consumers start to feel secure, news of yet another breach hits the wire. No matter how long it takes to come out, the bottom line is that you have to stop thinking “what IF” and accept that it should be seen as “WHEN”…
Although usernames and passwords can be changed, victims of a breach need to understand that every bit of information exposed is important and may sit dormant for some time, but will be sold in packages on the dark web and compiled to build out solid profiles of your online IDENTITY. Fraudsters are learning that information coupled from various breaches can create more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, more fraud can take place.
As an example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Where credit card fraud was all the rage a couple of years ago, it is account takeover and new account fraud that is on the dramatic rise. We saw in our own database of billions of behavioural events annually a 10% month-over-month increase in new account fraud.
Fortunately, there are steps that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device – and know and trust it is not the hacker using all of our identity information online.
User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non-intrusive way to us, the consumers. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with our legitimate information ripped from all these breaches. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the IDENTITY of the user behind the device.
Good luck hackers; you can keep stealing our data, but we are going to make this data invaluable to you, and you can’t steal my behaviours!”
Rob Sobers, director at Varonis:
“The LinkedIn breach goes to show how a single significant breach can come back to haunt a business (and its customers) again and again. It also highlights just how in-the-dark companies typically are after a breach. After a breach occurs we usually see a statement claiming that the security team has “isolated the affected systems,” but seasoned security researchers know that far too often the scope and severity of a breach is indeterminable due to a lack of comprehensive monitoring and logging.”
Toni Gidwani, director of research at ThreatConnect Inc:
“What we are likely seeing here is the long tail of the 2012 LinkedIn breach. The good news is that basic security practices, such as not reusing passwords across different sites and leveraging two-factor authentication whenever possible, are an effective way to both prevent unauthorized access to your accounts and to limit the possible contagion when breaches occur.
The long lag time between the breach and passwords now appearing for sale suggests the data has already been mined for other nefarious purposes. LinkedIn, with its rich context of professional networks, is a gold mine for adversaries looking to social engineer targets for future attacks. Which are you more likely to open: an email from a Nigerian prince? Or a link in an article sent by someone you’ve worked with for years? Four years after the fact, the breached data set still has some nominal monetary value, which is why it’s for sale for only a handful of bitcoin. But the trickier question is figuring out who has been exploiting the breached data for the last four years and to what end.”
Simon Crosby, CTO and co-founder at Bromium:
“LinkedIn has had an awful record of securing their service, and this appears to be another confirmation that they operate without due care for the valuable information they curate. I recommend that users be very cautious of using the service because attackers will use compromised accounts to launch other attacks. Change your password now.”
Ross Brewer, managing director of EMEA at LogRhythm:
“This is a perfect example of why it is so important to have full monitoring and response capabilities across corporate networks so that breaches can be identified, evaluated and stopped immediately. Without this, businesses are running blind. We now know that millions of passwords weren’t refreshed at the time of breach in 2012, which means hackers have had their hands on a lot of passwords for a long time. With so many people still using the same passwords for multiple online accounts – despite advice to the contrary – this could have potentially put many of their other online accounts and portals at risk.
“The fact that LinkedIn was breached is neither a new nor surprising story – what matters is that today’s hackers are so sophisticated in their methods that they will get in, but they can be stopped. What is worrying is that it took four years to fully understand the magnitude of this attack – and that only came to light when hackers decided to sell. With the EU GDPR coming into effect soon, businesses will be forced to report all breaches within a defined notification window, which means they cannot afford to make an underestimation as big as this. It’s crucial businesses use security intelligence so that they have full visibility into the extent of a breach as soon as it happens. Rapid detection is required to identify anomalous activity before it leads to a damaging data breach. Once this activity has been detected, organisations need to respond quickly, and often automatically, to diminish the threat and reduce any risk to major information assets.”
Liviu Itoafa, security researcher at Kaspersky Lab:
“The reports of further LinkedIn users’ passwords being sold online, following a hack four years ago, demonstrate the need for businesses to consider security procedures before a data breach forces them to – prevention is always better than cure. Customers that entrust their private information to an online provider should be able to rest safely in the knowledge it is kept in a secure manner, and all companies who handle private data have a duty to secure it.
In this particular case, the leaked data contains e-mail addresses and associated unsalted password hashes. Cybercriminals have the opportunity to use this information to steal personal identities or more. Unfortunately, once a breach of this nature has occurred, there is not much that can be done about the leaked data. While LinkedIn has taken the precaution of invalidating the passwords of the accounts impacted, and contacting those members to reset their passwords, the chances are that many will use the same password across multiple online accounts. So it’s important that LinkedIn users take steps to change the password for other online accounts where they have used the same password.
Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures businesses can take in order to protect their customers’ information, including obscuring (hashing and salting) customer passwords, which it appears LinkedIn did not have in place. The best way for organisations to combat cyber-attacks is at the beginning, by having an effective cyber-security strategy in place before the company becomes a target.”
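The difference between the unsalted hashes Itoafa describes and properly salted ones is easier to see in code. The following is an added example written for this page, not code from the article, from LinkedIn or from any vendor quoted here. It assumes unsalted SHA-1 for the weak scheme (the hash widely reported for the 2012 dump; treated here as an assumption) and PBKDF2-HMAC-SHA256 with a per-user random salt for the hardened scheme. The user records and wordlist are constructed for the example. It shows two things a single sentence cannot: with an unsalted fast hash the attacker builds one lookup table and cracks every account for the price of one pass over the wordlist, and users sharing a password are visible at a glance because their digests match; with a salt and a slow KDF every (user, candidate) pair costs a separate KDF run and identical passwords no longer produce identical digests.

```python
import hashlib
import hmac
import os

# Constructed sample records for the example (invented, not data from the breach).
# Two users share a password; one uses a password that is not in the wordlist.
SAMPLE_USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "password1",
    "carol@example.com": "linkedin",
    "dave@example.com": "Xq7!v9#kLm2$pR",
}

# A tiny constructed wordlist; real cracking runs use dictionaries of
# hundreds of millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "linkedin", "password1", "qwerty"]

# ---- Weak scheme: unsalted, fast hash (SHA-1 assumed for the 2012 dump) ----

def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def store_unsalted(users: dict) -> dict:
    """What a site stores under the weak scheme: email -> hex digest."""
    return {email: unsalted_sha1(pw) for email, pw in users.items()}

def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Build the digest->word table once, then every account is a dict lookup.
    Work is len(wordlist) hash computations no matter how many users leaked,
    and users who share a password share a digest, so one hit cracks them all."""
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {email: table[h] for email, h in stored.items() if h in table}
    return cracked, len(wordlist)

# ---- Hardened scheme: per-user random salt plus a deliberately slow KDF ----

# Kept small so the example runs instantly; production deployments use far more.
ITERATIONS = 2_000

def salted_kdf(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store_salted(users: dict) -> dict:
    """email -> (salt, iterations, digest). The salt is not secret, only unique."""
    out = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        out[email] = (salt, ITERATIONS, salted_kdf(pw, salt, ITERATIONS))
    return out

def verify_salted(record: tuple, candidate: str) -> bool:
    salt, iterations, digest = record
    # Constant-time comparison so verification does not leak digest prefixes.
    return hmac.compare_digest(digest, salted_kdf(candidate, salt, iterations))

def crack_salted(stored: dict, wordlist: list) -> tuple:
    """No shared table is possible: each (user, word) pair costs a full KDF run."""
    cracked, work = {}, 0
    for email, record in stored.items():
        for w in wordlist:
            work += 1
            if verify_salted(record, w):
                cracked[email] = w
                break
    return cracked, work

if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("unsalted, alice and carol share a digest:",
          weak["alice@example.com"] == weak["carol@example.com"])
    print("unsalted cracked (accounts, hash computations):", crack_unsalted(weak, WORDLIST))
    strong = store_salted(SAMPLE_USERS)
    print("salted, alice and carol share a digest:",
          strong["alice@example.com"][2] == strong["carol@example.com"][2])
    print("salted cracked (accounts, KDF runs):", crack_salted(strong, WORDLIST))
```

Against the constructed data the unsalted run recovers three of four accounts with five hash computations in total, while the salted run recovers the same three but needs one KDF evaluation per candidate per user (15 here), and that cost scales linearly with the number of leaked users and with the iteration count. The salt also stops an attacker from spotting, before cracking anything, which accounts share a password.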
Rob Norris, Director of Enterprise & Cyber Security in EMEIA at Fujitsu:
“The fact that hackers have revealed details of 117 million LinkedIn users, including passwords and user IDs, highlights the value of personal data, even years after a data breach has taken place. Cyber criminals are entrepreneurial, well-resourced and motivated, and this once again demonstrates how capable hackers are in getting what they want. It also highlights how organisations need to be wary of attacks, as damage could be far greater than they may realise.
“Because of this, it’s vital both consumers and organisations take a proactive approach when it comes to security. Organisations need to focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with today’s advanced cyber threats. There must also be a clear and well-rehearsed crisis management plan for a breach, addressing internal and external communication. As well as this, consumers need to ensure they use different passwords for different applications and are aware of the security risks when using payment information. Consumers should consider two-factor authentication alternatives, such as facial, voice, iris, palm and fingerprint biometrics, so that these passwords are rendered useless on their own, for an additional layer of protection.”
David Kennerley, senior manager for threat research at Webroot:
“It’s no secret that LinkedIn is a rich pool of data and there’s no doubt this made it an extremely attractive target for the hacker. Although some steps to mitigate the problem such as resetting passwords of affected accounts were taken by LinkedIn at the time of the initial breach in 2012, the inability to accurately predict the scale of the problem has resulted in far more users being affected than should have been.
“In today’s threat landscape, users can never just rely on organisations to keep their personal details safe – they must take as many steps as possible to secure it themselves. In this case, ensuring that the password used for LinkedIn is different to other accounts is crucial. This will limit the potential impact on other accounts, including email which can lead to other more sensitive information being stolen.”
Brian Spector, CEO at MIRACL:
“Besides causing a major headache for LinkedIn, this hack demonstrates how data theft and identity fraud are a multi-billion dollar business on the dark web, and so consumers must be vigilant. In truth, passwords are a relic from a bygone age, and they simply don’t provide adequate protection for the volume of information we all store and access online today. They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks.
But we don’t have to give in to these weekly announcements about mass data breaches. Customers are rightly demanding to be protected when they submit their valuable personal information on the web, and online services need to respond appropriately by replacing the password with more rigorous authentication technologies.
“For now, anyone with a LinkedIn account should change their password, not only for this account but also for any other website where they may have used the same password. But unfortunately, the truth is that most of us probably already have some sort of private information floating around on the dark web and as long as we use this outdated username and password system, we will be reading a lot more of these headlines.”
Lee Munson, Senior Researcher at Comparitech.com:
“With a breach from years ago resurfacing to show a much bigger compromise, this should serve as a reminder to web users that data breaches can affect them even years after the event. In turn, this should encourage people to be more vigilant with their online accounts, ensuring they regularly change passwords and use different ones for each site to avoid all of their accounts being simultaneously compromised.
“Nonetheless there will be many web users who will not ramp up their personal security in this way – but there are options such as password managers or setting up automatic reminders that can help this kind of user keep on top of their security. In a web where multiple options are on offer, it’s about each web user finding a means of keeping passwords unique and hard to guess, but manageable for everyday use, that works best for them – it’s not a one-size-fits-all thing!
“Looking at the wider implications of the breach, the fear should be that this opens up a path of communication between criminals and CEOs, who can be sent personal messages from their connections. With access to high-profile LinkedIn accounts, cyber criminals can begin deploying social engineering tactics to the decision makers and executives who have the power to make the hackers very rich indeed.
“Furthermore, people’s working histories, if accessible to criminals, can pose a major risk in terms of spoofing and undermining people’s security by having such an in-depth portrait of the person’s history. What’s more, lots of people have hidden elements on their LinkedIn profiles, only visible to a few trusted connections, knowledge of which could enable intruders to carry out certain kinds of illegal activity. We’ll have to wait and see if and how this LinkedIn data is exploited by whomever buys it.”