Four-year-old LinkedIn IDs go up for sale online
Cast your mind back to 2012 and the LinkedIn hack that had the grown-ups' social network scurrying to advise its users to change their passwords.
It was thought at the time that the 6.5 million sets of credentials posted on a Russian password forum were the extent of the breach. However, four years on, a hacker going by the name 'Peace' is offering for sale a database of millions more LinkedIn accounts.
The data on offer includes the email addresses, plus hashed -- and in some cases already cracked -- passwords of 117 million users. Details of the sale, which is said to be advertised on at least two hacking sites, were first revealed by the Motherboard.com site.
Aside from the immediate threat to users' details, this raises questions about why LinkedIn underestimated the size of the breach in the first place. If it suspected that a larger number of accounts had been compromised, it really should have forced a reset of all passwords across the site back in 2012.
"There needs to be a sense of heightened security every day when it comes to cyberattacks and thinking passwords could be stolen," John Peterson, vice president of enterprise products at cyber security company Comodo told BetaNews. "Consumers, small businesses and large enterprises all need to understand that criminals have established, working organizations with paid hackers, spammers and phishing experts who think of ways to steal and leverage passwords, bank records, social security numbers, company trade secrets and data, and credit card and financial data every minute of every day. Only with end to end security that takes into account issues like endpoint, breach detection and secure web gateways can companies of all sizes look to beat the cybercriminal at their own game".
This is echoed by Brett McDowell, executive director of the FIDO Alliance, the cross-industry organization creating open standards for simpler, stronger authentication. "With these password breach stories, people tend to focus on the wrong issues; hashing, salting and password resets. With over a billion stolen passwords reportedly in circulation already, our industry doesn't need better password breach remediation practices, it needs a better authentication system -- a post-password system that uses private key cryptography instead of password 'shared secrets' so there aren't account credential 'secrets' sitting in server databases to get breached in the first place".
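The contrast McDowell draws can be made concrete by looking at what a breached server table actually gives an attacker in each model. The following is an added example, not code from the article, from LinkedIn or from the FIDO Alliance: it puts a salted password verifier (PBKDF2) next to a toy Schnorr challenge-response login where the server holds only a public key. With the password scheme, the leaked row is all that is needed to test candidate passwords offline; with the public-key scheme, the leaked row is useless for logging in because the response requires the private key that never left the user's device. The group parameters (p = 1019, q = 509, g = 4) and the sample credentials are constructed for illustration and far too small for real use.

```python
import hashlib
import hmac
import os
import secrets

# ---- Password ("shared secret") authentication ------------------------------
# The server never stores the password itself, but it must store a verifier
# derived from it.  Anyone holding a leaked row can run the same check offline.
PBKDF2_ROUNDS = 100_000


def enroll_password(password: str) -> dict:
    """Server side: derive and store a salted verifier for the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(record: dict, candidate: str) -> bool:
    """Compare a candidate against a stored record.  This needs nothing but the
    record itself, so a breached table is a guess-checking oracle."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


# ---- Public-key authentication (Schnorr identification) ---------------------
# Toy group (constructed): p = 2q + 1 with p = 1019, q = 509; g = 4 generates
# the order-q subgroup.  Real deployments use 256-bit curves or much larger primes.
P, Q, G = 1019, 509, 4


def enroll_key():
    """User device: generate private key x; the server is handed only y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class KeyHolder:
    """The legitimate user: holds x, which never leaves the device."""

    def __init__(self, x: int):
        self.x = x
        self.r = None

    def commit(self) -> int:
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)            # t = g^r

    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % Q    # s = r + c*x


class Impostor(KeyHolder):
    """Someone holding only the breached server record (the public key y),
    trying to use it in place of the private key."""

    def __init__(self, leaked_pubkey: int):
        super().__init__(leaked_pubkey)


def verify(pubkey: int, t: int, c: int, s: int) -> bool:
    """Server side: accept iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(pubkey, c, P)) % P


def authenticate(pubkey: int, party, c=None) -> bool:
    """One challenge-response round: commit, nonzero challenge, respond, verify."""
    t = party.commit()
    if c is None:
        c = secrets.randbelow(Q - 1) + 1
    s = party.respond(c)
    return verify(pubkey, t, c, s)


if __name__ == "__main__":
    pw_record = enroll_password("correct horse battery")      # constructed sample
    print("password: real login ->", check_password(pw_record, "correct horse battery"))
    # The same call works for whoever holds the leaked row; no server involved.
    print("password: leaked row tests a guess ->", check_password(pw_record, "letmein"))

    x, y = enroll_key()
    server_record = {"pubkey": y}                             # all the server keeps
    print("pubkey: real login ->", authenticate(server_record["pubkey"], KeyHolder(x)))
    print("pubkey: impostor with leaked record ->",
          authenticate(server_record["pubkey"], Impostor(y)))
```

The password half shows why resets and rehashing are damage control rather than prevention: the stored verifier is still something an attacker can attack once it leaks. The public-key half shows the property McDowell is after, namely that the record the server holds is not a secret at all, so a copy of it gives the attacker no way to pass the challenge.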
In the meantime if you're on LinkedIn and you didn't change your password after the 2012 breach you should almost certainly do so now. Two-factor authentication is now available on LinkedIn too so enabling that wouldn't do any harm either.