117 million LinkedIn email credentials found for sale on the dark web

The 2012 LinkedIn data breach may be the breach that just keeps on giving with the news that 117 million customer email credentials originating from that hack were found for sale on the dark web.

The 117 million credentials come from a larger 167 million data dump of accounts that were supposedly grabbed when LinkedIn was breached in 2012.

The 2012 LinkedIn data breach may be the breach that just keeps on giving with the news that 117 million customer email credentials originating from that hack were found for sale on the dark web, prompting the professional social network to invalidate the account passwords.

The initial story came from Motherboard, which reported it was contacted by someone going by the name “Peace” who said he was selling the data set on an illegal marketplace called The Real Deal for five Bitcoins, or about £1,500. The 117 million credentials come from a larger 167 million data dump of accounts that were supposedly grabbed when LinkedIn was breached in 2012.

“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” Cory Scott, LinkedIn CIO, said in a blog post, adding the customers impacted will be contacted.

At the time of the 2012 incident, which was believed to have impacted about six million accounts, LinkedIn required a mandatory password reset for the accounts it believed were compromised.

Amit Ashbel, Checkmarx director of product marketing and cyber security evangelist, said LinkedIn's poor handling of its customers' data four years ago led directly to today's situation.

“LinkedIn could have definitely prevented the impact of this breach four years ago if they were using strong encryption techniques. That might not have prevented the breach itself but the data would be of much less use,” he told SCMagazine.com in an email.

The data up for sale did not include payment card information or Social Security numbers, but even email addresses can have value to a criminal, particularly one willing to put in the time and effort to tie these data points to others that can be found on the web.

“The most valuable data in the LinkedIn compromise may not be the passwords at all, but the enormous registry of email addresses connected to working professionals. Spammers rely on accurate, active email addresses to target, and the low price tag of five Bitcoin is likely to generate significant interest from today's spam industry,” Rapid7's Tod Beardsley, security research manager, told SCMagazine.com in an email.

Adam Levin, chairman and founder of IDT911, said users are also to blame for making something as innocuous as an email password so valuable.

“Email address and passwords are at the foundation of our digital identities, as they typically contain a name and/or number significant to you, such as your birthday or address. These become tiny breadcrumbs that hackers can piece together to access even more sensitive information,” he said, adding that the public's general refusal to come up with new passwords means one can be used to hack into multiple accounts.

Making a bad situation worse for LinkedIn and its customer base is that even this latest revelation may not be the end of the story that started with the 2012 data breach. Ashbel noted that it is a common practice among hackers to hold back some information from a hack, sort of like using the data to create an annuity for the criminal.

“The fact that these are now being sold online indicates to me more than anything else that the hacker needs cash and now is the time to pop out that old stash and sell to the highest bidder,” he said.

In an email to SCMagazineUK.com, David Kennerley, senior manager for threat research at Webroot, commented: “Although some steps to mitigate the problem such as resetting passwords of affected accounts were taken by LinkedIn at the time of the initial breach in 2012, the inability to accurately predict the scale of the problem has resulted in far more users being affected than should have been.

“In today's threat landscape, users can never just rely on organisations to keep their personal details safe – they must take as many steps as possible to secure it themselves. In this case, ensuring that the password used for LinkedIn is different to other accounts is crucial.”  

Trent Telford, CEO at Covata, agrees, telling SCMagazineUK.com: “It's common knowledge that consumers tend to use similar – or indeed, the same – passwords and usernames across a number of sites. It's also concerning that LinkedIn underestimated the scale of this breach and points to the need for better investigative tools once a breach happens.

“What's more, while the passcodes were protected with a level of encryption, it's clear that this was nowhere near robust enough to properly protect user details. Arguably, what is the point of encrypting something, if you don't know who or why you are giving a key to someone? This is why verifying identity and creating stringent policies should be cornerstones in enterprise encryption strategies.”

Liviu Itoafa, security researcher at Kaspersky Lab, concurs, telling SCMagazineUK.com in an email: “While LinkedIn has taken the precaution of invalidating the passwords of the accounts impacted, and contacting those members to reset their passwords, the chances are that many will use the same password across multiple online accounts. So it's important that LinkedIn users take steps to change the password for other online accounts where they have used the same password,” adding, “...there are also other measures businesses can take in order to protect their customers' information including obscuring (hashing and salting) customer passwords which it appears LinkedIn did not have in place.”

Dave Worrall, CTO of Secure Cloudlink, concludes that passwords are no longer fit for purpose, telling SC in an email: “The Internet itself presents an obstacle by providing the concept of an ID and password security system very early on, but not the necessary encryption needed to protect it. Designs that were suitable a decade ago have simply not been updated to accommodate today's increasingly digital environment. Instead of trying to find better solutions, the IT industry has continued to operate under a system of password proliferation across multiple, often incompatible systems. The time is now right to rethink the entire concept of the password, for the buck not stopping with end users, and for a paradigm shift in thinking.” 
