How LinkedIn’s Data Breach and Password Exposure Increase Your Third Party Risk
In 2012, various news reports announced that LinkedIn had suffered a data breach. Initial estimates put the number of leaked password hashes at 6.5 million, and LinkedIn’s own blog announced that it would contact members with compromised accounts to reset their passwords. News outlets encouraged all users to change their passwords just to be sure, and months later it seemed like the worst was over for LinkedIn.
The initial 6.5 million estimate ballooned to over 100 million in 2016, when it was reported that a hacker using the handle ‘Peace’ was selling user account and password data on a dark web marketplace. LinkedIn addressed the issue on its blog once more, taking the same action of contacting affected members and invalidating their passwords. As more details and reports surfaced, LinkedIn went further and invalidated the passwords of ALL accounts created before the 2012 breach that had not been changed since. LinkedIn maintains that this new batch of data came from the 2012 breach and is not the result of a new breach.
Because of the scale of the breach, along with the other unfortunate factors described below, it will have ongoing consequences for LinkedIn users as well as for many other companies’ employees and clients.
Ongoing Problem With Leaked Passwords
The biggest danger with LinkedIn’s data breach, noted in the initial reporting of the 2012 attack, was that LinkedIn stored passwords as unsalted SHA-1 hashes. A salt is a random string, generated per user, that is combined with the password before it is hashed. Salting ensures that two users with the same password get different hashes, so an attacker cannot crack one hash and immediately unlock every account sharing that password, and it defeats precomputed (rainbow) tables. Without salts an attacker hashes each candidate password once and compares the result against every hash in the dump at the same time; with salts the same guess has to be recomputed separately for every user. A salt alone does not make any single guess slower to test, however: that requires a deliberately slow password hash such as bcrypt, scrypt or PBKDF2, and a fast hash like SHA-1 stays fast even when salted.
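The difference between the three storage choices above can be measured directly. The following Python script is an added example, not code from the original article or from LinkedIn: the users, passwords and wordlist are constructed, and it counts how many hash operations a dictionary attack needs against an unsalted dump versus a salted one, then shows a salted, slow PBKDF2 store for comparison.

```python
"""Added example (not from the original article): why unsalted fast hashes
crack so quickly. Users, passwords and the wordlist below are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample of users; three of them share the same weak password.
USERS = {
    "alice": "123456",
    "bob": "linkedin",
    "carol": "123456",
    "dave": "p455w0rd",
    "erin": "123456",
}

# Constructed stand-in for a cracking dictionary.
WORDLIST = ["password", "123456", "linkedin", "qwerty", "p455w0rd"]


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1, the scheme LinkedIn used in 2012."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Same fast hash, but mixed with a per-user random salt."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def distinct_unsalted_hashes(users: dict[str, str]) -> int:
    """Unsalted: identical passwords collapse to identical hashes, so the
    attacker can see who shares a password before cracking anything."""
    return len({unsalted_sha1(pw) for pw in users.values()})


def distinct_salted_hashes(users: dict[str, str]) -> int:
    """Salted: every user gets a unique hash even with identical passwords."""
    return len({salted_sha1(pw, os.urandom(16)) for pw in users.values()})


def crack_unsalted(hashes: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Each candidate is hashed ONCE and compared with every hash in the dump,
    so the work is amortised across all users. Returns (cracked, hash ops)."""
    by_hash: dict[str, list[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    cracked: dict[str, str] = {}
    work = 0
    for candidate in wordlist:
        work += 1
        for user in by_hash.get(unsalted_sha1(candidate), []):
            cracked[user] = candidate
    return cracked, work


def crack_salted(records: dict[str, tuple[bytes, str]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """With per-user salts every candidate must be recomputed for every user;
    the cost scales with users x wordlist instead of wordlist alone."""
    cracked: dict[str, str] = {}
    work = 0
    for user, (salt, h) in records.items():
        for candidate in wordlist:
            work += 1
            if salted_sha1(candidate, salt) == h:
                cracked[user] = candidate
                break
    return cracked, work


# What a site should store instead: a salted, deliberately slow password hash.
PBKDF2_ROUNDS = 200_000


def store_password(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def demo() -> tuple[int, int]:
    """Returns (hash ops to crack the unsalted dump, ops for the salted dump)."""
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted: dict[str, tuple[bytes, str]] = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        salted[u] = (salt, salted_sha1(p, salt))
    _, ops_unsalted = crack_unsalted(unsalted, WORDLIST)
    _, ops_salted = crack_salted(salted, WORDLIST)
    return ops_unsalted, ops_salted


if __name__ == "__main__":
    print("distinct unsalted hashes:", distinct_unsalted_hashes(USERS), "of", len(USERS))
    print("hash operations (unsalted, salted):", demo())
```

With five users and a five-word list the unsalted dump falls to 5 hash operations while the salted one needs 14; at LinkedIn's scale the gap is the whole dump's worth of users, and only the PBKDF2 variant makes each of those operations expensive.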
Unfortunately, because the hashes were unsalted, the passwords were cracked quickly, which led to a number of discoveries. Sophos published a blog post noting that common passwords included ‘linkedin’, ‘linkedinpassword’, ‘p455w0rd’ and ‘redsox’. Ironically, other commonly used terms were ‘sophos’, ‘mcafee’, ‘symantec’ and other technology and security-related words. Troy Hunt noted that over 1.1 million users had the password ‘123456’.
Easy-to-guess passwords are a problem in LinkedIn’s case for several reasons. Password reuse is common among internet users: a Telesign study last year found that 73 percent of online accounts use duplicated passwords. With so many easy-to-guess passwords in circulation, a malicious actor who obtains only the email address associated with a LinkedIn account can try to log into other services with that email and a guessed (or cracked) password.
This is what happened to Mark Zuckerberg when his social accounts were hijacked: his LinkedIn password ‘dadada’ was tried elsewhere, successfully. GitHub experienced a similar attack, noting that unauthorized login attempts were being made against a large number of GitHub.com accounts using a list of email addresses and passwords obtained from other compromised online services, an attack commonly called credential stuffing.
There is, however, another consequence of the breach that is only possible because of the sheer volume of data leaked.
As Jeremi Gosney, founder and CEO of the password-cracking firm Sagitta HPC, explained in Ars Technica, cracking one set of passwords yields analytical information about the words and patterns people actually choose, which makes it easier to crack more passwords, which in turn makes future cracking easier still, in an ‘endless feedback loop.’ He notes that, combined with the processing power now available, LinkedIn’s data dump is a kind of password bible that will allow ‘hackers to be 6 times better [at] cracking future data dumps.’
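The GitHub attack has a recognisable shape in login logs: one source walking through many distinct accounts with a high failure rate, and the occasional success where a password was reused. The following Python detector is an added example, not GitHub's or the article's own code; the log format, the sample lines and the thresholds (five distinct accounts, at least half failures) are all constructed for illustration.

```python
"""Added example (not from the original article): spotting a credential-stuffing
run in web login logs. The log lines and thresholds below are constructed."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample log lines: 203.0.113.7 walks a leaked email/password list,
# 198.51.100.4 is an ordinary user who mistypes once and then logs in.
SAMPLE_LOG = """\
2016-06-14T10:00:01Z src=203.0.113.7 user=alice@example.com result=fail
2016-06-14T10:00:02Z src=203.0.113.7 user=bob@example.com result=success
2016-06-14T10:00:03Z src=203.0.113.7 user=carol@example.com result=fail
2016-06-14T10:00:04Z src=203.0.113.7 user=dave@example.com result=fail
2016-06-14T10:00:05Z src=203.0.113.7 user=erin@example.com result=fail
2016-06-14T10:00:06Z src=203.0.113.7 user=frank@example.com result=fail
2016-06-14T10:05:00Z src=198.51.100.4 user=alice@example.com result=fail
2016-06-14T10:05:20Z src=198.51.100.4 user=alice@example.com result=success
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

# Constructed thresholds: a single source trying many distinct accounts with
# mostly failures is the signature of a list being replayed against the site.
MIN_DISTINCT_USERS = 5
MIN_FAIL_RATIO = 0.5


def parse(log: str) -> list[dict[str, str]]:
    """Extract (src, user, result) from each line; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing(log: str) -> dict[str, set[str]]:
    """Returns {'sources': flagged source IPs, 'reset': accounts the flagged
    sources logged into successfully, i.e. reused passwords to reset now}."""
    users_by_src: dict[str, set[str]] = defaultdict(set)
    fails: dict[str, int] = defaultdict(int)
    total: dict[str, int] = defaultdict(int)
    successes: dict[str, set[str]] = defaultdict(set)
    for ev in parse(log):
        src, user, result = ev["src"], ev["user"], ev["result"]
        users_by_src[src].add(user)
        total[src] += 1
        if result == "fail":
            fails[src] += 1
        else:
            successes[src].add(user)
    flagged = {
        src for src in total
        if len(users_by_src[src]) >= MIN_DISTINCT_USERS
        and fails[src] / total[src] >= MIN_FAIL_RATIO
    }
    reset: set[str] = set()
    for src in flagged:
        reset |= successes[src]
    return {"sources": flagged, "reset": reset}


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The successful login from a flagged source is the important output: that account's password was reused from a breach and should be reset immediately, which is the proactive step GitHub, Citrix and LogMeIn took. In production the same counters would be kept per source over a sliding window rather than over a whole file.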
Why This Breach Will Impact Your Organization
For enterprise organizations this means that both your customers and your employees are now attack vectors that can be exploited using the information from the LinkedIn breach. Vigilance is essential after any data breach, because hashes will be cracked faster than ever. As soon as a leak or breach is announced, you and your employees should act immediately to mitigate the risk. Companies such as GitHub, Citrix and LogMeIn have already proactively reset affected customer passwords to shut out malicious actors, and the same should be done for at-risk employee accounts.
How Companies Can Protect Themselves
While data breaches and leaked credentials pose a high risk to individuals, they pose an even greater risk to companies. Here is what you should do to prevent further consequences for your company from the LinkedIn data breach.
- Have every employee who created a LinkedIn account before 2012 change their LinkedIn password.
- If the email address on the LinkedIn account is also used on other accounts, change the email address on those accounts where possible; where that is not possible, change the password on any account whose password is the same as the LinkedIn one.
- Have employees remove corporate email addresses from all non-essential accounts.
- If it is not already in place, require two-factor authentication on all employee accounts.
- Run employee awareness training that warns against using corporate email addresses for personal services, choosing simple passwords, and reusing passwords across platforms and accounts.
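The password-change steps above are only effective if the replacement password is not itself in a leaked corpus. The following Python check is an added example, not code from the article or from the SecurityScorecard platform: it rejects a new password that appears in a leaked-credential set without ever sending the full password or its full hash to the lookup service, using the SHA-1 prefix k-anonymity scheme (the real Pwned Passwords range API has the same five-hex-character prefix shape, but the `server_range` function and the `LEAK_DB` corpus here are local, constructed stand-ins).

```python
"""Added example (not from the original article or the SecurityScorecard
platform): rejecting a new password found in a leaked-credential corpus,
using SHA-1 prefix k-anonymity so the full hash never leaves the client.
LEAKED / LEAK_DB / server_range are constructed stand-ins for a corpus service."""
import hashlib

# Constructed leaked-password corpus, held server-side as upper-case SHA-1 hex.
LEAKED = ["123456", "linkedin", "linkedinpassword", "p455w0rd", "redsox", "dadada"]
LEAK_DB = {hashlib.sha1(p.encode()).hexdigest().upper() for p in LEAKED}

PREFIX_LEN = 5  # 5 hex chars = 20 bits; the server learns nothing more


def server_range(prefix: str) -> list[str]:
    """Server side: given a hash prefix, return the SUFFIXES of every leaked
    hash sharing it. The server sees only the prefix, never the password."""
    prefix = prefix.upper()
    return sorted(h[PREFIX_LEN:] for h in LEAK_DB if h.startswith(prefix))


def is_leaked(password: str) -> bool:
    """Client side: hash locally, send only the first 5 hex chars, and match
    the returned suffixes against the remainder of the local hash."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in server_range(prefix)


def check_new_password(password: str, min_len: int = 12) -> tuple[bool, str]:
    """Policy check to run when an employee sets or rotates a password.
    min_len is an assumed policy value, not one from the article."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if is_leaked(password):
        return False, "appears in a leaked-credential corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["dadada", "linkedinpassword", "correct-horse-battery-staple-2016"]:
        print(candidate, "->", check_new_password(candidate))
```

Run the check at password-set time for employee accounts and in the signup and reset flows of customer-facing services; because only a 20-bit prefix is transmitted, the lookup can be done against a third-party corpus without disclosing the candidate password.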
Corporate accounts should not be tied to any service that is not needed for the business; that keeps the amount of corporate information exposed elsewhere to a minimum. The LinkedIn data breach shows that the estimated scale of a data loss can be widely misreported and that consequences can surface years after an attack is announced. The best thing to do is minimize your exposure and react quickly.
SecurityScorecard users can see whether their organization’s passwords and other sensitive information, or that of their vendors have been exposed through the ‘Leaked Credentials’ security factor in the platform.