igor - Fotolia

Lessons from LinkedIn data breach revelations

There are several important lessons to be learned from revelations about LinkedIn's 2012 data breach, say security experts

This article can also be found in the Premium Editorial Download: Computer Weekly: The password’s the problem – lessons from the LinkedIn breach

When LinkedIn said “some” user details had been compromised in 2012, it was initially thought to be around 6.5 million, but now it seems millions more were affected. What are the lessons to be learned?

Change the password

This has got to be the top lesson coming out of the revelation by Motherboard that a trove of 167 million LinkedIn account details are for sale on the dark web.

The details are on sale for the bitcoin equivalent of around $2,200, with 117 million details including a LinkedIn password and an email address.

The passwords were encrypted or hashed, but only using the SHA1 algorithm without “salting” or random characters being added before hashing, which means the passwords are relatively easy to crack.

LinkedIn has since fixed the problem, but if the data does come from the 2012 breach and users have not changed their password since then, the cracked passwords will still be valid.

The point, however, is that at the time LinkedIn said all affected users had been notified and required to reset their passwords, but it appears that was not the case. Therefore, anyone whose online service provider is known to have been hacked should reset their passwords,even if the service provider does not notify them.

Although LinkedIn advised all users to change their passwords after the 2012 breach was made public, it required a password reset only by those users whose accounts were believed to have been compromised. As a result, 117 million account holders continued to be at risk.

Only now, four years later, is LinkedIn taking steps to invalidate the passwords of those accounts.

In 2012, LinkedIn consistently said “some” passwords were compromised, but never a specific number.

This should have indicated what we now know to be the truth: the organisation simply did not know exactly how many accounts were affected by the breach. Therefore, it is safer for businesses and consumers to assume that any breach means a complete breach.

All encryption is not created equal

As mentioned, LinkedIn’s passwords were encrypted, but the company was still using a relatively weak hashing algorithm. It was also not adding random text to passwords to make it more difficult to reverse engineer the hashed or scrambled versions of the passwords.

Wherever a business or consumer relies on passwords being encrypted, they should ensure that they are salted and hashed using a strong algorithm.

Good breach investigation tools are important

Some security pundits have said it is shocking that LinkedIn was not able to establish the scope of the breach quickly and confidently, adding that this is probably the case for many companies.

“The fact that such a huge number of credentials have been available to hackers for so long is deeply worrying,” said Trent Telford, chief executive officer at secure data sharing firm Covata.

“It is also concerning that LinkedIn underestimated the scale of this breach and points to the need for better investigative tools once a breach happens,” he said.

Use two-factor authentication wherever possible

After the 2012 breach, LinkedIn enabled two-factor authentication (2FA) using mobile phone text messages, and if the 117 million account holders whose passwords were not reset had taken advantage, they would not have been at risk.

In the light of continued escalation of the number and size of data breaches, security experts are advising users to enable 2FA wherever possible as it increases protection significantly in the event of a data breach. Even LinkedIn is encouraging users to enable 2FA.

“Passwords are a relic from a bygone age, and they simply don’t provide adequate protection for the volume of information we all store and access online today,” said Brian Spector, chief executive at distributed cryptography firm MIRACL, formerly known as Certivox.

“Passwords do not scale for users, they do not protect the service itself and they are vulnerable to multiple attacks,” he said.

Change passwords regularly

Because it is impossible to know with absolute certainty that a password has not been compromised, changing passwords regularly ensures that even if a password has been compromised, the exposure to risk will be minimised if users change their passwords regularly.

Some security pundits have said anyone who has failed to change their password in four years deserves to be compromised for ignoring the good practice principle of password rotation. 

Never re-use passwords

The security industry has been saying this for many years, but research indicates that password re-use is still very common.

Creating unique passwords for every online service means that if one is compromised, none of the others are affected. However, the converse is also true. If passwords are re-used and one service is compromised, it means all others where the same password is valid are also at risk.

“While LinkedIn has taken the precaution of invalidating the passwords of the accounts affected, and contacting those members to reset their passwords, the chances are that many will use the same password across multiple online accounts,” said Liviu Itoafa, security researcher at Kaspersky Lab.

“It is important that LinkedIn users take steps to change the password for other online accounts where they have used the same password,” he said.

Email addresses are valuable to hackers

Finally, the latest news about LinkedIn’s 2012 data breach has highlighted the fact that passwords are not necessarily the most valuable type of data or the only valuable type of data that hackers are looking for.

Tod Beardsley, security research manager at Rapid7, said the most valuable data in the LinkedIn compromise may not be the passwords at all, but the enormous registry of email addresses connected to working professionals.

“Spammers rely on accurate, active email addresses to target, and the low price tag of 5 bitcoins is likely to generate significant interest from today’s spam industry.

“While people’s passwords can and should change routinely, email addresses and usernames persist for years without easy mechanisms to change them,” he said.

Read more about password security

  • A report of a cache of millions of stolen webmail credentials could finally drive more widespread adoption of two-factor authentication (2FA) say security experts.
  • Here are five steps to ensure stronger passwords and better authentication to reduce the threat of business data theft.
  • Yahoo Account Key uses push notifications to provide a fast and secure way to access Yahoo accounts from a mobile device.
  • The Fido Alliance takes another step closer to defining a standard web-based API, as industry support for its password-killing standards gains momentum.

Read more on Privacy and data protection

Data Center
Data Management