Update: 117 million LinkedIn email credentials found for sale on the dark web
The 117 million credentials come from a larger 167 million data dump of accounts that were supposedly grabbed when LinkedIn was breached in 2012.
The 2012 LinkedIn data breach may be the breach that just keeps on giving with the news that 117 million customer email credentials originating from that hack were found for sale on the dark web prompting the professional social network to invalidate the account passwords.
The initial story came from Motherboard, which reported it was contacted by someone going by the name “Peace” who said he was selling the data set on an illegal market place called The Real Deal for 5 Bitcoins, or about $2,200. The 117 million credentials come from a larger 167 million data dump of accounts that were supposedly grabbed when LinkedIn was breached in 2012.
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” Cory Scott, LinkedIn CIO, said in a blog post, adding the customers impacted will be contacted.
At the time of the 2012 incident, which was believed to have impacted about 6 million accounts, LinkedIn required a mandatory password reset for the accounts it believed were compromised.
Amit Ashbel, Checkmarx director of product marketing and cyber security evangelist, said LinkedIn's poor handling of its customer's data four years ago lead directly to today's situation.
“LinkedIn could have definitely prevented the impact of this breach four years ago if they were using strong encryption techniques. That might not have prevented the breach itself but the data would be of much less use,” he told SCMagazine.com in an email.
The data up for sale did not include payment card information or Social Security numbers, but even email addresses can have value to a criminal, particularly one willing to put in the time and effort to tie these data points to others that can be found on the web.
“The most valuable data in the LinkedIn compromise may not be the passwords at all, but the enormous registry of email addresses connected to working professionals. Spammers rely on accurate, active email addresses to target, and the low price tag of 5 Bitcoin (approximately $2200) is likely to generate significant interest from today's spam industry,” Rapid7's Tod Beardsley, security research manager, told SCMagazine.com in an email.
Adam Levin, chairman and founder of IDT911, said users are also to blame for making something as innocuous as an email password so valuable.
“Email address and passwords are at the foundation of our digital identities, as they typically contain a name and/or number significant to you, such as your birthday or address. These become tiny breadcrumbs that hackers can piece together to access even more sensitive information,” he said, adding that the public's general refusal to come up with new passwords means one can be used to hack into multiple accounts.
Making a bad situation worse for LinkedIn and its customer base is that even this latest revelation may not be the end of the story that started with the 2012 data breach. Ashbel noted that it is a common practice among hackers to hold back some information from a hack, sort of like using the data to create an annuity for the criminal.
“The fact that these are now being sold online indicates to me more than anything else that the hacker needs cash and now is the time to pop out that old stash and sell to the highest bidder,” he said.
UPDATE: LinkedIn sent a Notice of Data Breach to its users on May 26 which detailed the incident.
“On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online,” the notice said.
Member email addresses, hashed passwords, and member IDs from 2012, were compromised the notice said.
LinkedIn said in the notice the incident was not the result of a new breach or hack and that it took immediate action to invalidate the passwords of the accounts believed to be at risk. The firm is also using automated tools to attempt to identify and block suspicious activity on user accounts.