Security experts time and again will recommend that users change their passwords regularly. That’s advice that 100 million LinkedIn users hopefully took to heart, as hackers are now selling user information from a breach the social network first disclosed nearly two years ago.
Back in June 2012, LinkedIn reported a breach of its system that it claimed only impacted 6.5 million user passwords.
However, as many as 100 million LinkedIn members’ passwords were potentially stolen in the 2012 breach, Cory Scott, director of information security at LinkedIn, revealed May 18.
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” Scott wrote in a blog post. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords.”
The passwords that hackers are selling are not the result of a new security breach, Scott said. In a video interview with eWEEK in August 2015, Scott detailed how LinkedIn manages security for its members. It’s a system that proactively will reset user passwords if credentials show up in a data dump. LinkedIn also provides users with optional two-factor authentication technology that would further minimize the potential impact of a breach.
Additionally, LinkedIn makes it difficult for any potential attacker to immediately benefit from a breach’s credentials. LinkedIn uses both hashing as well as “salt” techniques to encrypt user passwords in its database making them largely unusable for attackers.
Hashing is a mathematical function that transforms characters into a scrambled value, or “hash,” while a “salt” is a random data element that is included in the hash to make it more secure. A hashed password is not immediately usable by an attacker in the way that a plain-text (non-hashed) password would be.
Although LinkedIn has taken steps to protect users, there is still potential risk.
“The resurgence of the 2012 LinkedIn hack does not come as a surprise, and more importantly, it highlights the breadth of illegal opportunities cyber-criminals have at their disposal when they get their hands on personal data, even if just email addresses and potential passwords,” Orlando Scott-Cowley, cyber-security strategist at Mimecast, wrote in an email to eWEEK.
The value of an email address was also highlighted by Tod Beardsley, security research manager at Rapid7. The most valuable data in the LinkedIn compromise may not be the passwords at all, but the enormous registry of email addresses connected to working professionals, he said. “While people’s passwords can and should change routinely, email addresses and usernames persist for years without easy mechanisms to change them.”
The risk from email alone is also one that Tony Anscome, AVG senior security evangelist, warns about. As a best practice following a security breach, Anscome recommends that people avoid using the same email address or profile name across multiple online accounts.
Anscome suggests that users have a primary email address that is set aside exclusively for recovery of forgotten passwords and account information. A second email account could be used just for retail transactions, while a third is reserved for financial accounts and sensitive information, he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.