LinkedIn was hacked way back in 2012, but the leak of passwords four years ago wasn't the end of the story. Another 117 million have turned up, and many of those old passwords still seem to be valid.
But surely, I hear you ask, LinkedIn invalidated those old passwords in 2012? Nope. That turns out not to be the case -- LinkedIn only forced a reset of the 6.5 million leaked ones, for fear of inconveniencing the other users.
Initially, LinkedIn's response this time was the same. But thankfully, saner heads prevailed and the company's finally doing the right thing.
In IT Blogwatch, bloggers also consider changing their email addresses. Your humble blogwatcher curated these bloggy bits for your entertainment.
What’s the craic? Lorenzo Franceschi-Bicchierai sounds bored, mother—Another Day, Another Hack:
A hacker is trying to sell the...emails and passwords, of 117 million LinkedIn users. ... The hacker, who goes by the name “Peace,” [said] the data was stolen during the LinkedIn breach of 2012.
LinkedIn never clarified how many users were affected. ... LinkedIn spokesperson Hani Durzy [said] “We don’t know how much was taken.”
For LinkedIn, the lesson is...don’t store passwords in an insecure way. ... For LinkedIn users, if you didn’t...change your password four years ago, change it [now]. Use two-factor authentication and...strong passwords.
Stored insecurely, you say? Sarah Perez reports the leak of 117 million LinkedIn emails and passwords:
Another data set from the  hack [has] been released. ... Hackers broke into LinkedIn [and] stole some [hashed] passwords. ... Because the passwords were...unsalted...hundreds of thousands were quickly cracked.
LinkedIn says that it has increased its security measures...since the breach. ... But this hack was from...before these protections were in place.
Time for an update from LinkedIn's CIO. That would be Cory Scott, who'd like to assure you they're Protecting Our Members:
In 2012, LinkedIn was the victim of an unauthorized access. ... At the time, our immediate response included a mandatory password reset for...accounts we believed were compromised. ... We advised all [other] members of LinkedIn to change their passwords.
Yesterday, we became aware of an additional set of data...from that same theft. ... We are taking immediate steps. ... We have begun to invalidate passwords for all accounts...that haven’t updated their password since...the 2012 breach.
But why didn't LinkedIn do this three years ago? Brian Krebs recycles that criticism and more: [You're fired -Ed.]
[In 2012] LinkedIn responded by forcing a password reset on all 6.5 million of the [leaked] accounts, but it stopped there. ... Inexplicably, LinkedIn’s [initial] response to the most recent [leak] is to repeat the mistake...forcing a password reset for only a subset of its users.
LinkedIn spokesman Hani Durzy...said “We did at the time what we thought was in the best interest of [all members], trying to balance security [with] not disrupting the LinkedIn experience for those who didn’t appear impacted.”
For the avoidance of doubt, since Brian published his post, LinkedIn announced they would indeed be resetting all old passwords. John Leyden jars us awake—Dark net LinkedIn sale looks like the real deal:
A hacker is attempting to sell 117 million LinkedIn users' emails and passwords. ... Logins are for sale on at least two...websites at prices of 5 BTC [$2,250].
Tod Beardsley [with] Metasploit, commented:.."The most valuable data...may not be the passwords at all, but the enormous registry of email addresses. ... Spammers rely on accurate, active email addresses to target, and the low price tag...is likely to generate significant interest."
PSA: Also consider changing your LinkedIn email address. To do that, follow these steps:
- Go to linkedin.com/psettings/email
- Add the new email address
- Confirm it, using the email message LinkedIn sends you
- Go to linkedin.com/psettings/email again and click Make primary for the new address
- Optionally, click Remove on the old address
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or firstname.lastname@example.org.
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.