LinkedIn announced on Wednesday that the scope of its 2012 security breach has expanded to include more than 100 million impacted users, more than 15 times the number previously thought. Now reports are surfacing that information from those accounts is up for sale on the Web -- something security experts say should alarm anyone who uses the same username and password on multiple sites.
"If a user registers the same passwords on multiple sites, then the problem is magnified far beyond LinkedIn," Morey Haber, vice president of technology for BeyondTrust, told InformationWeek. "If the email address is known too, as in this data breach, the odds are they are using the same address with Facebook or similar sites. Thus, not only can a hacker own LinkedIn, but potentially any other common site that the same email address and password are used [for] too."
Haber added that the worst-case scenario would be a user whose actual email account uses the same password as the LinkedIn site. "Then it's game over for everything from bank accounts to blunt identity theft," Haber said.
How do cybercriminals know which other sites to test with your LinkedIn email address and password? There are multiple avenues they try.
"Cyberattacks use statistics to test account credentials and basic demographics of an email account to determine what to attack," said Haber, pointing out these examples:
- If you have a LinkedIn account, you probably have a Facebook account, but not necessarily vice versa.
- If your email address is based on a financial domain name like Bank of America, or Chase, then odds are, you bank at the same location as that of your employment.
- If your email address ends with a regional designator like @cfl.rr.com, then you are likely to live in central Florida, and there are only two power companies that you can get an electric bill from.
"All it takes is a little investigation and intuition to figure out a ton of information about a person's demographics and what a successful attack could look like," Haber warned.
The hackers were able to match 117 million email addresses to hashed LinkedIn passwords (the 2012 dump held unsalted SHA-1 hashes, not encrypted passwords, which is why so many could be cracked), drawn from a pool of 167 million LinkedIn accounts, according to a report in Motherboard. According to Krebs on Security, the paid hacked-data search engine LeakedSource said the remaining LinkedIn users likely accessed the networking site via their Facebook account or another account with authorization credentials tied to LinkedIn.
Users may not realize that these linked authorizations, while convenient, are risky.
"Using Facebook, Google+, or any other Internet based authentication mechanism that shares identities to authenticate you is a high-risk poker game," Haber said. "Once one site is compromised, the rest are all exposed without even knowing the password."
LinkedIn's disclosure is a wake-up call for users to change their password on that site; the same applies to any other site where that password is reused or where the login is linked to the LinkedIn account.
"Every website should have a unique password, such that a breach in one does not potentially expose another site. In addition, I personally recommend multiple email addresses per user -- three at a minimum. One should be for business, one for sensitive information like bank accounts, and finally one for all social activities. This helps filter potential phishing scams, etc. For example, your bank will never send you an email to your social email account, and a friend will never send you a love letter to your bank email address," Haber advised.