LinkedIn Hack: Why Breach Is A Wake-Up Call For Users - InformationWeek


The 2012 LinkedIn security breach is far worse than previously reported. Now reports say that hackers are trying to sell information for more than 117 million accounts, which should have people who use the same password on multiple sites worried.

LinkedIn announced on Wednesday that the scope of its 2012 security breach has expanded to include more than 100 million impacted users, which is more than 15 times greater than previously thought. Reports are now surfacing that information from those accounts is up for sale on the Web -- something security experts say should alarm those who use the same usernames and passwords on multiple sites.

"If a user registers the same passwords on multiple sites, then the problem is magnified far beyond LinkedIn," Morey Haber, vice president of technology for BeyondTrust, told InformationWeek. "If the email address is known too, as in this data breach, the odds are they are using the same address with Facebook or similar sites. Thus, not only can a hacker own LinkedIn, but potentially any other common site that the same email address and password are used [for] too."

Haber added that the worst-case scenario would be if a user's actual email account uses the same password that is used for the LinkedIn site. "Then it's game over for everything from bank accounts to blunt identity theft," Haber said.

(Image: hocus-focus/iStockphoto)

How do cybercriminals know which other sites to test with your LinkedIn email address and password? There are multiple avenues they try.

"Cyberattacks use statistics to test account credentials and basic demographics of an email account to determine what to attack," said Haber, pointing out these examples:

  • If you have a LinkedIn account, you probably have a Facebook account, but not necessarily vice versa.
  • If your email address is based on a financial domain name like Bank of America, or Chase, then odds are, you bank at the same location as that of your employment.
  • If your email address ends with a regional designator like @cfl.rr.com, then you are likely to live in central Florida, and there are only two power companies that you can get an electric bill from.

"All it takes is a little investigation and intuition to figure out a ton of information about a person's demographics and what a successful attack could look like," Haber warned.

The hackers were able to match 117 million emails to encrypted LinkedIn passwords, out of a pool of 167 million LinkedIn accounts, according to a report in Motherboard. According to Krebs on Security, the paid hacked-data search engine LeakedSource said the remaining LinkedIn users likely accessed the networking site via their Facebook account or another account with authorization credentials tied to LinkedIn.

Users may not realize that these linked authorizations, while convenient, are risky.

"Using Facebook, Google+, or any other Internet based authentication mechanism that shares identities to authenticate you is a high-risk poker game," Haber said. "Once one site is compromised, the rest are all exposed without even knowing the password."

The LinkedIn breach is a wake-up call for users to change their password on that site, and the same goes for any sites that are linked to the social networking site.

"Every website should have a unique password, such that a breach in one does not potentially expose another site. In addition, I personally recommend multiple email addresses for user -- three at a minimum. One should be for business, one for sensitive information like bank accounts, and finally one for all social activities. This helps filter potential phishing scams, etc. For example, your bank will never send you an email to your social email account, and a friend will never send you a love letter to your bank email address," Haber advised.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
AndrewfOP,
User Rank: Moderator
5/20/2016 | 10:26:07 AM
Web Site ID/pwd management
"...multiple email addresses for user -- three at a minimum"

This is something I identify with.  I currently keep about 10 email accounts active for various uses.  I even have a junk email account I rarely check for the web sites that must know my email and which I would only visit this one time.

The advice of telling users to keep different passwords for different web sites is simply lousy.  Between my various accounts, I have around 500 web sites that want an ID/password.  There is no way I would remember all of them, nor would I care if most of them were hacked.  The password manager I do use to keep track of more important ID/passwords does not interface with browsers.  The idea of allowing an all-important master password running around the net encrypted or otherwise doesn't sit well with me.

I also have profound disappointment in how OpenID technology turned out.  OpenID is integrated into most services like Yahoo, Google or Facebook.  There are no more independent companies that could just be the arbiters for the ID/profile information without ceding data access control to the likes of Facebook, Google, or LinkedIn as the web site in question.  Until there are platforms for consumers/internet users to become the guardians of their data, we will continue to have this hodgepodge of user data/password security problems.

 
Broadway0474,
User Rank: Ninja
5/19/2016 | 10:30:36 PM
annoying
Not sure about anyone else, but this "latest" breach just annoys me. One, because I am an avid LinkedIn user. But two, because it is not new. It's an old breach, and the fact that it's making news years later because no one realized the scope of it seems negligent at best on the part of LinkedIn. At a certain point, should companies be punished for this sort of stuff?
paulno,
User Rank: Strategist
5/19/2016 | 5:48:59 PM
Don't forget it
That's good proof that no website is sheltered from hackers, so the only solution is to choose single and different passwords on each website you register with. Otherwise, not only will you lose the hacked account, but you'll also get all your other accounts stolen as well. The Internet is real life; thanks to this article for reminding us in detail that even famous websites are not safe.