Privacy: The LinkedIn Security Breach

LinkedIn, a business oriented social networking site which was founded in the year 2002, has recently found its way in the headlines for the latest data breach committed by hackers on May17, 2016. This wasn’t the first time it had faced such a breach. On 5th  June, 2012, a  group of hackers managed to get hack 6.5 million user accounts and by the morning of June 6, passwords of such accounts were available online in plain text.  This was followed by an apology by LinkedIn asking its users to immediately change their passwords. The company officials implemented a mandatory password reset for affected users. The internet security experts stated that the passwords were easy to unscramble because of LinkedIn’s failure to use a salt when hashing them, which is considered an insecure practice.

The breach which had affected around 6 Million users was just the tip of the ice berg. According to the latest news, the data that was hacked recently on May 17th, 2016, was advertised on a dark website named Real Deal by someone with the user name peace_of_mind. It offers the hacked data of 167 million accounts for five bitcoins, which at current exchange rates is worth about $2,200. After becoming aware of the data breach, LinkedIn sent out an email stating that they are taking immediate steps to invalidate the passwords of the affected accounts, and they will contact those members to reset their passwords. Further, LinkedIn invalidated the passwords at risk. They also suggested the users to visit their safety centre to ensure they have two-step verification authentication and to use strong passwords in order to keep their accounts as safe as possible. Surprisingly, LinkedIn’s response to the most recent breach is to repeat the same procedure which it had adopted in the original breach, by once again forcing a password reset for only a subset of its users.

This hacking has been attributed to the insufficient security measures which were undertaken by LinkedIn.  The leaked source reveals that most of the passwords which were hacked were extremely common passwords.  According to the leaked source around 2.2 million of the 117 Million passwords which were exposed were easily guessed passwords. The password selling site also claims that passwords were stored in SHA1 with no salting, and this is not what internet standards propose. However, LinkedIn claims that after the breach which took place in 2012, it has added salt to its password hashing function. The site further claims that only 117 million accounts have passwords , while it is suspected that the remaining users have registered using Facebook or similar social media portals. It is pertinent to note that if someone is a LinkedIn user and has not changed his LinkedIn password since 2012, then his password may not be protected with the added salting capabilities making it vulnerable to the attack.

Despite the steps which are being taken, the users of LinkedIn are still under a potential risk. Hackers are reportedly selling the trove of stolen emails and passwords, and even if they no longer work with LinkedIn, the credentials can potentially be used to unlock other popular sites and online services due to password reuse. The users need to be made aware regarding recurring instances of hacking of passwords. Sites like LinkedIn should pay more attention while giving a nod to stronger passwords and must stress on stronger encryption. Ensuring security on the internet demands attention from both the side of service providers and users. Even users should refrain from using the same password for multiple sites. They should also keep changing passwords at regular intervals to avoid unauthorised access to their passwords.  The numbers of passwords which have been leaked makes it apparent that the current security approach of LinkedIn needs a complete overhauling.

Authored by- Sudha Sameeskhya Mohanty

Sources 1, 2,3, 4