Cybersecurity experts from Network Box USA, Proficio and Securonix commented on news that a 2012 breach of LinkedIn member information was much larger than originally reported, and that the data is available for purchase online.
Pierluigi Stella, CTO, Network Box USA (www.networkboxusa.com):
“This is interesting. First of all, I never realized LinkedIn had so many users. Aside from that, this news goes along with what I mentioned in a previous interview about data breaches. Many companies claim they’re able to detect a data breach immediately or reasonably quickly. In fact, that survey actually cited large corporations stating that they’d know right away. These companies are either delusional or living in a different world.
The sheer idea of hacking and stealing data is based on being stealth and hackers are really good at that. Well, here’s proof that my opinion was correct. I’m inclined to believe LinkedIn genuinely might not have known the extent of the breach. I mean, why would they admit to it and say they lost ‘only’ 6 million passwords? The damage is the same whether they admit to 6 or to 116. Everyone on LinkedIn should’ve changed their password by now. Everyone received a notification of the breach and if someone still hasn’t change their password, their account should be locked and deleted.
LinkedIn is a business platform, it’s not Facebook. All users of LinkedIn should be well aware of issues such as this, know how to behave, and when to change their passwords. If I recall correctly at the time, we heard some passwords were as simple as the widely used 12345. Although I find it hard to believe because LinkedIn does have password rules and you can’t really set up simple strings as passwords, this still goes to show that some people never learn. On the other hand though, what perplexes me is why hackers would sit on this data for 4 years. Four years later, that information is likely stale; and again, if it isn’t, if someone hasn’t changed their password, they should have had their account locked.
I really have zero tolerance, zero mercy for such behavior.
This is 2016, and we all know how easy it is to be hacked. We all need to adopt a proper and secure behavior.
People, change your passwords!! So that huge database will be completely obsolete!”
Brad Taylor, CEO, Proficio (www.proficio.com):
“The revelation of the magnitude of this breach is very disturbing. First, has LinkedIn been fully transparent with it users? Hopefully, users changed their passwords on the initial disclosure, but in the light of this news a stronger response should have ensued.
Second, if LinkedIn is only now discovering the scale of data that was exfiltrated from their systems, what went wrong with the forensic analysis that should have discovered this?
Lastly, anyone still using an old LinkedIn password for banking, business, or person use, should change their password immediately.”
Igor Baikalov, chief scientist at Securonix (www.securonix.com):
“Disappointing approach to security and response to the breach from LinkedIn. Passwords hashed with no salt, and then hashes padded with random numbers for security? What is it – a high school project on cryptography back in 1995? No wonder 90% of these passwords were crackedwithin 72 hours.
Not acknowledging the full extent of the breach because “We don’t know how much was taken,” four years later? No indication that accounts were monitored for anomalous activity? With 2/3 of all accounts compromised back in 2012, it’s not enough to recommend strong authentication. LinkedIn should have strongly encouraged (i.e., forced) enrollment into two-step verification, and used it as a step-up authentication whenever user behavior looked suspicious, such as accessing the site from unusual location or unknown device – common practice for over 10 years.
I’m not convinced that this stockpile of credentials was sitting idle for four years somewhere in a dusty Russian closet. Considering that at least 6.5 million passwords posted online in 2012 were cracked in one day, it’s too good of data to sit on. They’ve most likely been used in some targeted attacks already, and will continue to be used on a massive scale now that the news of the breach is out. Getting your LinkedIn account hijacked is the least of your problems. Having your financial or email accounts hacked – because you reused either the whole password or its composition pattern – is a lot more painful.
Spend some time now to secure your digital assets (to protect the physical ones):
– Check your email address and login name on https://haveibeenpwned.com/ to see if it has been compromised in any of the known data breaches.
– Add enhanced security option to your critical accounts, such as step-up authentication on suspicious activity (challenge questions or one-time access code), registered device, etc. If you provider doesn’t offer any, find another one that does.
– Invest in a good password manager with redundant backups; use a very long (but something you can remember) master passphrase; add biometric protection and create a strong password for every account.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.