Account data leaked from 167 million LinkedIn users: change your password!


Account data leaked!

Millions of LinkedIn users are receiving a service e-mail instructing them to change their password immediately. The reason? LinkedIn account data has leaked. The breach itself dates back to June 2012, and it may have affected as many as 167 million accounts.

LinkedIn acknowledges that its servers were hacked in 2012, leaking password hashes. At the time the reaction was as expected: the accounts known to be involved, an estimated 6.5 million, were forced through a password reset, and the company advised everyone else to reset theirs as a precaution.

This week LinkedIn learned that the problem did not end there: a seller on the darknet marketplace TheRealDeal put up for sale a package containing data for 117 million LinkedIn accounts, obtained in the 2012 breach. The price? 5 bitcoins (roughly US$2,200).

The number of affected accounts may be even larger. LeakedSource, a site that describes itself as a service for finding out whether your private information is circulating on the Internet, claims to have obtained data on 167,370,910 accounts.

According to LinkedIn, no other major breach of the service has been recorded, so it is almost certain that the data for these accounts also came from the 2012 leak.



If so many accounts are affected, why is the data only surfacing now? One of the people behind LeakedSource told Motherboard that the data was probably under the control of a small Russian group the whole time. Access to the package was likely kept tightly controlled to avoid publicity, since publicity would have caused many of the passwords to be changed quickly.

From what is known, the passwords themselves were hashed (with SHA-1) but without a salt, a random per-user value mixed into each password before it is hashed. Without a salt, every user who chose the same password ends up with the same hash, so one precomputed table of hashes for common passwords (a lookup or rainbow table) cracks the entire dump in a single pass. Anyone with basic knowledge of the subject therefore has little difficulty recovering the passwords.
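To make the difference concrete, here is an added example (not code from the article, and not LinkedIn's own code) that runs the same wordlist attack against two kinds of leaked records: unsalted SHA-1 hashes like those in the 2012 dump, and per-user salted hashes produced by a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library, standing in for the bcrypt/scrypt/Argon2 a real service would use). The user table, wordlist and iteration count are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample data (not real LinkedIn records): a tiny wordlist of
# common passwords and three users, two of whom chose weak passwords.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "welcome"]
PLAINTEXTS = {"alice": "linkedin", "bob": "qwerty", "carol": "T9#vq!pL2mRx"}
ITERATIONS = 50_000  # assumed PBKDF2 work factor for this demo


def sha1_unsalted(password: str) -> str:
    """Unsalted SHA-1: the scheme behind the 2012 LinkedIn dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Crack every unsalted hash in the dump with ONE pass over the wordlist.

    Every user with the same password has the same hash, so a single
    precomputed table (hash -> word) serves all accounts at once.
    Returns (cracked_users, number_of_hashes_computed).
    """
    table = {sha1_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def hash_salted(password: str, salt: bytes = None) -> str:
    """Per-user random salt + slow KDF; stored as 'salt$derived_key' (hex)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """Same wordlist attack against salted records.

    No shared table is possible: the attacker pays one KDF call per
    (user, guess) pair, and each call is deliberately slow.
    Returns (cracked_users, number_of_KDF_calls).
    """
    cracked, calls = {}, 0
    for user, stored in leaked.items():
        for w in wordlist:
            calls += 1
            if verify_salted(w, stored):
                cracked[user] = w
                break
    return cracked, calls


def demo() -> dict:
    """Build both kinds of dump from the sample users and attack each."""
    unsalted_dump = {u: sha1_unsalted(p) for u, p in PLAINTEXTS.items()}
    salted_dump = {u: hash_salted(p) for u, p in PLAINTEXTS.items()}
    c1, n1 = crack_unsalted(unsalted_dump, WORDLIST)
    c2, n2 = crack_salted(salted_dump, WORDLIST)
    return {
        "unsalted_cracked": c1, "unsalted_hashes": n1,
        "salted_cracked": c2, "salted_kdf_calls": n2,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both attacks recover the two weak passwords, because salting does not rescue a bad password. What changes is the cost: the unsalted dump needs 6 cheap SHA-1 computations for all users combined, while the salted one needs a separate slow derivation for every user and guess (13 here, and for a 167-million-row dump the work multiplies by the number of users and by the KDF's iteration count).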

LinkedIn therefore had no choice: since Wednesday the 18th, users have been receiving an e-mail asking them to change their password. To reinforce this, the service is progressively invalidating the passwords of all accounts created up to 2012, and doing the same for accounts whose passwords have not been changed since that year.

As expected, LinkedIn has been criticized by security experts for not taking more comprehensive measures back in 2012. For Brad Taylor, CEO of the security firm Proficio, a well-executed forensic analysis could have given a clearer picture of the scope of the problem. The company defends itself by pointing out, for example, that it has since strengthened the hashing of stored passwords (adding a salt) and introduced optional two-step verification.

But since the damage is done, do everything you can to protect yourself: change your LinkedIn password as soon as possible, even if your account has not been notified, and if you reused that password on any other site, change it there too.
