LinkedIn leak + 5 security tips to stay safe

Written by: Gerard Gerard
Blog

In the era of the information, security breaches are happening every day, from small companies websites to big ones like Adobe, Snapchat, Avast and today LinkedIn.

What happened?

LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site now, 4 years later. Let us give you an update about this  LinkedIn data breach and some security tips to stay safe.

2012

Back on June 2012, some Russians hacked the social network LinkedIn, compromising 6.5M passwords. The passwords, which were hashed using SHA1 (an outdated algorithm), were cracked and posted on a Russian forum later on that day. After the incident, the website repeatedly encouraged its users to change their password, and they said it was unable to determine whether the email addresses were stolen as well.

linkedinstatus
Source: https://twitter.com/linkedin/status/210390233076875264

2016

Now, back in May 2016, a leak of 167M accounts, including emails and passwords, was being sold on a dark web illegal marketplace, for 5 bitcoins (around €2.000), affirming that the data was stolen during the breach of 2012. LinkedIn confirmed that the new data is legitimate.

linkedin-sold
Leak being sold on a dark web marketplace. Source: Troy Hunt blog

The passwords

As we mentioned, LinkedIn was storing the users passwords in SHA1 (outdated algorithm), without being salted. That makes things easier for the attackers, since that cryptographic algorithm is considered dangerously weak, and the leak of salts allows the use of pre-computed tables for password cracking. In the first 24 hours just after the leak, professional password crackers had 85.5% of the hashed passwords cracked.

linkedin-statusJeremi
Source: https://twitter.com/jmgosney/status/733614448921870338

And as on every leak, most of the accounts have weak passwords. In this case, 1.1M of the accounts were using 123456 as password.

Stay safe - 5 security tips

It's impossible to stay safe out there, but we can try to make it harder for the attackers when a leak comes out. These are our security tips.

Tip #1. Strong passwords

Strong passwords are difficult to crack by the attackers. Passwords length is more important than using combination of weird characters on it. For example, $2esd+BU password can be cracked in 9 hours, but fight grill alphabetic drama will take substantially longer time to break and it is easier to remember.

passwords

Source: https://xkcd.com/936/

Tip #2. Unique passwords

Never ever repeat a password on 2 different websites. Whenever you create an account on a website, you don't know how data is stored, how the passwords are encrypted / hashed (if they are), how secure the company and the website are... So it's a matter of time that website get's hacked. Once that happens, all your data will be compromised and probably your password will be cracked (if needed).

That possible working passwords will be matched against your other accounts by the attackers, such as your email account, social networks or even work related accounts. If the password used is unique, the attacker will not be able to login to any of your other accounts.

Tip #3. Password manager

To make the previous point possible, a password manager is your best option. It will help storing all your passwords in a organised way, and it's useful when generating new ones. KeePass (KeePassX for OS X) and 1Password are widely recommended. Remember to set a secure master key and don't use it anywhere.

Tip #4. Two factor authentication

Enable two factor authentication when possible, especially on your critical accounts, such as your primary email account. This will force new devices to require (for example) a PIN number sent to your phone on their first login. Attackers will need access to your phone to be able to login.

Tip #5. Be aware of leaks

Services such as https://haveibeenpwned.com/ will help notifying you whenever one of your email accounts appears on previous and further leaks. You can check here if any of your emails / accounts has been exposed in any major data breach.

Find more about the LinkedIn data breach on te following sources used for this blog: