Well, look what suddenly reappeared. The Linkedin breach from 2012. Wow. I actually thought that was sort of left to the history books now, with no additional news or stories to tell. I was wrong.
Linkedin got hacked. Korelogic (@CrackMeIfYouCan) was the first to report something was going on. I became the guy who managed to confirm the “6.5 million users” leak was real, after finding a reliable source who confirmed his/her recently updated random Linkedin password in the SHA-1 hashes in the dump. The story made the news, and the story went global.
As part of my ongoing research into passwords, the Linkedin data showed us quite a few interesting fact about colors in passwords. To close it off, Jeremi Gosney (@jmgosney) wrote The Final Word on the LinkedIn Leak. And then we thought that was it. Done. Moving on please.
Where did all the hackers go?
I have to admit that I spoke with Dan Goodin @arstechnica about the leaked data, and something that baffled at least me. Where did all the hackers go?
The leak was out, and although it only contained unique SHA-1 hashes (=unique passwords), they could still serve as input for online password guessing against accounts across multiple services. Because people reuse passwords across multiple services. Trust me, or check out HaveIBeenPwned.com from Troy Hunt.
However we didn’t see or hear about any high-profile account takeovers.
Temporary conclusion at the time: “if you suddenly hit jackpot and got access to millions of accounts but were not prepared for it, how could you possibly abuse as many of them as possible before they get disabled or have their passwords changed?”.
Handling the incident
I was never impressed with the way Linkedin handled the incident.
On the contrary, I was closer to shocked.
They didn’t respond in any channel. When people logged on to change their password and got news stories about Linkedin being hacked, there was no mandatory or even “For security reasons we encourage you to change your password now”.
I waited days before my password reset email finally came through. DAYS.
How long would you expect to wait before your credit card provider notified and cancelled your card after they knew it had been compromised? From my perspective it didn’t look like they were prepared for something like this to happen.
To the defense of Linkedin: most organisations are not prepared for incidents like this. They really should be more prepared, and they should practice often.
Lawsuits came, at least one succeeded. As far as I remember it wasn’t even peanuts, and only applicable to paid (=premium) account holders.
One of the fascinating things about the breach back in 2012 is that 6.5 million compromised accounts became the official number of compromised users. That number was actually number of unique unsalted SHA-1 hashes. Some of those were mangled, so the real number was a bit lower. However 6.5 million users were far from the truth.
As we know now, it looks like their entire user database at the time were breached. Joseph Bonneau, at the time a PhD student at Cambridge, wrote on his blog “…so we might project that the LinkedIn leak represents closer to 12.5 million users if the password distributions are similar”.
Based on this guesstimate alone, I’m curious on how many accounts Linkedin actually initiated password resets for, and I’m curious if they kept any password history at the time to prevent users from reusing old passwords. Because in my experience even a breach notification won’t make people choose a completely different password. As we all know.
Fast forward to 2016
Motherboard breaks the news, the complete dump from 2016 seem to be up for sale. The rat race begins; comments, expert analysis, sample dump analysis, “who has the complete dump available? anyone? link? Plz?”.
The infosec world has a taste for blood, just like most others. Oh yes, so do I, but I really try to live by a certain ethics code. Oh, and you should read how Troy Hunt verifies data breaches. A good read!
I think shareholders in major service providers expect this as a mandatory move for damage control. They really should learn more about how the internet works. Anyway, the data is out. Nobody can DMCA them offline, period.
2012 happens – in 2016
The past called, and wanted to come visit. The complete dump is up for sale.
Linkedin responds, and they have a statement and update on their official blog.
I am fascinated about official statements when something has gone FUBAR. Having worked for the largest IT outsourcing & financial services provider in Norway, as well as helping out quite a few customers other places, I think I know a bit about “reading between the lines”.
In the case of Linkedin in 2016, I was baffled. Again. Let me add comments to their statements from their official blog:
“At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure.”
Did they download the 6.5 million leak and use that to figure out who they thought were compromised? I honestly have to say that I would have initiated a forced password reset of those 6.5 million accounts/hashes FIRST, and then for security’s sake, the remaining 115 million-or-so accounts after that.
Changing the password hashing algorithm used for storing passwords would also be done quickly. With or without password history, as CISO of Linkedin I would probably have cracked the users’ passwords myself, to properly evaluate my current risk exposure. Yes, I think any organisation should attempt cracking their own passwords.
“We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach.”
Let me repeat from above: and then for security’s sake, the remaining 115 million-or-so accounts after that. Its not admitting everything was compromised. It is common sense in my opinion. Assume the worst and act accordingly, right?
“However, regularly changing your password is always a good idea and you don’t have to wait for the notification”
NO, IT IS NOT. On the contrary, mandatory or even voluntarily changing your passwords manually on a regular basis will make most users create passwords based on very simple patterns. Very predictable patterns. Very predictable to hackers. Without adding much, if any real value to security for Linkedin or their users. It will just make things less usable, less secure and more annoying.
What you should do:
Having said that, Linkedin introduced 2-step verification using SMS. Although not something to be considered secure against a determined hacker in a targeted attack, it is much better than nothing.
What Linkedin really should do is to promote its existence better, and stop this nonsense about regular password change. That really doesn’t work anymore.
Personally I recommend two-step verification as a good tradeoff between security and usability for most applications. I’ll even admit that a single password might not be enough in all cases. So go ahead and configure 2FA wherever you can.
And somebody please ask Linkedin why the official statement blog post doesn’t appear on the official blog post frontpage?
Because trying to hide the fact they got compromised is a dead end.
This article, by guest contributor Per Thorsheim, was originally published on the GodPraksis blog.