In early June 2012, an unidentified attacker obtained millions of hashed passwords from LinkedIn and from eHarmony. Although LinkedIn had more than 160MM members at the time, the hashes that surfaced publicly covered only a small percentage of accounts: in total, across both LinkedIn and eHarmony, roughly 8MM password hashes were released.
LinkedIn initially said it was “unable to confirm” that a breach had occurred, but on June 6th it relented and officially announced that the company had suffered a major security breach. On June 7, LinkedIn confirmed that the earlier reports from security researchers were correct and that its network had been compromised by cybercriminals who gained unauthorized access to millions of hashed LinkedIn passwords.
A list of the LinkedIn password hashes was posted on an underground forum, where the thieves asked others to help crack them. Reportedly, by Thursday, June 7, 2012, roughly sixty percent of the hashes had been cracked, and it was expected that as many as 95 percent would ultimately be recovered. Because the hashes were unsalted, every copy of a common password produced the same hash, so a single guess cracked every account that shared it.
LinkedIn’s response was to disable the passwords of the accounts whose hashes had been publicly listed and cracked and, as a precaution, to disable any other at-risk accounts. LinkedIn then notified the affected members with instructions on how to reset their passwords.
The LinkedIn blog post also told members that the incident was still under investigation and that law enforcement had been brought in. A spokeswoman stated that the company had enhanced its security protocols and added an additional layer of protection, salting, to its password storage to “better secure your information.” A salt is a random per-user value mixed into the password before hashing: two users with the same password then get different hashes, and an attacker can no longer crack every account with one pass over a wordlist or a precomputed table. A salt alone does not make guessing one weak password slow; that requires a deliberately expensive hash such as PBKDF2, bcrypt or scrypt.
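To make concrete why the leaked hashes fell so quickly and what the salt LinkedIn added actually buys, here is an added Python example; it is not LinkedIn’s code, and the wordlist and user records are constructed for the demonstration. It runs the same small wordlist attack against unsalted SHA-1 (the scheme in the leaked file) and against per-user salted SHA-1, counting the hash computations each requires, and then shows salting combined with a slow key-derivation function (PBKDF2-HMAC-SHA256, chosen here as an illustration) with a constant-time verify.

```python
import hashlib
import hmac
import os

# Constructed for this example: a tiny attacker wordlist and five user
# passwords. Nothing here is real LinkedIn data.
WORDLIST = ["password", "123456", "linkedin", "qwerty", "letmein", "sunshine"]
USER_PASSWORDS = {
    "alice": "password",
    "bob": "password",
    "carol": "password",
    "dave": "qwerty",
    "erin": "correct horse battery staple",  # not in the wordlist
}


def sha1_unsalted(password: str) -> str:
    """Weak storage: bare SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Per-user random salt hashed together with the password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def crack_unsalted(target_hashes, wordlist):
    """One pass over the wordlist builds a table that cracks every user at
    once. Returns (cracked {hash: password}, number of SHA-1 computations)."""
    table = {sha1_unsalted(w): w for w in wordlist}
    cracked = {h: table[h] for h in target_hashes if h in table}
    return cracked, len(wordlist)


def crack_salted(target_records, wordlist):
    """target_records: {hash: salt}. Each user must be attacked separately,
    so the work grows with the number of users, and identical passwords no
    longer share a hash. Returns (cracked {hash: password}, computations)."""
    cracked, work = {}, 0
    for h, salt in target_records.items():
        for w in wordlist:
            work += 1
            if sha1_salted(w, salt) == h:
                cracked[h] = w
                break
    return cracked, work


def compare_schemes():
    """Run the same wordlist attack against both storage schemes."""
    # Unsalted: identical passwords collapse onto one hash, which is itself
    # a leak (the attacker sees which users share a password).
    unsalted = {}
    for user, pw in USER_PASSWORDS.items():
        unsalted.setdefault(sha1_unsalted(pw), []).append(user)
    salted = {}
    for user, pw in USER_PASSWORDS.items():
        salt = os.urandom(16)
        salted[sha1_salted(pw, salt)] = salt

    cracked_un, work_un = crack_unsalted(list(unsalted), WORDLIST)
    cracked_sa, work_sa = crack_salted(salted, WORDLIST)
    return {
        "unsalted_distinct_hashes": len(unsalted),   # 3 for 5 users
        "salted_distinct_hashes": len(salted),       # 5
        "unsalted_cracked_users": sum(len(unsalted[h]) for h in cracked_un),
        "unsalted_work": work_un,                    # one wordlist pass: 6
        "salted_cracked_users": len(cracked_sa),
        "salted_work": work_sa,                      # one pass per user: 13
    }


def hash_password(password: str, iterations: int = 600_000):
    """Salt plus a slow KDF: what password storage should look like.
    Returns (salt, derived_key); both are stored, neither is secret."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(compare_schemes())
    salt, stored = hash_password("hunter2")
    print(verify_password("hunter2", salt, stored), verify_password("hunter3", salt, stored))
```

The attacker still cracks the same four weak passwords either way; what the salt changes is that the work is done once per user instead of once for the whole dump, and that the three users sharing “password” are no longer visible as a cluster of identical hashes. Only the slow KDF raises the cost of each individual guess.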
In closing their blog statement LinkedIn posted the following:
We are working hard to protect you, but there are also steps that you can take to protect yourself, such as:
- Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.
- To take advantage of our enhanced security measures, change your password now by clicking here.
- Do not use the same password for multiple sites or accounts.
- Create a strong password for your account, one that includes letters, numbers, and other characters.
- Watch out for phishing emails and spam emails requesting personal or sensitive information.
Our efforts to protect LinkedIn members impacted by this incident are ongoing and we will continue to keep you posted here.
Unfortunately, the posting of LinkedIn members’ passwords was not the end of this cyber nightmare. Since the breach, many members’ accounts have been taken over by cybercriminals and used for mass spamming and phishing scams.
Links For Consumers Affected: