Millions of LinkedIn Passwords Hacked and Sold on Black Market

By Eowyn @DrEowyn

I’m a paid member of LifeLock. This afternoon, I received an email alert from LifeLock that “LifeLock detected a piece of your personal information” — my email address — “being sold online.”

The alert said my email address was found on “social media,” specifically the “potential impacted site” of http://www.linkedin.com — the website of LinkedIn, the social networking site for professionals and business people.

Fortunately, the personal data that was breached is one of my email addresses. LifeLock warns that “If your debit card, credit card, bank account numbers or PINs appear in this alert, change all accounts sharing the login name and password, and contact the corresponding financial institutions immediately. We recommend you use different logins and passwords for each account; this will minimize the scope of your potential risk.”

After freaking out for a few seconds, I got to work.

First, I went on the net to search for LinkedIn having been hacked. This is what I found.

Jose Pagliery reports for CNN Money that four years ago, in 2012, LinkedIn was hacked, resulting in, we were told, the theft of 6.5 million passwords.

Companies typically protect customer passwords by encrypting them. But the 2012 LinkedIn breach was so damaging because the company had a rather lackadaisical security policy that eschewed adding a pivotal layer of security, one that would have made the encrypted jumbled text much harder to decode once it was stolen.
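The post does not name that missing layer, so as an added illustration (not part of Eowyn's post or LinkedIn's code), here is the standard one: each stored password gets its own random salt and a slow, iterated hash, so a leaked store no longer reveals which members share a password and a single precomputed table no longer unlocks everyone at once. The members and passwords below are constructed sample data.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed sample: two members share a password, one has a unique one.
# Illustrative only; not real LinkedIn data.
SAMPLE_USERS = {
    "alice@example.com": "sunshine2012",
    "bob@example.com": "sunshine2012",
    "carol@example.com": "correct horse battery staple",
}
ITERATIONS = 100_000  # work factor for the slow hash

def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: what a store looks like with the salt layer missing."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256; returns (salt, key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def verify_salted(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)

def duplicates_visible(stored: dict) -> bool:
    """True when two stored values are identical: the store itself then reveals
    which members share a password, and one lookup cracks all of them at once."""
    return len(set(stored.values())) < len(stored)

def build_stores(users: dict[str, str] = SAMPLE_USERS) -> tuple[dict, dict]:
    """Hash the same members both ways and return (unsalted_store, salted_store)."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted store reveals shared passwords:", duplicates_visible(unsalted))
    print("salted store reveals shared passwords:", duplicates_visible(salted))
    salt, key = salted["alice@example.com"]
    print("alice's password verifies:", verify_salted("sunshine2012", salt, key))
```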

The massive hack led computer security experts to wonder why it took so long for LinkedIn to figure out what happened to its own company computers, and to acknowledge it publicly. Brad Taylor, CEO of cybersecurity firm Proficio, asked: “If LinkedIn is only now discovering the scale of data that was exfiltrated from their systems, what went wrong with the forensic analysis that should have discovered this?”

It gets worse.

It turns out that the number of passwords stolen was way more than 6.5 million. In actuality, 117 million LinkedIn passwords were stolen by hackers.

Then it gets really really bad.

According to the tech news site Motherboard, on May 18, 2016, LinkedIn acknowledged that a massive batch of login credentials is being sold by hackers on an online black market called “The Real Deal”.

Worse still is this: Since we tend to reuse our passwords, the hackers who have the 117 million LinkedIn passwords are more likely to gain access to those 117 million people’s email and bank accounts as well.

Put on the defensive, LinkedIn’s chief information security officer Cory Scott said, “We take the safety and security of our members’ accounts seriously,” blah blah blah. The company is now scrambling to try to stop people from sharing the stolen goods online — often an impractical task — as well as invalidating all customer passwords that haven’t been updated since they were stolen 4 years ago.

LinkedIn also said it’s reaching out to individual members affected by the breach, but I’ve received no notification from LinkedIn. If it wasn’t for LifeLock, I would not know that my email address was hacked and is being sold on the black market.

If you are a member of LinkedIn, you should:

  1. Change your password.
  2. Add two-factor authentication, which requires a text message every time you sign in from a new computer.
  3. Here’s my advice: If you use your LinkedIn password on other accounts, change those passwords as well, especially for bank and other financial accounts, such as PayPal. I spent several hours this afternoon doing just that. I also closed my LinkedIn account.

~Eowyn