You hear about hacks daily, and generally they don’t affect you, so you ignore them, right? Well, this is one you might want to take notice of. The business social networking site LinkedIn was hacked in 2012, with 6.5 million people’s credentials posted online. LinkedIn never actually confirmed at the time how many accounts they thought had been compromised, but the advice at the time was to change your password.
It has now come to light that more than 100 million accounts were compromised by a hacker going by the name “Peace”, who gained access in 2012. The passwords have been checked by independent parties and confirmed as legitimate.
Is the story reliable?
The original news was brought to light by Motherboard, and the site leakedsource.com has obtained a copy of the database. LeakedSource contacted three members from the hacked database, and these users confirmed that their details were correct.
The passwords in the database were hashed with SHA-1, but the hashes were not salted. A salt is a random value combined with each password before it is hashed, so that two users with the same password end up with different hashes and precomputed tables of common passwords no longer match; it makes the file very difficult (not impossible) to reverse engineer.
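To make the difference concrete, here is an added example (not code from the original post or from LinkedIn) that audits a constructed, fake dump in the leaked format for shared unsalted SHA-1 hashes, then shows the salted, slow-KDF storage scheme that removes the problem; all user names and passwords are made up.

```python
import hashlib
import hmac
import os
from collections import Counter


def unsalted_sha1(password: str) -> str:
    """Legacy scheme as used in the leaked database: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample in the leaked format (email, hex SHA-1); fake accounts.
SAMPLE_DUMP = [
    ("alice@example.com", unsalted_sha1("linkedin2012")),
    ("bob@example.com", unsalted_sha1("hunter2")),
    ("carol@example.com", unsalted_sha1("linkedin2012")),  # same password as alice
]


def duplicated_hashes(dump):
    """Return {hash: count} for hashes shared by more than one account.

    Without a salt, equal passwords give equal hashes, so recovering one
    password exposes every account that shares the hash.
    """
    counts = Counter(h for _, h in dump)
    return {h: n for h, n in counts.items() if n > 1}


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Hardened scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str):
    """Store a fresh 16-byte salt alongside the derived hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison avoids leaking match length via timing."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored hashes once salted."""
    _, h1 = create_record(password)
    _, h2 = create_record(password)
    return h1 != h2
```

Running `duplicated_hashes(SAMPLE_DUMP)` reports one hash shared by two accounts, which is exactly the cross-account exposure salting prevents.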
So what does this mean to you?
It’s quite simple really. From my experience working in IT, you have probably used your LinkedIn password for many other accounts. A lot of the other accounts you have, like your email address, website, etc., will already be visible on LinkedIn, so the first step is to change your password on the LinkedIn site. Then you need to ask yourself whether this password has been used for your other social sites, email, etc., and change them immediately. This might seem a little drastic, but this information is on the web and you are at risk if you are reusing passwords.
LinkedIn has now confirmed the leak:
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” the company’s chief information security officer Cory Scott wrote in a blog post. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
Keeping all of your passwords safe is a PITA, but it doesn’t need to be. You can use the same password or a variation of it as long as you also use two-factor authentication. Two-factor authentication should always combine:
- Something you know – your password
- Something you have – a third-party authenticator app or token on your phone; biometrics (a fingerprint scanner etc.) count as a further factor, something you are
Google Authenticator is free and I use it for everything. Just don’t forget your phone if you need to access your accounts; I have done that and it has caused me problems in the past.
Stay safe folks and get to changing those passwords!