Earlier this week, it was reported that the 2012 breach of LinkedIn was far worse than originally thought: instead of the 6.5 million stolen records that were reported at the time, it turned out that 167 million users were affected. 117 million of these records contained the user’s email address and password.
It wasn’t until this bigger breach was sold in dark web communities that everyone became aware of this bigger problem. LinkedIn issued a blog post that confirmed the leaked data was authentic and asked affected users to reset their passwords.
I’m one of those affected, so I played around a bit. If I would have chosen Raimund_Genes as my password, it would have been marked as green, a Fair Password. When I tried Linkedin_Raimund, it’s also marked as a Strong Password. These are not what I would call strong passwords. You had a breach and it’s getting some attention: use this opportunity to re-educate users on strong password usage.
Displaying or grabbing my browser, operating system, and location information may not be the best idea, either:
Besides the “funny” password rating, there are several things that are concerning about this whole incident. It’s not clear how a breach of this scale was missed–what led everyone to think that the 2012 incident was much smaller than it turned out to be. LinkedIn’s users deserve an explanation of what happened here–what did LinkedIn know, and when did they know it? How many users were really affected, and what data was put at risk?
While breach notification has always been a tricky subject, cursory reassurances aren’t enough, not when companies hold so much valuable data. The trust of users is essential to any business.
As for the breach itself, there are questions around that too. While it’s been confirmed to be authentic, how exactly did a breach of this scale remain hidden? Does this tell us who was responsible for the breach in the first place, and how the information was used?
This isn’t to say that LinkedIn hasn’t worked to improve their security. LinkedIn started using salted hashes to store password after the 2012 breach. They also introduced two-step verification for log-ins from new devices in 2015. These are welcome incremental steps, although they can always be improved.
For example, a proper multi-factor authentication system based on RFC 6238 has been implemented by many high-profile sites, most famously Google. This would be an improvement over the current system where only log-ins on new devices are protected.
Users concerned about the security of their LinkedIn accounts should use the tools that are available to them. Strong passwords (randomly generated and saved with a password manager) and the use of the existing two-step verification are the order of the day.
The revelation of this breach brings more questions than answers to the table. Hopefully in the upcoming days, the parties involved will be more forthcoming so that users can take the necessary steps to protect themselves.