back to article LinkedIn plays down '117 million users' breach data sale

LinkedIn has responded to the recent sale of users’ data - apparently the fruits of a 2012 breach - on the dark web. As previously reported, a black hat hacker using the nickname Peace is attempting to sell 117 million LinkedIn users' emails and passwords on the dark web. "Peace" wants 5 BTC for the trove of private info which …

  1. Filippo Silver badge
    Facepalm

    "For several years, we have hashed and salted every password in our database"

    Wait, does that mean that there has been some point at which they *didn't*? More specifically, does that mean that they had a database of 117 million plaintext passwords in 2012?

    If so, there's not enough facepalm in the world for that.

    1. VinceH

      If memory serves from what I've read elsewhere on this, the bit that has changed is "and salted" - i.e. prior to the breach, passwords were hashed but not salted.

      1. bombastic bob Silver badge
        Joke

        I always want salt on my hash

        "prior to the breach, passwords were hashed but not salted."

        sprinkling some salt on my hash now.

        I normally dislike social media, but admit to having a linkedin profile. got the warnings from linkedin, the first one being an e-mail from 2AM, and the 2nd when I attempted to log in [I logged in specifically to reset my password, convenient].

        So yeah, they wanted me to reset my password, and so did I.

        Funny, when I logged in yesterday, I couldn't find the "change password" command and got caught up in updating my profile (and forgot to do it). This morning I remember "I didn't change the password". Well, they 'helped' and made it easy. Looks like 'I forgot my password' is the fastest way to get there.

        Maybe THAT is the problem - make it easier to ACTUALLY! CHANGE! THE! PASSWORD!!!

        1. ZenCoder

          Re: I always want salt on my hash

          I agree ... they make it too hard to change your password ... easier just to Google it and find the page that way.

          Also I should be informed of any data breach the first time I log in after one happens, with a link to change my password and another giving a open and honest account of what they know happened. That give me the impression that they treat their users with respect and take their security seriously.

          When I find out 4 years latter by reading a news article ... that sends an entirely different message.

          1. Law

            Re: I always want salt on my hash

            It would help if they didn't redirect you to the play store app when tapping on email links from their notifications.

            I absolutely hate the assumption you'd rather install an app that's going to scrape your contacts and phone number than just loading the damn page. Arses!

            1. Anonymous Coward
              Anonymous Coward

              Re: I always want salt on my hash

              I absolutely hate the assumption you'd rather install an app that's going to scrape your contacts and phone number than just loading the damn page. Arses!

              I rather love their presumption a while back that you're just going to allow LinkedIn to mine your email for contacts by given them your access details. Honestly, just how naïve do people get?

              LinkedIn is a very dangerous company if you work with confidential information because it allows someone else (and LinkedIn) to work out who you are connected to, and so plan a line of attack. In my opinion there is practically no better help to plan a focused business phishing attack.

              Yes, I have my name on it and some contacts, but that's mainly to point possible creative spirits in the wrong direction. I also amused myself with setting up some totally false profiles, and I've already caught some people attempting to befriend me as an apparent contact.

              It's IMHO dodgy as hell (also because it retains information you wipe - I still see recommendations come up based on some test entries).

        2. Sgt_Oddball
          Alert

          Re: I always want salt on my hash

          I'm also partial to throwing pepper in there too. Makes it even more of pain in the arse for them to rainbow table it.

          Paranoid? Moi?

        3. ideapete
          Pint

          Re: I always want salt on my hash

          Chippies do IT better

    2. asdf

      Lol didn't Ashley Madison at least do that? Funny how short shrift security for you is when you are the product and not the customer (in Linked in case anyway). Still as far as I know the biggest username (email) and pasword leak of all time (170 something million) was by Adobe back quite some time ago and I think they leaked clear text password too.

      1. Anonymous Coward
        Facepalm

        Adobe Leak...

        If playing the Adobe password leak crossword game is anything to go by, the leak did little harm as 99% of the passwords was "dog".

        For the game, see below:

        http://zed0.co.uk/crossword/

    3. BillG

      "For several years, we have hashed and salted every password in our database" Wait, does that mean that there has been some point at which they *didn't*?

      Yes, LinkedIn admitted that during the original breach in 2012, passwords were definitely NOT salted.

      So in this case, "several" = 4.

      You need a marketing-speak decoder ring when reading LI press statements. For example, when LI announced:

      In 2012, LinkedIn was the victim of an unauthorised access and disclosure of some members' passwords.

      In the above statement, to LI, "some" = 117 Million.

    4. piyushjain

      right ..

    5. Uncle Siggy

      password breaches

      Windows applications in the field on less modern server versions and applications still in service often pass credentials via clear text. Also, Windows cannot initiate a command line to send a file from point A to point B that is encrypted (the tunnel). They do have a shell mind you. Cygwin on such a server can do the job though. Also, virtual Linux/Unix hosts can, as well as OSX (Darwin fork - nevar forgat).

  2. Anonymous Coward
    Anonymous Coward

    plain text pw

    When I started my current role all co. websites stored plain text passwords.

    No one in the company even considered it to be a problem.

    I have since insisted all new sites salt & hash and implemented this myself.

    I have also begun the process of transitioning the existing sites but that is proving more complicated than expected and will take a bit of time.

    Most of the rest of the company still seem to think I'm an overcautious, paranoid, nerdy weirdo. (I concede to at least two of those but not for the reasons they think =))

    anon. for obvious reasons.

    1. Captain Scarlet Silver badge

      Re: plain text pw

      ... that's normally means whoever created said site has just offloaded it to yourself, they can now claim its been modified and don't know what you have done.

      I would be anon but I cba, I'm the one that whinges at you to destroy the user "admin".

  3. Anonymous Coward
    Anonymous Coward

    "Tis but a scratch!"

    The Black Knight was also deluded.

  4. Duffaboy

    Why worry

    The hackers have grabbed themselves a fist full of fake qualification claims and BS oh and the "Security Specialists" passwords

  5. Lt.Kije

    LinkedIn? It was a kinda nice idea, but was becoming another rat's nest of faux friends and dubious come-ons. Who needs it. I'll take care of my network myself, so Bye Bye Guys.

  6. This post has been deleted by its author

  7. Adam 52 Silver badge

    SSO

    Linkedin are an oauth identity provider, so potentially a lot more than a few social profiles are risk.

    1. WolfFan Silver badge

      Re: SSO

      Only if you used an email account with LinkedIn that you used elsewhere. I didn't. One of the nice things about using different throwaway email accounts when asked to 'register' or something like that is that it is very easy to see who is selling your info even when they swore they wouldn't, and where they're selling it to.

      1. Vic

        Re: SSO

        Only if you used an email account with LinkedIn that you used elsewhere

        LinkedIn seem to have done a load of email scraping somewhere.

        They sent me the email[1] telling me to reset my password - but they sent it to an address I've never given them. The address on my profile has not been notified...

        Vic.

        [1] I thought it was a phish at first - but it checked out.

        1. WolfFan Silver badge

          Re: SSO

          They still haven't sent me a damn thing. Apparently no-one wants my password, or at least so they'd have me believe.

          I've changed the password to something else as easy to guess. Their system didn't like it, said it was 'weak'. I agree. It is weak. I'm not wasting a good password on them. I forced the change, and now I have a different weak password at LinkedIn.

          Just to see what would happen I changed the password here at El Reg, too. That one was pretty weak, too. Still is, it's just a different weak password because I don't really care if anyone figures it out and can post as me.

  8. Unshakeable

    Whereas the recommendation to enable 2 factor ( or rather 2 step) authentication may prevent the malicious use of linked in, the 'value' of the haul ( be it 6.5 or 117 million ) would be those accounts where people use the same username (email) and password across multiple sites.

    Whilst working out how many people haven't changed username or password in the last 4 years, also try to work out how come LinkedIn is still running after all these years :D

  9. WolfFan Silver badge

    Not feeling the love

    I have a LinkedIn account. However, I have not received a notice that anyone was interested in my password. Sniff. Woe is me. No-body loves me.

    Of course, it could be that they just haven't got down to the 'W's yet, so I may yet get some attention.

  10. jms222

    It's not so much about whether salting and hashing takes place (and remember some authentication protocols require passwords to be stored plainly), it's about removing authentication and putting it in a box called an authentication server.

    The authentication server is quite separate from your web server and main databases and _only_ does some very defined things which obviously don't include outputting a password or enumerating accounts.

    But then you already knew this if that's your business. Or I hope so.

  11. Pascal Monett Silver badge
    Mushroom

    "We take the safety and security of our members' accounts seriously"

    Not seriously enough to know when you're breached before stumbling on a public sale, apparently.

    Tossers.

  12. tekHedd

    First I've heard of it...

    They never fail to send me invititations from other linkedin members through email. Wonder how that "we got hacked" email failed to get past my spam filters?

  13. Camilla Smythe

    Fair Doos Tho'

    I'm still trying to get my head around encryption, hashing and salting so it must be hard stuff and, presumably, they 'Take Security and Privacy Very Seriously.'

    So

    -!

    -!

    -!

    -!

    -!

    -!

    -!

    -!

    -!

    -!

    -!

    -!

    -!

    -!

    </rant> <- I'm not qualified to but please fill in if you are so inclined.

    That's OK Then.

    @ WolfFan

    I will be missing the love as well.

    Lost! access! to! my! Pseudo! Yahoo! e!-mail! address! used! to! sign! up! to! linked! in! years! ago! Presumably! before! 'They!' got! breached!

  14. JeffyPoooh
    Pint

    OMG! Somebody hacked my LinkedIn account !!

    It appears that a bunch of people that I barely know have vouched for my supposed skill sets, most being skills that I've never even witnessed others doing. Obviously my LinkedIn account has been hacked!!

    What's that you say? You mean this is NORMAL on LinkedIn? Seriously?

    1. Anonymous Coward
      Anonymous Coward

      Re: OMG! Somebody hacked my LinkedIn account !!

      I've endorsed you for Critical Thinking.

      1. smartypants

        Re: OMG! Somebody hacked my LinkedIn account !!

        The endorsements system is one of the funniest bits of linked in.

        They're utterly worthless. people get endorsements from people who don't really know what you do and are leaving the company imminently but give you an endorsement in the hope you'll repay the compliment. As I can't be bothered to 'curate' these idiotic endorsements, I now get lots of job adverts for ferret comber, lumberjack and plastic surgeon (non of which are my skills, and I have actually used a chainsaw once and consider myself "unskilled and quite dangerous" when near one.)

        1. werdsmith Silver badge

          Re: OMG! Somebody hacked my LinkedIn account !!

          I dabbled with linkedin a while ago, I think long enough ago to be affected by this breach.

          I found it to be as schmoozy as a golf club so quit pretty quick.

        2. Not That Andrew

          Re: OMG! Somebody hacked my LinkedIn account !!

          I must add ferret combing to my LinkdIn profile (if i can remember it).

  15. Darth.0

    Peace

    So, I like others here had a heck of a time finding the place to reset my password in LinkedIn. Fortunately, emailed Peace and he reset it for me.

    1. Anonymous Coward
      Anonymous Coward

      Re: Peace

      So, I like others here had a heck of a time finding the place to reset my password in LinkedIn.

      Weird, I didn't have that problem. Top right icon (either your profile pick, or anon like mine), choose "Privacy & Settings" and there is the selection for the password.

      While you're there, best check all the other settings as well, LinkedIn has a habit of adding permissions for things like its own Help Centre without asking.

  16. Duffaboy
    Trollface

    Potential Employers

    My Linkedin profile correctly claims that I was on the moon surface before Neil Armstrong. Honest

  17. Duffaboy
    Trollface

    117 Million !

    That's 117 Million Security specialists passwords stolen then.

  18. Anonymous Coward
    Anonymous Coward

    Whoa, a whole five BTC. LinkedIn better just buy it and reset the passwords.

  19. Ian Moyse
    Alert

    This isn't the 1st and won't be the last to happen. The sooner the better that we get a simpler and new ID method such as utilising a mobile phone biometric validating app to authenticate to sites, removing the clunky and old methods of username and password that we have lived with since the inception of computing. These methods are fundamentally flawed and combining it with the poor authentications of DOB, maiden name, etc still used, with data that can readily be harvested from social media and public sources the public are left wide open to attack.

  20. ideapete
    Pint

    Denial is not

    Thank U linked out , Denial is not a river in Egypt

  21. VinceLortho
    FAIL

    I was one of the 177 Million

    I don't use the password for anything else so the LinkedIn hack didn't affect me but I did get a couple of attempts to play me on a social hack. The method was so pathetic (a couple of emails from a Chad Wentworth and a certain Jonathon Granger or some other obvious BS names) complimenting me on my great web site (which I do not have - great or otherwise) and would I do some work for them. Lucky for us it would seem that those smart enough to use the dark web to buy stolen user lists to run scams are too stupid to rig a good one. If they were they could make better money in a straight gig.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like