LinkedIn mass hack reveals ... yup, you're all still crap at passwords

Analysis of passwords from the LinkedIn leak has revealed, should there be any doubt, that users remain terrible at choosing secure login credentials. Last week a black hat hacker using the nickname Peace was revealed as attempting to sell 117 million LinkedIn users' emails and passwords on the dark web. "Peace" wants 5 BTC …

  1. Anonymous Coward

    Time to...

    Ditch using social media, they can't be trusted with your details.

    Yes, I know this is an old story from 2012, my comment above relates to that time.

    1. Nate Amsden

      Re: Time to...

      And move to what? I have never had a facebook or twitter account but I do use linkedin. Though all of my info is "public" on linkedIn (just career stuff) so there is really nothing to compromise data-wise (I believe linkedin had me reset my pw back with the original breach(?)).

      I don't use linkedin for MUCH (though I am a premium subscriber), it has gotten me tons of career leads over the years (none of which I need right now), and really if just one of those pans out again in the future (little reason to think it wouldn't) it would have paid for itself right then.

      In general I'm not a social person so being able to stay "connected" to the people in my career is handy.

      I was thinking more along the lines of it shouldn't take much work to block such simple passwords from being used in the first place. I don't advocate requiring really strong passwords for something like linkedin, but people shouldn't be using 1234567 etc (unless I suppose it is a throwaway account or something). Maybe linkedin has already implemented this since this data is pretty old already.

      1. Pascal Monett Silver badge

        Re: And move to what ?

        Back to the time where your contacts were people in your phone list that you actually called every now and then to prove that you cared that much.

        1. Triggerfish

          Re: And move to what ?

          Back to the time where your contacts were people in your phone list that you actually called every now and then to prove that you cared that much.

          I would love that to be true, but there are people I know who just don't seem to use the phone anymore, it's all messenger-type apps. There are also people I know abroad, and phone calls are not cheap, or have pain-in-the-bum time differences.

          1. Vic

            Re: And move to what ?

            there are also people I know abroad and phone calls are not cheap

            Phone call pricing is really quite bizarre.

            I phoned my brother in Sydney the other week. A phone call to the other side of the planet - and it was cheaper than ringing my next-door neighbour...

            Vic.

            1. Triggerfish

              Re: And move to what ?

              You have to wonder at the real cost as well, using foreign sims to call home you start to wonder how much is operating cost and how much is profiteering.

          2. heyrick Silver badge

            Re: And move to what ?

            " there are also people I know abroad and phone calls are not cheap "

            Part of my contract includes free calls from my house phone to a land line in pretty much every country on the planet (except those usually deemed unfavourable to the world). Dunno how they account for that. I guess they make their money in that sending a single SMS from my mobile to a mobile in another country costs the same as calling them for a minute. I think the pricing is intended to confuse everybody to make operator comparisons meaningless.

      2. Rafael 1
        Windows

        Re: And move to what?

        Can't answer this question, since I am as social-network-shy as any bearded hermit in a cave in a mountain. But of the three you've mentioned LinkedIn is the most obnoxious: Facebook only bugs me about "people that I know" when I log on to it, in a small notification icon so discreet I don't even remember how it looks.

        LinkedIn, on the other hand, sends several e-mails, each week, to more than one account, about "Roger Neverheardabouthim wants to add you to his network".

        Sometimes I am tempted to play "six degrees of LinkedIn", and see if I can figure out how I am related to that twerp. A neighbor of the wife of a former student? Someone who is tempting to brag about having more contacts than the other idiots at his PR company? An Amway representative? Unfortunately I'd have to log in to discover, so I just delete the e-mails.

        1. Pen-y-gors

          Re: And move to what?

          There is a lot of linkedin spam/scams - I get the odd email (but interestingly NOT to my linkedin e-mail address) asking me to connect to someone - the strange thing is the email only offers one button "confirm you know this person" - there's no option to click on "never heard of the little sod", so only option is to delete email and ignore, until another arrives next week telling me I haven't responded yet. Who designed this shit?

          1. heyrick Silver badge

            Who designed this shit?

            A few years back I had quite a bit of spam from LinkedIn. Given the mail did come from them, I contacted them to ask if they could stop sending this junk.

            I was told I'd need to create a profile to manage my mailing preferences.

            So I decided the easier way is to create a filter. Anything from LinkedIn gets automatically binned.

        2. Anonymous Coward

          Re: And move to what?

          LinkedIn, on the other hand, sends several e-mails, each week, to more than one account, about "Roger Neverheardabouthim wants to add you to his network".

          The thing that earned LinkedIn a permanent spot in my spamassassin.cf was emails wanting to add mips@gentoo.org to peoples' networks.

          mips@gentoo.org is just an alias for those of us who maintain Gentoo Linux on MIPS processors (SGI, Cobalt, Lemote). mozilla@gentoo.org copped a few too, and years ago, I was on both aliases.

          When you consider those sorts of capers, it is clear LinkedIn don't give a damn about peoples' abuse of their network and that the "links" developed there are pretty much worthless from an employment point of view.

          Want a job in IT? Start doing some meaningful work in the open-source world. Your name will then start to appear in search engines and your work will clearly stand on its own to any employer worth working for.

      3. macjules
        Pint

        Re: Time to...

        I can still somewhat wistfully recall when 'not available' simply meant taking the phone off the hook.

      4. DrXym

        Re: Time to...

        "I have never had a facebook or twitter account but I do use linkedin. "

        I use LinkedIn but most of the time I feel more like it's using me. During a contract phase I accepted links from some agents. Big mistake. These agents get a job spec in that says "java" in it and spam everyone who comes up in a search result. Multiply that by every agent who has the spec and it's a lot of spam. It's become a cattle market and people on the system have become the cattle to be monetized for the benefit of people like agents.

        I've disconnected from the lot of them. If they want to talk with me they can spend one of their precious InMails. Chances are I'll ignore that too but at least it shows some kind of deliberate attempt to interact rather than spamming dozens of people at once.

  2. Valeyard

    it's linkedin though...

    it's so rubbish it's one of the least secure passwords in my keepass because i really don't care that much about it..

  3. Bod

    Genuine accounts?

    How many of 117 million accounts are genuine or serious accounts?

    I mean, a lot of people just knock up an account on sites to get access to view something they can't without an account. Then there are developers and testers who create many random test accounts to test an app using their API and such, and most likely use 123456 as a password.

    A lot of people also probably just sign up out of interest, put in no details and never really use it. Half my address book comes up showing people with LinkedIn accounts but half of those have empty profiles and are unused.

    I wouldn't be surprised if accounts created by recruiters and businesses that basically aren't personal accounts, also have weak passwords.

    1. Doctor_Wibble
      Devil

      Re: Genuine accounts?

      > How many of 117 million accounts are genuine or serious accounts?

      I don't think that should be an either-or question, e.g. mine is genuine but I wouldn't call it 'serious' because I barely touch it. On the other hand it's several years overdue for a revenge attack on everyone for all those 'blahblah added yoghurt knitting as a new skill' and 'blahblah moved desks again' updates that it keeps forgetting I repeatedly tried opting out of.

      I will pick the least interesting job and add as many excruciatingly irrelevant yet update-worthy details as I can think of.

    2. John Brown (no body) Silver badge

      Re: Genuine accounts?

      "I mean, a lot of people just knock up an account on sites to get access to view something they can't without an account."

      I must have done that at least a dozen times on LinkedIn over the years. I have no idea what names or passwords I used because I never have any intention of ever accessing those accounts ever again. The question is, does LinkedIn or similar sites ever do housecleaning? Or are they, like many "social networking" users, all doing the same thing and using numbers of "friends" for bragging rights?

      Anyone who creates a social media account then either never uses it or doesn't even log in for more than 3 months really ought to be marked dormant then deleted after 6 months. (The account, not the user!)

      1. allthecoolshortnamesweretaken

        Re: Genuine accounts?

        Thanks for the clarification as to what is to be deleted!

        But they won't do that - their selling point is "Look at our huge user base! And it keeps growing!"

        1. Anonymous Coward

          Re: Genuine accounts?

          A better approach would be to publish "active" accounts only in user base statistics (those accessed in the last three months for example). People paying for linkedin accounts should get a pass. They deserve to use their accounts as much or as little as they like.

          On the other hand, the duff and dead free accounts should not be counted as active, for truth in advertising, if nothing else. Web hit counters that should report unique or new visits only face a similar dilemma when they don't discard crawlers and other bots from their stats.

          Anyway this latest news may cause a few of those 117 (164 or 167) million pwned LI users to visit their accounts again to change their passwords. I certainly did and I am a Premium user.

          For more fun and games check Troy Hunt's https://www.troyhunt.com/ to see where your email has shown up in data-breach land. Quite eye-opening, some decent blogs as well.

      2. Anonymous Coward

        Re: Genuine accounts?

        They might do some housecleaning. I occasionally browse through the "people you may know" list. At least two of the accounts I used to see on the list were deceased. I haven't seen them on the list in the last couple of months, so they may have had their accounts deactivated. One of the contacts was pretty high profile (retired Congressman) so he'd be a candidate for manually dealing with the account (or, more likely, having a staffer remove/lock/etc. the account). The other person was much more low profile.

  4. Dave W

    Tosh

    There's also the argument that as LinkedIn is such a steaming pile of tosh, many people (myself included) use crap (weak) disposable passwords.

    There's absolutely nothing of value in my LinkedIn account - just lots of people trying to connect with me so that they can try to sell me stuff, and the credentials I used are so weak that I wouldn't dare use them anywhere else.

    1. Anonymous Coward

      @Dave

      "just lots of people trying to connect with me so that they can try to sell me stuff"

      Which could just as easily originate from a bunch of spam drones. In other words: compromised accounts from people who thought just like you and also didn't see the need to apply better security.

      1. Valeyard

        Re: @Dave

        compromised accounts from people who thought just like you and also didn't see the need to apply better security.

        nah, contracting agency drones, even more soul-less

  5. Tom Wood

    Attitudes to risk

    I really don't want someone to get access to my bank account, or my email account, or root access to my servers, so I use secure passwords for them.

    But LinkedIn, or for that matter some random forum such as this one, what's the worst that can happen if someone logs in as me?

    The main risk if someone steals my login details from the likes of LinkedIn (or indeed this forum, which doesn't even use an HTTPS connection...) is if I use the same email and password combo for either this site and others, or for my email account, in which case they can get access to all the "forgotten password" emails and the like.

    But if I don't, then what's the problem?

    I have a better lock on the front door of my house than I do on my garden shed, for much the same reason. Get into the shed and at most you can steal some plant pots, potting compost, barbecue charcoal and a bit of garden furniture maybe.

    1. Banksy

      Re: Attitudes to risk

      "But LinkedIn, or for that matter some random forum such as this one, what's the worst that can happen if someone logs in as me?"

      In the case of LinkedIn they could get in touch with your contacts and tell them they're a c**k, that you shagged their mum, that you worked somewhere disreputable, that sort of thing. That's what I'd do anyway.

      1. Anonymous Coward
        Pint

        Re: Attitudes to risk

        but by me using a crap password, I could tell everyone that I endure they are complete utter cocks, then blame it on the hack.

        Win all round

      2. Vic
        Joke

        Re: Attitudes to risk

        In the case of LinkedIn they could get in touch with your contacts and tell them they're a c**k, that you shagged their mum, that you worked somewhere disreputable, that sort of thing.

        ...Or they could say something that's untrue...

        Vic.

    2. Charles 9
      Devil

      Re: Attitudes to risk

      But the problem is, what if you ALSO accidentally dropped a bit of a bill or something else that can identify you more completely. Then that shoddy shed lock just became an inroad to social engineering or even identity theft. That's why ANY site with a bad password can be risky. ANY information they can glean from it can be used to reconstruct your identity, at least to the point they can employ social engineering to get more information and then eventually they have enough to compromise or steal your identity.

      1. Tom Wood

        Re: Attitudes to risk

        "ANY information they can glean from it can be used to reconstruct your identity, at least to the point they can employ social engineering to get more information and then eventually they have enough to compromise or steal your identity."

        They *could*. But *would* they?

        Your common-or-garden cybercriminal, much like your common-or-garden house burglar, will go for the easiest targets. They're after quick money not some convoluted identity theft.

        In practice, my LinkedIn password is better than "password" or "12345678", but not as good as 12 truly random characters or whatever. Which is fine, as long as there are lots of people who have passwords worse than mine; just as my house isn't likely to get burgled as long as I have pretty good locks on the doors, and the guy down the street has crap ones.

        1. Charles 9

          Re: Attitudes to risk

          "Your common-or-garden cybercriminal, much like your common-or-garden house burglar, will go for the easiest targets. They're after quick money not some convoluted identity theft."

          But you could always have motivated enemies out to target you specifically or one who just feels like putting forth extra effort, like you say, so as to steal an identity and milk it for all it's worth (one big haul versus many little ones) much like sociopathic stalkers who groom their victims over time.

  6. m0rt

    I was informed by haveibeenpwned this morning. The email address was one that has been defunct (I still have the domain, though) since late 2008. I 'killed' my Linkedin account when they, by default, started allowing the profiles to be indexed by google without an opt-in for this.

    So the account was three years defunct by the time the data was leaked. This is also looking like one of the biggest data dumps of users to date.

    I am not arsed about my old LI account. But it hits home that if, say, Amazon ever had a rogue employee, or were hacked, (though I imagine Jeff has some seriously dodgy internal police force that use 'justifiable' force), then I would be worried. I realised, recently, that my amazon account, with all the purchases visible since 2000, and a lot of addresses I have used over that time, has more info about me than probably any other online resource. Including gov sites. (Exception of GCHQ probably - Hi guys).

    1. Seajay#

      2FA on amazon

      Did you know you can trick amazon uk into enabling 2FA even though (for no obvious reason) it isn't available here yet?

      http://www.techworld.com/security/how-brits-can-enable-amazon-two-factor-authentication-security-now-3631955/

      Worth doing.

  7. JimmyPage Silver badge
    Thumb Up

    Not about linked in, but a plug for "haveibeenpwned.com" (and Lastpass)

    Been signed up with them for a few years now, and this is the first alert they have had to send me ...

    You're one of 164,611,595 people pwned in the LinkedIn data breach

    Like others here, my LinkedIn password is probably the lowest level, since it's not really used much. Still I note (with interest) that it was last changed in 2014 (Lastpass notes such things).

    Oh, and a big-up for Lastpass here. I just tried their "autochange password" function (on LinkedIn) and it worked a charm. So weighing cloudy encrypted vault against top-notch per-site password protection, I'll risk Lastpass any day.

  8. 0laf
    FAIL

    Maybe not now

    This was 4 years ago.

    Maybe we're all great at passwords now...maybe.

    I got the domain list this morning and I think out of 300 accounts about 20 of them were still valid. Most of the remaining users could barely remember using LinkedIn if at all.

  9. smartypants

    Stop being surprised at shit passwords

    Passwords are a broken way to enforce security. How much more proof do we need that significant numbers of people find passwords a bother and always will?

    When are we going to start building a replacement for this broken idiom which humans have no problems with?

    1. Pascal Monett Silver badge

      Probably as soon as you explain what better method we could use.

      And if you answer biometrics, you've lost.

      1. smartypants

        I didn't expect this.

        In years to come, the proof that passwords are a good way to enforce security will be that some bloke pointed out how shit they were and didn't provide an alternative.

        Seriously

        Lol.

        1. Charles 9

          Re: I didn't expect this.

          "In years to come, the proof that passwords are a good way to enforce security will be that some bloke pointed out how shit they were and didn't provide an alternative."

          What if someone produced a true reductio ad absurdum that showed that anything other than passwords is provably worse than passwords, which we know to be unacceptable because people can have bad memories. Then I have to wonder where we go from there...

          1. Pascal Monett Silver badge

            Passwords are not a good way to enforce security. Like democracy, they are the least bad way we have now.

            Because if your eyeball gets compromised, what do you do then ?

            1. Charles 9

              "Passwords are not a good way to enforce security. Like democracy, they are the least bad way we have now."

              Only thing is, we're realizing all these "least bad" solutions are not acceptable. So we need an alternative that is better than the least bad solution out there, and we need it soon before the whole house of cards collapses in on itself.

              1. cbars Bronze badge

                "So we need an alternative that is better than the least bad solution out there"

                Half a password?

      2. Charles 9
        FAIL

        "And if you answer biometrics, you've lost."

        And if you answer anything OTHER than biometrics (because for many people biometrics is all they have, literally. No phones and terrible memories for anything else), you've lost, too.

        Meaning we're lost either way. Meaning it's a lost cause...

  10. wolfetone Silver badge
    Coat

    Glad to see my 987654321 password isn't in the Top 6.

    I'm doing security correctly.

    1. Anonymous Coward

      987654321

      Sort-of-related story: a colleague used to play a version of Lotto/Powerball with the numbers 1-2-3-4-5-10. His theory was that if ever 1-2-3-4-5-6 was drawn, lots of clueless yokels would have to share the prize, but with 1-2-3-4-5-10 the top prize would be all his.

      Changing my password to 1-2-3-4-5-10 in 9, 8, 7, 6...

      1. 0laf
        Boffin

        Re: 987654321

        He's right.

        Loads of people have 1-2-3-4-5-6, it's just as likely to come up as any other combination but as he said if it does come up it'll be shared between thousands.

        If he wants to keep it all for himself he should pick a range of numbers above 31. Many people use dates of birth for picking numbers and you cut them out of the share above that. And you're just as likely to win. Which is not very these days.

        1. Charles 9

          Re: 987654321

          No, because people know there are numbers above 31 and start looking for other sources of numbers. Clocks and times provide up to 60 in this case, and years can cover any lottery spread there is right now.

      2. JimmyPage Silver badge
        Happy

        Re: lottery wins

        I recall a story that the NY lottery was once won by hundreds of people.

        The reason ? The winning numbers made an "X" in the playslip .......

      3. Steve Graham

        Re: 987654321

        I analyzed the winning stats and got a set of numbers which only or mainly occurred in single-ticket jackpots.

        It didn't help. They kept taking my money and never awarded me a prize.

  11. Lucasjkr

    How come nearly the first thing that was ever told to me was that each password gets its own unique salt, yet so many developers who are paid multiple times what I earn thanks to lucrative stock options at places like LinkedIn, never think about this?

    1. John Brown (no body) Silver badge
      Joke

      I think the first thing I was ever told was "Aaaaaawwwwww, don't you look cute!". It was a number of years later before I was told anything about passwords. Probably some while after I learned to speak.

  12. Anonymous Coward

    Advice please

    Hoping to ask some people who know more about security than me some advice! I have been guilty in the past of sharing passwords between sites and think it is time to tighten things up. I was thinking of doing the following and wondered if this sounds sensible?

    1. Get an account for something like KeePass or 1Password Manager

    2. Create a strong, unique password for this service that isn't used anywhere else.

    3. Create random, strong passwords unique to each other account using something like https://www.random.org/passwords/

    4. Store those in my password manager

    I guess my only real concern is how secure is 1 + 2?

    1. Alan Mac

      Re: Advice please

      These password managers tend to be able to create the passwords for you as well:

      http://keepass.info/features.html#lnkrandgen

      1. Roland6 Silver badge

        Re: Advice please

        These password managers tend to be able to create the passwords for you as well

        However, what they won't do is automatically change your password. One of the features of the LinkedIn breach is the information LinkedIn disclosed about how infrequently people actually changed their passwords; many not having been changed since the 2012 breach; basically people don't (change their passwords) unless they forget it or are forced to (as LinkedIn has done this time round).

        I suggest that the use of password managers doesn't change this behaviour and may in fact encourage people to not periodically change passwords, since they no longer have to remember them and hence are even less likely to suffer from a memory lapse.

        1. Charles 9

          Re: Advice please

          WHY do people need to change their passwords periodically if people follow the best practice of using a different password for each and every site? If the password's been breached, it won't work anywhere else, and odds are the password gets breached before ANYONE knows about it, making the whole "change the password" exercise moot as odds are the criminal will change the password THEMSELVES once they have it--to block backhacking.

          IOW, with password managers and different passwords for every site, it's either too early to worry about or too late to do anything to fix it, with no middle ground.

    2. Nick Ryan Silver badge

      Re: Advice please

      Keepass can run as an independent application and all it needs is to access your Keepass data file.

      Keepass comes with a Portable version (no installer required), download from the keepass website itself: http://keepass.info/download.html.

      The next step is that you need to keep the Keepass data file available to you. There are many ways of doing this; the issue is likely to be not having a single (losable) copy on something like a memory stick and instead using a web storage service of some form. Pretty much any of them would do as long as you trust the encryption of the Keepass application and the strength of your password to it.

      1. Charles 9

        Re: Advice please

        So what happens when a zero-day drops a keylogger onto one of the devices and nabs your master password?

        1. Nick Ryan Silver badge

          Re: Advice please

          ...or somebody guesses the master password, or watches you type it in, or the keepass encryption algorithm has flaws, or the application itself...

          While services such as keepass are very useful they do shift the focus onto a single password with which an attacker will get access to a lot of services.

          1. Charles 9

            Re: Advice please

            But it seems the "least bad" solution there is for someone with a bad memory. Unless you're saying the least bad solution still isn't good enough...

  13. cs94njw

    FFS. What really p155es me off at the moment, is websites trying to increase the complexity of passwords that I use.

    But it's for websites where I don't store personal information, or where I don't care if I'm "hacked".

    LinkedIn - password "1234" is more than ample. Someone hacks it, deletes the profile? I'll re-enter it.

    Facebook - hmm... there's some nice history/photos I'd like to keep, perhaps a more complex password.

    Banking/shopping website - OK, full-on password here.

    By forcing more complex passwords, it makes us re-use the passwords we use for banking.

    Or dream up another one, which we're likely to forget.

    1. Roland6 Silver badge

      Re: LinkedIn - password "1234" is more than ample.

      Whilst I understand your point, I suggest it depends upon both the characteristics of a particular website and your password reuse policy.

      Looking at the KoreLogic analysis, what is interesting is that only 1.14M users out of 117M accounts, ie. approximately 1%, use the most common password, for LinkedIn, of "123456". So whilst in theory a hacker might get lucky every 100 accounts they try to gain access to, these odds will be lengthened by other security measures such as timeouts after so many failed attempts from the same session and account locking after so many failed attempts from any session. The question really is what additional security measures have LinkedIn instigated to identify improper access attempts.

      1. Anonymous Coward

        Those counter-measures, though, could probably be defeated by a botnet. Each bot only tries one account once, maybe twice, so there's no real way for an IDS to figure the scheme out since they use different IPs, only use 1 account per IP to defeat IP tracking (since now you can't tell whether it was an attempt or an honest mistake), and only go a couple times to avoid timeouts. And this is a world where the criminals only need to be lucky ONCE, so like spammers they're willing to cast a wide net.

  14. bigphil9009

    Using "linkedin" as a password

    If you don't value your LinkedIn account particularly, as a lot of people probably don't, then the use of "linkedin" as a password isn't all that bad - after all, you're unlikely to be using that password elsewhere, and that is where the real problem lies.

    1. ThomH

      Re: Using "linkedin" as a password

      I was in the process of saying exactly the same thing.

      If you (i) don't consider it much of a loss if somebody else accesses your LinkedIn account; and (ii) don't want to share your LinkedIn password with any other site because LinkedIn passwords might leak; then something both unique to the site and easy to remember is ideal.

      Mine are usually slightly better than that but I am definitely guilty of having very little regard for the quality of passwords that I use for sites which have no privileged information about me whatsoever. What's the worst that can happen here? Somebody might delete or graffiti my online CV? Not only do I have it in various other forms but I'm pretty sure I could reconstitute it from nothing with fairly limited effort. It's not particularly difficult to remember which university I went to and the list of my employers since then.

      EDIT: hasty update on this, per the haveibeenpwned.com suggestion above, my LinkedIn password has leaked. So I guess I'll change it. But it's hard to feel a sense of urgency.

  15. breakfast Silver badge
    Mushroom

    The worst social network

    People complain about Twitter being full of insane hateful trolls ( it is ) and Facebook being full of awful passive-aggressive dolts posting endless tiresome minion memes ( it is ) but the true dregs of humanity are to be found on Linked In.

    I don't even like to use the term in polite company, but Linked In is jammed full of recruitment agents.

    Awful. The worst.

    1. 0laf

      Re: The worst social network

      And salesmen. don't forget the salesmen.

      1. Michael H.F. Wilkinson Silver badge
        Happy

        Re: The worst social network

        Just reply to the recruitment firms you are a headhunter .....

        A real one .....

    2. Duffaboy

      Re: The worst social network

      And users who are a bit economic with the truth

  16. macjules

    Reason for the price drop?

    Is it perhaps due to the Acer Predator 15 G9-591-73MY, the supposed #1 choice in gaming laptops, having come down in price to $2,200?

  17. Anonymous Coward
    Anonymous Coward

    There's no reason to use a strong password on linkedin

    No one wants to "hack" your linked in profile. So you use the same password you use for all the sites you don't care about. A hacker who gets my linkedin password can visit my profile on a few online forums, shopping sites where you need a password to view order status, and the like. I'm not changing it, because I don't care if they get into those sites because they can't hurt me in any way.

    I use different & better passwords on sites that matter, so that if one is compromised it is just that one. But I can't be bothered to use a different strong password on every site. And yeah, I know about password managers, but I can't be bothered with that for sites I don't care about.

  18. DrXym

    No salting?

    That link suggests that all the attackers needed to do to find the most common passwords was count duplicates. So 7c4a8d09ca3762af61e59520943dc26494f8941b was 123456 and they could count them up and crack them.

    LinkedIn, a site which should know better didn't even bother to salt its passwords. Not acceptable, not even in 2012.
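
The point made above, as an added example that is not part of any commenter's post: with an unsalted hash, every user who picked the same password gets the same hash, so the most common passwords can be ranked just by counting duplicates in the dump (and 7c4a8d09ca3762af61e59520943dc26494f8941b is indeed plain SHA-1 of "123456"). A per-user salt plus a slow hash (PBKDF2-HMAC-SHA256 here; the specific parameters and the sample password list are constructed for illustration) makes identical passwords hash differently, so that frequency analysis no longer works.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample of plaintext passwords, standing in for the kind of
# skewed distribution found in the leaked dump (not real LinkedIn data).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "linkedin", "linkedin",
    "password", "123456", "qwerty", "linkedin",
]

# Hypothetical work factor for the example; real deployments tune this.
PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the scheme attributed to the 2012 dump."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salted, slow hash. The salt is stored next to the hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return digest.hex()


def hash_frequencies(passwords, salted: bool) -> Counter:
    """Build a 'dump' from the sample and count how often each hash appears."""
    if salted:
        # A fresh 16-byte random salt per account, as a real scheme would use.
        hashes = [salted_hash(pw, os.urandom(16)) for pw in passwords]
    else:
        hashes = [unsalted_sha1(pw) for pw in passwords]
    return Counter(hashes)


def most_common_unsalted(passwords, n: int = 3):
    """Frequency analysis on the unsalted dump: identical passwords collapse
    to one hash, so the top entries are visible without cracking anything."""
    return hash_frequencies(passwords, salted=False).most_common(n)


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Login check against a stored salted hash, using a constant-time compare."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    print("unsalted, most common:", most_common_unsalted(SAMPLE_PASSWORDS))
    salted_counts = hash_frequencies(SAMPLE_PASSWORDS, salted=True)
    print("salted, max duplicates:", max(salted_counts.values()))
```

Run stand-alone, the unsalted dump shows the "123456" hash four times and the "linkedin" hash three times, while every entry in the salted dump is unique. Salting does not stop an attacker from guessing a weak password for one account; it stops the whole dump from being attacked at once and hides which passwords are popular.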

  19. Jeffrey Nonken

    OMG now I'm going to have to change the combination on my luggage!

    Seriously... My LinkedIn password is rubbish, but it's not THAT rubbish.

  20. Tommy Pock

    If my password was 'blimeythisisalongpa$$word128bitsofentrOPy' it wouldn't matter a jot if a server has been hacked. I'd have been just as secure with 'passw0rd'.

  21. jzl

    LastPass

    I use a 20 character randomly generated password for LinkedIn. Just changed it with one click to another randomly generated 20 character password.

  22. Anonymous Coward
    Anonymous Coward

    Passwords are rubbish and a single point of failure

    Better to deploy 2FA and other techniques. These will at least keep you a few steps ahead of the script kiddies and other miscreants that seem to walk through so many mainstream site's security with such astonishing ease. But it does become a pain when you can't find the "something you have".

    1. Charles 9

      Re: Passwords are rubbish and a single point of failure

      And what if people don't routinely carry a second factor with them (say they hate cell phones)?

  23. Darth.0

    I'm secure

    I didn't see qwerty on the list, which means my new password has been selected.

  24. Roland6 Silver badge

    Kore Logic

    It would seem that Kore Logic should be proactively offering password DB analysis to the major online businesses, rather than restricting it to analysis of 'liberated' DB's.

  25. JimmyPage Silver badge
    Stop

    All this casual "who cares about my LinkedIn" password ?

    On the one hand - a fair point.

    On the *other* hand, LinkedIn - like a great many sites with the ability to post text on - is a vector for potential libel suits or worse, depending on your jurisdiction.

    If your LinkedIn account were to be compromised - without your knowledge - then you might be on shaky ground with a defence.

    Probably better to be as cautious as possible with *all* passwords.

    Hence another vote for a complex-password-generating password manager .....

  26. Anonymous Coward
    Anonymous Coward

    Yeah, so people use crap passwords. So what? My password for linkedin was a variant of what I use for many sites: a random letter combination I use for almost all passwords (no financial websites) and the phrase linkedin. Why? I manage my own passwords and just want them to be non-unique. If someone were to get my password for something and start to manually try other random websites, they might hit another one. So what: they can now post pictures on my facebook account as well. Whatever.

    All this sort of misses the larger point: if large businesses whose business model is the storage and manipulation of data have such crap security that 164 million logins and passwords can be swiped, what does it matter if my password is emmmcatbttihhmhp$50edmtmtptboayani (Eenie meenie miney mo catch a tiger by the toe if he hollers make him pay fifty dollars every day my mother told me to pick the best one and you are not it) or LinkedIn ??? It's still now out there and available for sale by some dimwit to some darkwit. Using "password" as your password for everything online? Sure, stupid. But hardly the larger problem.

  27. J.G.Harston Silver badge

    Err.... but LinkedIn is just (effectively) a chat site, and a very low-traffic site at that. As long as I don't use my trading account password or my banking account password, what's the harm? For throw-away things like FarceBeuk and LinkedIn I *do* use such crappy easy-to-remember throw-away passwords, whereas my financial accounts have regularly-changed horse battery staples. The thing that really annoys me is sites such as job vacancies sites that insist you use a bank-account-strength password just to frikking read the frikking job adverts.

    1. Charles 9

      Social Engineering.

      They can glean information off your "throwaway" accounts to learn more about you to pull off social engineering attacks so as to perhaps execute a password reset attack on a higher-profile site.

      Think of it like a social version of privilege escalation.

  28. lurker 82
    Linux

    Official email from LinkedIn

    FWIW: I just got this:

    Subject: Important information about your LinkedIn account

    Notice of Data Breach

    You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.

    What Happened?

    On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.

    What Information Was Involved?

    Member email addresses, hashed passwords, and LinkedIn member IDs (an internal identifier LinkedIn assigns to each member profile) from 2012.

    What We Are Doing

    We invalidated passwords of all LinkedIn accounts created prior to the 2012 breach that had not reset their passwords since that breach. In addition, we are using automated tools to attempt to identify and block any suspicious activity that might occur on LinkedIn accounts. We are also actively engaging with law enforcement authorities.

    LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.

    What You Can Do

    We have several dedicated teams working diligently to ensure that the information members entrust to LinkedIn remains secure. While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well.

    For More Information

    If you have any questions, please feel free to contact our Trust & Safety team at tns-help@linkedin.com. To learn more visit our official blog.
