Last week on the official LinkedIn blog, the company’s chief information security officer, Cory Scott, reported that the company had become aware of an additional, newly released set of data consisting of e-mail and hashed password combinations of more than 100 million LinkedIn members. This release stems from the 2012 unauthorized access and disclosure of LinkedIn members’ passwords:
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach. –LinkedIn Official Blog, May 18, 2016
In response, LinkedIn invalidated the passwords of accounts created before the 2012 breach whose owners had not changed their passwords since then, and it began notifying affected members individually that they needed to reset their passwords. The notices included the following instructions (received on May 19):
Originally, LinkedIn believed that 6.5 million hashed passwords had been stolen, but the number now appears to be as high as 160 million e-mail and password combinations.
In his blog post, Cory Scott noted that for several years (probably since the 2012 theft) LinkedIn has been “salting” its stored passwords, that is, appending random data to each password before hashing it, to make the stored hashes harder to crack. Salting is primarily a defense against dictionary attacks, in which a cybercriminal hashes a list of likely passwords (e.g., words from a dictionary) and compares the results against the stolen hashes to recover the originals; because each password carries its own random salt, a single precomputed table of hashes cannot be reused across all accounts, and the work must be repeated for every account.
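To make the salting point concrete, here is an added Python example (not code from LinkedIn or from the original post) that compares unsalted and salted password storage and runs a defender's audit of each against a small list of likely passwords. The member records, the word list and the choice of SHA-256 as the hash are all constructed stand-ins for illustration.

```python
import hashlib
import os

# Constructed sample data (not from any real data set); two members share a password.
MEMBERS = {
    "alice@example.com": "sunshine",
    "bob@example.com": "sunshine",
    "carol@example.com": "Tr0ub4dor&3",
}
# Constructed stand-in for a list of likely passwords (dictionary words, common picks).
WORDLIST = ["123456", "password", "sunshine", "linkedin", "qwerty"]

def hash_unsalted(password):
    # SHA-256 is a stand-in for illustration only; a real password store should
    # use a slow, purpose-built password hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt):
    # The random salt is mixed in before hashing, so equal passwords hash differently.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def store_unsalted(members):
    # Identical passwords produce identical stored hashes.
    return {m: hash_unsalted(p) for m, p in members.items()}

def store_salted(members):
    # A fresh 16-byte random salt per member, stored next to the hash.
    store = {}
    for m, p in members.items():
        salt = os.urandom(16)
        store[m] = (salt, hash_salted(p, salt))
    return store

def audit_unsalted(store, wordlist):
    # Defender's audit: build one table of likely-password hashes and look every
    # account up in it. Hash work is len(wordlist), however many accounts exist.
    table = {hash_unsalted(w): w for w in wordlist}
    weak = {m: table[h] for m, h in store.items() if h in table}
    return weak, len(wordlist)

def audit_salted(store, wordlist):
    # Same audit against salted storage: no shared table is possible, so each
    # candidate is re-hashed with every member's salt: len(store) * len(wordlist).
    weak, work = {}, 0
    for m, (salt, h) in store.items():
        for w in wordlist:
            work += 1
            if hash_salted(w, salt) == h:
                weak[m] = w
    return weak, work
```

Both audits flag the same two weak accounts, but the unsalted store reveals that alice and bob share a password before any guessing starts, and the salted store triples the hash work for just three members; on a store of 100 million hashes that factor is what salting buys.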
After the 2012 attack, LinkedIn worked with the FBI to investigate the password theft. When thinking about stolen passwords, it is important to remember that a theft has occurred, and that law enforcement agencies such as the FBI can be brought in to investigate the theft of electronic assets, including users’ passwords.
This latest resurfacing of an older breach should serve as both a reminder and an example. It is a reminder that the full size of a data breach is seldom known immediately, and that the consequences for a company—even just in terms of account security—can linger for years. It is also an example of why any company whose passwords have been compromised must keep evaluating and acting: even after new security measures are in place, issues created by a breach years earlier may still need to be addressed.