Once upon a time, back in the year 2012, a social network was hacked. After the hack everything went back to normal and everyone lived happily ever after never having to worry about any security concerns.
Nice story, right? Yeah, it’s fiction.
Unfortunately, the real story goes a little more like this. LinkedIn was hacked by a cybercriminal in 2012, with information on (an assumed) 6.5 million accounts taken. Neither the cybercriminals nor the social network disclosed the severity of the breach to the public. Four years later, a cybercriminal who goes by ‘Peace’ is selling 167 million LinkedIn accounts on the dark web. His asking price: 5 bitcoins, or around $2,200.
So how do we know that it’s a legitimate data dump? Troy Hunt, the developer behind have I been pwned?, a website that lets the public check whether they were affected by known data breaches, thinks that the data set of hacked LinkedIn accounts is real. Hunt said, “I’ve seen a subset of the data and verified that it’s legit.”
“Passwords were stored in SHA1 with no salting,” said an administrator from LeakedSource, a data leak indexing website. “This is not what internet standards propose. Only 117m accounts have passwords and we suspect the remaining users registered using Facebook or some similarity.”
Typical best security practice is to store passwords in hashed form in the database. Hashing is a one-way method of creating unique cryptographic representations of strings, called hashes, so that users’ passwords stay as safe as possible. Converting a hash back into the original password should not be possible, which is why it is safer to store hashes than plaintext passwords. But older hashing functions like SHA1 and MD5, particularly when used without a salt as in this breach, are not fully protected from advanced cracking techniques: the same password always produces the same hash, so one cracked hash unlocks every account that shares it.
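The following is an added example (not code from the original post or from LinkedIn) contrasting the storage scheme described above, bare SHA1 with no salt, against a salted, iterated hash. The user names and passwords are constructed; the `duplicate_hash_groups` check is a hypothetical defender-side audit that flags accounts sharing an identical stored hash, which only happens when hashing is unsalted.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample users; not data from the breach.
USERS = {"alice": "correcthorse", "bob": "correcthorse", "carol": "hunter2"}


def sha1_unsalted(password: str) -> str:
    """The scheme described in the post: bare SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, from the standard library).
    Stored as 'iterations$salt_hex$digest_hex' so verification can recover both."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def duplicate_hash_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Hypothetical audit: group users whose stored hashes are identical.
    With unsalted hashes, every user in a group has the same password, so
    cracking one entry exposes all of them. Salted hashes never collide this way."""
    groups: Dict[str, List[str]] = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    print("unsalted duplicate groups:", duplicate_hash_groups(unsalted))  # alice and bob
    print("salted duplicate groups:  ", duplicate_hash_groups(salted))    # {}
```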
The moral of this story: change your passwords, especially after a breach occurs on a site that you are affiliated with (e.g. LinkedIn hacked, Adobe hacked, etc.). Many users have not changed their passwords, so we highly recommend that you go and change your password now! LinkedIn has enabled a two-factor authentication option to help combat cybercriminal activity, so be sure to use it!