26 May 2016

Millions of Hacked LinkedIn Credentials Advertised For Sale on the Deep Web

As reported by Motherboard, over a hundred million LinkedIn users have had their account information put up for sale on the Darknet.

A hacker who goes by the alias Peace told Motherboard that they had breached the professional social network LinkedIn in 2012, stealing and posting the data of 117 million users, a number far larger than LinkedIn disclosed at the time.

The hacker is now offering the data on illicit Darknet marketplaces for 5 bitcoin, which converts to about $2,200.

LeakedSource, a search engine for breached data, stated that the hacked database holds more than 150 million accounts, and that more than a hundred million of those accounts include both an email address and a password.

Back in 2012, a $5 million lawsuit was filed against LinkedIn in the aftermath of the compromise, accusing the company of obsolete security practices such as neglecting to "salt" its password hashes. Salting adds random data to each password before it is hashed, so that common passwords are much harder to crack in bulk.

Credit: motherboard.vice.com

LeakedSource provided Motherboard with a sample of almost one million credentials, which included email addresses, hashed passwords, and the corresponding cracked passwords. The passwords had been hashed with the SHA1 algorithm with no "salt", the random data that is combined with each password before hashing to make the resulting hashes harder to crack.

One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours.”

Troy Hunt, a security researcher who maintains the breach notification site “Have I Been Pwned?,” reached out to some of the victims of the data breach. Two of them confirmed to Hunt that they indeed were users of LinkedIn and that the password he shared with them was the one they were using at the time of the breach. Motherboard was able to confirm a third victim.

One of the victims told Motherboard that the password in the sample was their current one, though they changed it as soon as Hunt reached out to notify them of the breach.

“Having a password out there feels like someone being able to let themselves in to your private space whenever they like, without you knowing,” the victim, who asked to remain anonymous, said in an email.

When reached for comment on Tuesday, LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen.

“We don’t know how much was taken,” Durzy told me in a phone call.

For LinkedIn, the lesson is the same as four years ago: don't store passwords in an insecure way. For LinkedIn users, if you didn't already change your password four years ago, change it now, especially if you use it on other services (and please stop reusing passwords).

“The prevalence of password reuse means we’ll see that unlock other accounts too,” Hunt told me.

Another lesson is that even old breach data can still be valuable, because some of these passwords may still be valid.

UPDATE, May 18, 12:32 p.m. ET: LinkedIn confirmed on Wednesday that the new data is legitimate.

“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” the company's chief information security officer Cory Scott wrote in a blog post. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”

Scott also encouraged users to enable two-factor authentication and to choose strong passwords.

Source: Motherboard, BBC