The LinkedIn Hack – what you need to know.

Last week there was no escaping news of the latest data breach. The LinkedIn hack of 2012 which we thought had “only” exposed 6.5M password hashes (not even the associated email addresses so in practice, useless data), was now being sold on the dark web.

It was allegedly 167 million accounts and for a mere 5 bitcoins (about NZ$3.3k) you could jump over to the Tor-based trading site, pay your Bitcoins and retrieve what is one of the largest data breaches ever to hit the airwaves.

From LinkedIn officially:

You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.
What Happened?
On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.
What Information Was Involved?
Member email addresses, hashed passwords, and LinkedIn member IDs (an internal identifier LinkedIn assigns to each member profile) from 2012.
What We Are Doing
We invalidated passwords of all LinkedIn accounts created prior to the 2012 breach that had not reset their passwords since that breach. In addition, we are using automated tools to attempt to identify and block any suspicious activity that might occur on LinkedIn accounts. We are also actively engaging with law enforcement authorities.
LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.
What You Can Do
We have several dedicated teams working diligently to ensure that the information members entrust to LinkedIn remains secure. While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well.
For More Information
If you have any questions, please feel free to contact our Trust & Safety team at tns-help@linkedin.com. To learn more visit our official blog.

A list of the worst passwords in the LinkedIn hack is remarkably familiar, but unremarkably depressing.

A list of the most popular passwords used by LinkedIn in 2012, at the time of the hack that recently came to light (again), was published by LeakedSource. The cache of 117 million accounts were hashed with the SHA-1 algorithm, a once-strong hashing system that was recently pushed into deprecation as it could be cracked.

But because the passwords weren’t salted — a process that makes it harder to decrypt.

It’s estimated that about 90 percent of the passwords were decrypted — a figure that will likely grow over time.

Last year — which would’ve been two years after the LinkedIn breach — the most popular password was, unsurprisingly, at the top of this list.

Rank Password Frequency
1 123456 753,305
2 linkedin 172,523
3 password 144,458
4 123456789 94,314
5 12345678 63,769
6 111111 57,210
7 1234567 49,652
8 sunshine 39,118
9 qwerty 37,538
10 654321 33,854
11 000000 32,490
12 password1 30,981
13 abc123 30,398
14 charlie 28,049
15 linked 25,334
16 maggie 23,892
17 michael 23,075
18 666666 22,888
19 princess 22,122
20 123123 21,826
21 iloveyou 20,251
22 1234567890 19,575
23 Linkedin1 19,441
24 daniel 19,184
25 bailey 18,805
26 welcome 18,504
27 buster 18,395
28 Passw0rd 18,208
29 baseball 17,858
30 shadow 17,781
31 121212 17,134
32 hannah 17,040
33 monkey 16,958
34 thomas 16,789
35 summer 16,652
36 george 16,620
37 harley 16,275
38 222222 16,165
39 jessica 16,088
40 ginger 16,040
41 michelle 16,024
42 abcdef 15,938
43 sophie 15,884
44 jordan 15,839
45 freedom 15,793
46 555555 15,664
47 tigger 15,658
48 joshua 15,628
49 pepper 15,610

Anyone with 123456 as their password deserves to have their account hacked in my opinion.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s