A HACK on business people meeting business people site LinkedIn in 2012 is still causing ripples after a hacker found an extra 167 million user account details and started flogging them online.
It is no secret that LinkedIn was hacked. The firm admitted to the incident in 2012 when 6.5 million unsalted password hashes were released into the wild.
Things look a lot bleaker now. The leak is confirmed on a site called LeakedSource that we are taking at its word.
"LinkedIn.com was hacked in June 2012 and a copy of data for 167,370,910 accounts has been obtained by LeakedSource which contained emails only and passwords," said the LeakedSource report.
"You can search the hacked LinkedIn.com database and many others on our main site. If you are in this database, contact us and we will remove you from our copy for free.
"Passwords were stored in SHA1 with no salting. This is not what internet standards propose. Only 117 million accounts have passwords and we suspect the remaining users registered using Facebook or some similarity."
Again, stupid passwords were used. LinkedIn has a list of some of the most prevalent and right there at the top is our old favourite '123456' which is used by three quarters of a million people. Second is 'Linkedin' and third is 'Password'. We stopped reading there because we were weeping.
To be fair to LinkedIn, the company advised users in 2012 to choose their passwords carefully, and this was before the hack. It had some good tips that, on reflection, it might as well have shouted into a toilet.
In a statement sent to the INQUIRER, the firm reiterated this advice, but said it is not yet sure that a new breach has occurred.
"We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is a result of a new security breach," a LinkedIn spokesperson said.
"We take the safety and security of our members' accounts seriously. For several years, we have hashed and salted every password in our database; and we have offered protection tools such as email challenges and dual factor authentication.
"We encourage our members to visit our safety center to ensure they have two-step verification authentication and to use strong passwords in order to keep their accounts as safe as possible."
Other people are very much in comment mode, too. Brian Spector, CEO at security firm MIRACL, explained that this is bad news for LinkedIn and another kick in the teeth for passwords.
"Besides causing a major headache for LinkedIn, this hack demonstrates how data theft and identity fraud is a multi-billion dollar business on the dark web, and that consumers must be vigilant," he said.
"In truth, passwords are a relic from a bygone age, and they simply don't provide adequate protection for the volume of information we all store and access online today. They don't scale for users, they don't protect the service itself and they are vulnerable to myriad attacks."
Spector advised anyone with a LinkedIn account to change their password for this account and for any other website where they may have used the same password.
"Unfortunately, the truth is that most of us probably already have some sort of private information floating around on the dark web, and as long as we use this outdated username and password system we will read a lot more of these headlines," he said.