The 2012 hack of LinkedIn is coming back to haunt the social media company again. It says that an additional data dump stemming from the breach has been leaked online—containing credentials for more than 100 million LinkedIn members.
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations…from that same theft in 2012,” the company said in a posting. “We have no indication that this is as a result of a new security breach.”
LinkedIn said that it was taking “immediate steps” to invalidate the passwords of the accounts impacted, and that it’s contacting those members to reset their passwords.
In 2012, LinkedIn admitted that it was the victim of an unauthorized access and disclosure of what it said was 6.5 million members' passwords on a Russian hacker site. At the time, its immediate response included a mandatory password reset for all accounts believed to have been compromised as a result of the unauthorized disclosure.
A class-action suit was filed (and later dismissed) that brought to light some of the company’s security practices. Specifically, the complaint alleged that LinkedIn failed to use a combination of hashing and salting to secure user passwords, resulting in the exposure of passwords to hackers.
“LinkedIn violated its own User Agreement and Privacy Policy by failing to utilize long-standing industry standard protocols and technology to protect Plaintiff and the Class members’ PII [personally identifiable information],” the complaint alleged.
“LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of security,” the petition added.
Since then, the company has improved its practices. It now hashes and salts every password in the database, and has added protections such as email challenges and two-factor authentication. However, the fact that it didn’t realize the extent of the breach sparked some concern in the security community.
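To show why the complaint singles out hashing and salting, here is an added illustration (not code from LinkedIn or from the article) contrasting an unsalted fast hash, which lets one cracked digest unlock every account sharing that password, with a per-user salted, iterated hash. SHA-1 as the weak scheme, the sample accounts and the 200,000-iteration PBKDF2 setting are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts; two of them chose the same password.
SAMPLE_USERS = {
    "alice@example.com": "linkedin123",
    "bob@example.com": "linkedin123",
    "carol@example.com": "correct horse battery staple",
}

def weak_store(password: str) -> str:
    """Unsalted fast hash (illustrative weak scheme): identical passwords
    give identical digests, so a leaked table can be cracked in bulk."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): a fresh 16-byte salt per
    user makes equal passwords hash differently, and the iteration count
    slows offline guessing. Stored as iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    iter_str, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iter_str))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def duplicate_digests(store_fn, users=SAMPLE_USERS) -> int:
    """Count users whose stored digest matches another user's digest.
    Non-zero under the unsalted scheme whenever passwords repeat; zero with salts."""
    digests = [store_fn(pw) for pw in users.values()]
    return sum(1 for d in digests if digests.count(d) > 1)

if __name__ == "__main__":
    print("unsalted duplicate digests:", duplicate_digests(weak_store))
    print("salted duplicate digests:  ", duplicate_digests(strong_store))
    record = strong_store(SAMPLE_USERS["alice@example.com"])
    print("verify correct:", verify("linkedin123", record),
          "verify wrong:", verify("linkedin124", record))
```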
“The revelation of the magnitude of this breach is very disturbing,” said Brad Taylor, CEO, Proficio, via email. “First, has LinkedIn been fully transparent with its users? Hopefully, users changed their passwords on the initial disclosure, but in the light of this news a stronger response should have ensued. Second, if LinkedIn is only now discovering the scale of data that was exfiltrated from their systems, what went wrong with the forensic analysis that should have discovered this?”
Pierluigi Stella, CTO at Network Box USA, believes that LinkedIn genuinely might not have known the extent of the breach.
“This is interesting. First of all, I never realized LinkedIn had so many users,” Stella said. “Aside from that...many companies claim they’re able to detect a data breach immediately or reasonably quickly. My comment? These companies are either delusional or living in a different world.”