LinkedIn Password Thief Jailed

A cyber-criminal who hacked into multiple tech companies and stole 117 million LinkedIn passwords has been sentenced to more than seven years in prison by a US district judge. 

Yevgeniy Alexandrovich Nikulin was found guilty by a jury in July this year of breaching the internal networks of LinkedIn, Dropbox, and the now defunct social networking company Formspring. 

The 32-year-old Russian national exfiltrated the user databases of the companies he compromised, then sold the information on the dark net. 

The malicious hacker compromised all three companies in the spring of 2012, breaking into LinkedIn between March 3 and March 4. He gained access to the company's internal network by infecting the laptop of an employee with malware that enabled him to exploit the victim's VPN.

Nikulin stole LinkedIn user data that included millions of usernames, passwords, and emails, then used it to launch spear-phishing attacks against employees at other companies. One company he skewered with this strategy was Dropbox. 

After breaching the account of a Dropbox employee, Nikulin was able to access a folder containing company data between May 14 and July 25, 2012. Court documents state the bad actor stole data on 68 million Dropbox users. 

Using the same ruse, Nikulin was also able to spear the account of an engineer working for Formspring. Between June 12 and June 29, 2012, the cyber-criminal is believed to have accessed the records of 30 million Formspring users.

Nikulin was also found guilty of hacking his way into parent company Automattic, though no evidence of data theft from this company was found. 

Trial documents show that Nikulin was resident in Moscow when he committed these offenses. The information he swiped was advertised for sale on the dark net in 2015 and 2016 by various traders in illegal data. 

The Russian national was arrested while on holiday in Prague in October 2016 as part of an international operation involving the FBI. He was extradited to the United States in 2017. 

On Wednesday, US District Judge William Alsup sentenced Nikulin to 88 months in prison. Alsup said he hoped the sentence would deter others from committing similar crimes.
