Three lessons from the LinkedIn data breach
Unless you’ve been living under a rock for the past few weeks, you’ll undoubtedly be aware that LinkedIn is back in the media spotlight, and once again, it’s for all the wrong reasons.
Back in 2012, the business-oriented social networking platform fell victim to a data breach that resulted in more than 6.5 million of its users’ details being stolen and uploaded to a Russian hacker forum. At the time, the threat level was not deemed to be severe, because the breach affected less than 5% of LinkedIn’s userbase. However, it has more recently come to light that the breach was more significant than first thought – over 100 million records more significant, to be specific. By today’s standards, that accounts for over a quarter of all LinkedIn users.
On May 18, Cory Scott, LinkedIn’s CISO, wrote on the company blog: “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
Motherboard reports that the hacker responsible for the 2012 attack, who goes by the name Peace, is selling the stolen data on the dark web for 5 bitcoin, the equivalent of around $2,200. LeakedSource, a leaked data search engine, also claims to have access to the stolen records, and told Motherboard that, at the time of writing, 90% of the encrypted passwords had been cracked in just 72 hours.
So what lessons can be learned from this data breach?
- Good password management is essential: LinkedIn has been criticized for the manner in which it handled communications with its users in 2012. At the time, the company claimed to have notified all users affected by the breach and advised all users to change their passwords, but many say they did not receive such a warning until days after the breach was identified, and others say they received no communication from LinkedIn at all.
Updating passwords regularly minimizes the risk of unwanted exposure, regardless of whether a data breach has occurred or not. Being proactive with password management is essential, because as the above goes to show, you can’t always rely on the service provider to keep you notified if your information is lost or stolen.
For further advice, check out our tips on creating strong and memorable passwords.
- Two-factor authentication is a no-brainer: Two-factor authentication, often abbreviated as 2FA or TFA, is becoming an increasingly common practice online. Put simply, it adds a second level of authentication to an account login, which in theory makes it more difficult for hackers to gain entry. A password on its own is considered single-factor authentication. Examples of second-factor authentication methods include PINs sent to the user via SMS, or voice or fingerprint recognition.
Most web-based platforms now offer some kind of two-factor authentication process – Twitter, Google & Amazon being well-known examples – however, it is not always mandatory for the user to have it turned on. For those who value their privacy, utilizing two-factor authentication should be a no-brainer.
- Encryption does not guarantee privacy: Encryption works by scrambling data so it is unreadable by unintended parties. This, in theory, keeps data protected even if it falls into the wrong hands. In practice, encryption can take many forms, and as the LinkedIn case has demonstrated, even encrypted data can be cracked easily enough by those with the skills to do so.
Trent Telford, chief executive of Covata, had this to say on the matter: “while the passcodes were protected with a level of encryption, it’s clear that this was nowhere near robust enough to properly protect user details… If this latest breach teaches us anything, it’s that all encryption wasn’t created equal”. Source: http://www.theregister.co.uk/2016/05/19/linkedin_breach/
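To show concretely why “all encryption wasn’t created equal” for stored passwords, here is an added example (written for this article, not LinkedIn’s or Covata’s code) contrasting a fast unsalted hash with a salted, deliberately slow key-derivation function. The specific scheme (unsalted SHA-1) and the PBKDF2 parameters are assumptions for the demonstration, and the wordlist is constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the kind of wordlist used against a leaked dump.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]


def weak_hash(password: str) -> str:
    """Unsalted, fast hash (assumed scheme for the weak store).
    Identical passwords give identical digests, so one precomputed table
    of common passwords matches every affected user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"", rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'rounds$salt$digest' so verification can recover the parameters.
    A guess must be recomputed per user at full cost; no shared table works."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def exposure_audit(stored_hashes: list[str]) -> dict[str, str]:
    """Defender-side check: how many entries in a hash store fall to a single
    precomputed table of common passwords. Returns {stored_hash: password}.
    Against salted PBKDF2 strings the table never matches, because each
    entry carries its own salt and digest format."""
    table = {weak_hash(p): p for p in COMMON_PASSWORDS}
    return {h: table[h] for h in stored_hashes if h in table}
```

Run `exposure_audit` over a weak store and most common passwords are recovered instantly; run it over a PBKDF2 store and nothing matches, while legitimate logins still verify.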