Where were you in 2012?
If you were on LinkedIn back then, there’s a good chance that your password is for sale in a huge password data dump on the dark web at this very moment. (If you remember back to the Ashley Madison hack last summer, a data dump is basically what it sounds like – lots of information getting uploaded, or dumped, onto the web.) Back in 2012, the business-oriented social network was hacked, and at the time it was estimated that 6.5 million passwords had been stolen. A huge number to be sure, but nothing on the scale of, say, the Adobe hack in 2013, when 153 million Adobe user accounts were hacked and dumped.
Well, now, four years later, an anonymous hacker using the moniker “Peace” has confirmed to tech news website Motherboard that he is selling the information from the hack in a huge data dump on a dark web forum called The Real Deal for a mere 5 BTC ($2200).
And apparently, LinkedIn’s own approximation of the scope of the breach was just a wee bit off.
By almost 60 million accounts, that is.
More accounts, less salt
It seems that the email addresses and passwords of 165 million LinkedIn accounts are being sold on the dark web, including 117 million already-cracked passwords paired with their email addresses. And while the network did hash its passwords so that they would not sit in the clear if its databases were ever breached, it did not salt them (salting adds a random value to each password before it is hashed, so that two users with the same password get different hashes and an attacker cannot crack them all with one precomputed table), and therefore its method of storing passwords was not up to internet standards.
Instead, passwords were stored using a hashing method called SHA1. In normal-people speak, hashing means taking a value (say, a password like iL0v3_mYd*g$paRky) and turning it into a fixed-length string of letters and numbers that represents the original value but cannot be turned back into it. SHA1, which stands for Secure Hash Algorithm, was designed by the NSA to maintain data integrity, but it was found to have flaws in 2010 and fell out of use.
Well, except by LinkedIn, that is.
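To make the difference concrete, here is an added example (not LinkedIn’s code, and the accounts in it are made up) that stores the same three passwords two ways: plain unsalted SHA1, as the article describes LinkedIn doing, and per-user salted, deliberately slow hashing with PBKDF2 from Python’s standard library. With no salt, two users who share a password share a hash, so cracking one hash exposes both accounts; with a salt, every stored value is different.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the LinkedIn dump): two users reuse
# the same weak password, which is exactly what a dump makes visible.
ACCOUNTS = {
    "alice@example.com": "iloveyou123",
    "bob@example.com": "iloveyou123",
    "carol@example.com": "iL0v3_mYd*g$paRky",
}


def unsalted_sha1(password: str) -> str:
    """Storage as the article describes LinkedIn's: one plain SHA1 per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted and deliberately slow: PBKDF2-HMAC-SHA256 from the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(accounts: dict) -> dict:
    """email -> sha1 hex. Identical passwords produce identical hashes."""
    return {email: unsalted_sha1(pw) for email, pw in accounts.items()}


def store_salted(accounts: dict) -> dict:
    """email -> (salt, hash). A fresh random 16-byte salt for every account."""
    out = {}
    for email, pw in accounts.items():
        salt = os.urandom(16)
        out[email] = (salt, salted_slow_hash(pw, salt))
    return out


def distinct_hashes(store: dict) -> int:
    """Number of different hash values in a store. Fewer distinct hashes than
    accounts means one cracked hash unlocks several accounts at once."""
    values = [v[1] if isinstance(v, tuple) else v for v in store.values()]
    return len(set(values))


def verify_salted(store: dict, email: str, password: str) -> bool:
    """Login check against the salted store, using a constant-time comparison."""
    salt, stored = store[email]
    return hmac.compare_digest(salted_slow_hash(password, salt), stored)


if __name__ == "__main__":
    print("unsalted distinct hashes:", distinct_hashes(store_unsalted(ACCOUNTS)))  # 2 of 3
    print("salted distinct hashes:  ", distinct_hashes(store_salted(ACCOUNTS)))    # 3 of 3
```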
At the time of the hack, LinkedIn issued a statement saying that they would be resetting all affected accounts and they have announced that they plan on resetting all current accounts now as well.
It’s not just LinkedIn – Instagram’s got more holes than Swiss cheese
And somewhere, on the other side of the social media spectrum, lies Instagram, the teen- and millennial-infested picture and video sharing network.
Just this week, a bug bounty hunter (a so-called “ethical hacker” who hacks websites and reports his or her findings back to website owners before anyone else can find the vulnerability and exploit it) disclosed a major vulnerability within the selfie-happy platform that allowed him to take over accounts.
According to researcher Arne Swinnen, who discovered the holes, Instagram’s weak password policy and lack of 2-factor authentication, combined with the fact that Instagram usernames are open to the public and that there was no account lockout policy (the mechanism that disables an account if an incorrect password is entered a specified number of times), allowed him to crack user accounts and take them over.
On his security blog he writes: “exploitation of these issues could have resulted in the compromise of millions of the 400+ million active Instagram accounts – especially those with predictable passwords”.
Facebook, which owns Instagram, responded by patching the vulnerabilities and tightening password requirements ever so slightly.
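The missing piece that the researcher pointed to, an account lockout policy, looks roughly like this. It is an added illustration, not Instagram’s or Facebook’s code, and the thresholds and the demo user are made-up assumptions: after five failed logins within five minutes the account refuses every attempt for fifteen minutes, even one with the right password, so a guessing program gets only a handful of tries per account instead of an unlimited number.

```python
import time
from collections import defaultdict, deque


class LockoutPolicy:
    """Temporary account lockout: after max_failures failed logins inside
    window seconds, refuse every attempt for lock_seconds, correct or not.
    Hypothetical illustration; not Instagram's or Facebook's implementation."""

    def __init__(self, max_failures: int = 5, window: int = 300, lock_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(deque)  # username -> timestamps of recent failures
        self.locked_until = {}              # username -> time the lock expires

    def is_locked(self, username: str, now: float) -> bool:
        return self.locked_until.get(username, 0) > now

    def record_failure(self, username: str, now: float) -> None:
        recent = self.failures[username]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[username] = now + self.lock_seconds
            recent.clear()

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)


def attempt_login(policy, username, password, check_password, now=None) -> str:
    """Returns 'locked', 'ok' or 'bad'. check_password(username, password) is the
    real credential check; now can be injected so the behaviour is testable."""
    now = time.time() if now is None else now
    if policy.is_locked(username, now):
        return "locked"  # the password is not even evaluated while locked
    if check_password(username, password):
        policy.record_success(username)
        return "ok"
    policy.record_failure(username, now)
    return "bad"


# Constructed demo credential store (made-up account, not a real one).
DEMO_USERS = {"selfie_fan": "correct horse battery staple"}
demo_check = lambda user, pw: DEMO_USERS.get(user) == pw
```

A lockout on its own also lets anyone lock a victim out by deliberately sending bad guesses, which is why production systems pair it with per-source rate limiting or a CAPTCHA rather than relying on it alone.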
What does all this mean for you?
You might not have a LinkedIn account and maybe you’ve never even heard of Instagram. It really doesn’t matter because what both incidents prove is the importance of developing smart security habits, especially when it comes to passwords. Here are some tips to make sure your login information and passwords are more secure:
- Change your LinkedIn password – If you had a LinkedIn account back in 2012 and you haven’t changed your password since then, change it ASAP. And even if you have changed it since then but are in the bad habit of reusing passwords on multiple sites, change it on those sites too. It’s clear that the hackers plan on using the dumped data to access users’ accounts on other common platforms like Facebook and Gmail.
- Set up 2FA – Now is the perfect time to start using 2-factor authentication on all your accounts, including banking sites, social media and email. 2FA works like this: instead of just entering your username and password when logging on to a website, you also have to enter another piece of information, such as a 4-digit PIN, an answer to a security question or a biometric factor like a fingerprint, among other options you can choose from.
True, this adds on an extra step in the login process, but it also means that if your passwords ever end up in a data dump or if they are cracked in a massive brute force attack, hackers will still need to do plenty of hard work to access your accounts. PCMag offers a huge amount of information on how to set up 2FA on some of the most commonly logged-onto websites.
- Use better passwords – Don’t roll your eyes – passwords are an integral aspect of digital security, yet so many people take the easy and very dangerous way out by using and reusing short and easy-to-remember (and therefore, easy-to-crack) passwords.
Hackers know that most people use common word-and-letter combinations like iloveyou123, passwrd1 or some variation of that concept. Using sophisticated cracking software, they can guess most such passwords in a matter of moments. You can make their job harder by using more solid passwords.
According to current research being conducted at MIT, because hackers’ password-guessing software is so advanced, sprinkling capital letters throughout passwords, as we have always been instructed to do, is less of a sure bet than it once was. Their research, based on password-cracking software and a publicly available password dump containing over a million hacked accounts, finds that a better bet is to make sure passwords are long, perhaps overly long, and include numbers and symbols. And if you ask us, it can’t hurt to throw in a few capital letters; just make sure they are placed in the middle of the password rather than as the first or last letter.
- Set up a password manager. This is one super-simple security practice that most people don’t follow but experts swear by (okay, full disclosure, there are some who don’t love password managers because, in theory, if everything is hackable to some degree, so are password managers. Touché, but it’s still better than not having one, duh).
Password managers help you create strong, unique passwords and then store them automatically in your own cloud-based vault, and can even fill them in for you on the sites you use. In turn, those passwords are stored behind one super-solid master password that you create. Getting set up doesn’t take a lot of time and can save tons of heartache down the road. Check out some great free options and get yours set up ASAP.
How to check if you were involved in the LinkedIn data dump
If you want to find out if your account was included in the colossal LinkedIn data dump, you can check out security expert Troy Hunt’s website Have I Been Pwned (haveibeenpwned.com), where he has uploaded all the data from the dump. By entering your email address, you can see if your information is part of any of a bunch of recent major data dumps floating around the dark web. It’s easy to check – just enter your email address and hold your breath while the site searches millions of records. If you find that your email address is associated with a hack, take special care to change all your usernames and passwords ASAP.
Then go set up that password manager and 2FA for all your logins. We promise you won’t regret it.