Security expert: LinkedIn password breach bigger
Posted at 8:00 AM, May 23, 2016
and last updated 2016-05-23 10:00:30-04

Quick, what was your LinkedIn password in 2012? OK, now think of every password you use for every service, and make sure that LinkedIn password isn’t reused anywhere.

If ever you needed a reminder not to reuse passwords, here it is. We knew that LinkedIn got hacked in 2012, but at the time we thought only 6.5 million passwords were stolen. Now, we’ve learned the real figure was more like 100 million-plus. That means your old LinkedIn password — and any derivations of it — should not be used anywhere else. You already knew that, but now you really know.

A security researcher found an ad on May 19, 2016, posted by a hacker offering a list of 167 million LinkedIn passwords for sale for about $2,300. LinkedIn confirmed to Ars Technica on Wednesday that it knows an “additional set of data has just been released.” It’s working to invalidate any passwords on the list that might still be in use. Because of duplicates, etc., the real number is probably far less than 167 million, but it’s certainly much larger than 6.5 million.

Of course, LinkedIn can’t help with other services where you might re-use its password. And you probably forgot it anyway. (Sadly, computers never forget these things.) Even if you only signed up for LinkedIn once, back in 2012, and never used it again, the password you set at the time is now poisoned.

There is no need to panic. No doubt, whoever had this list had wrung all the value out before offering it for sale – probably many times over. If it were really a gold mine, it likely wouldn’t be for sale at $2,300. Most of the user/password combinations in there have no doubt already been tried at other websites.

Still, your job today is to think about all the critical sites you use — places where you keep and spend money (banks, Amazon) — and make sure those passwords are clever and fresh. Then let your mind wander to places where hackers might make bank by scrolling through your digital life: Hacking into your email account, for example, or even your Facebook account. Using your email, they could reset passwords at your bank. Using Facebook, they could trick friends into sending money — or just embarrass you.

Doing that kind of security inventory is a good exercise at any time. But today presents a great reminder.

“There needs to be a sense of heightened security every day when it comes to cyber attacks and thinking passwords could be stolen,” said John Peterson, Vice President of Enterprise Products at cyber security company Comodo. “Consumers, small businesses and large enterprises all need to understand that criminals have established, working organizations with paid hackers, spammers and phishing experts who think of ways to steal and leverage passwords, bank records, Social Security numbers, company trade secrets and data, and credit card and financial data every minute of every day.”

[Editor’s Note: Remember, if you have reason to believe you’ve been a victim of fraud, it’s crucial to check your credit. Specifically, you should keep an eye out for sudden drops in your credit score, mysterious accounts opened in your name and unknown addresses. You can check your credit by pulling your reports for free each year at AnnualCreditReport.com and viewing your scores, updated monthly, for free on Credit.com.]

This story originally appeared at credit.com.
