Updated on May 2, 2018 by UpGuard
Chances are, if you've any semblance of a professional life, you probably have a corresponding LinkedIn account to show for it. And if that's the case, your data was likely stolen in the massive 2012 data breach, now thought to be more expansive than originally posited. Last week, the world's largest professional social network sent out a notice stating that its initial announcement of 6.5 million stolen passwords turns out to be quite off—by about 110.5 million.
LinkedIn announced last week that it had discovered 117 million of its users' credentials for sale on the black market. The cache is apparently not the product of a new breach; it is the remainder of what was taken in the massive 2012 breach. Here's an excerpt from LinkedIn officials' response:
"On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach."
The professional social network site has since been criticized for storing passwords as unsalted SHA-1 hashes prior to 2012 (a hash, not encryption, and one applied without the per-user salt or slow work factor that makes offline cracking expensive). Its methods have presumably been updated since; of course, that is no consolation to the 117 million users whose credentials were part of the original 2012 data breach treasure trove.
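To make the "unsalted SHA-1" criticism concrete, here is an added example (not code from the original article, and not LinkedIn's own implementation) that contrasts the two storage schemes. It uses a small constructed set of accounts and a constructed six-word cracking list; the names, passwords and the 50,000-iteration PBKDF2 setting are assumptions for the demo. With unsalted SHA-1 the attacker hashes each candidate once and matches it against every stolen digest at the same time, and identical passwords are visible as identical digests; with a per-user salt and an iterated hash every (user, candidate) pair costs a separate slow derivation.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts (not real LinkedIn data): two users share a password,
# one uses a password that is not in the attacker's wordlist.
USERS = {
    "alice": "linkedin",
    "bob": "Password1",
    "carol": "linkedin",
    "dave": "Tr0ub4dor&3",
}

# Constructed attacker wordlist; real attacks use hundreds of millions of candidates
# plus mangling rules, which is why "linkedin"-style passwords fall instantly.
WORDLIST = ["123456", "password", "linkedin", "Password1", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Pre-2012 LinkedIn style: a single unsalted SHA-1 digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_dump(users: dict) -> dict:
    """What an attacker holds after stealing an unsalted SHA-1 password table."""
    return {name: sha1_unsalted(pw) for name, pw in users.items()}


def crack_unsalted(dump: dict, wordlist) -> tuple:
    """Hash each candidate once, then look it up against every stolen digest.
    Returns (cracked {user: password}, number of hash computations)."""
    table = {sha1_unsalted(w): w for w in wordlist}   # len(wordlist) hashes total
    cracked = {name: table[h] for name, h in dump.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2_record(password: str, iterations: int, salt: bytes = None) -> tuple:
    """Salted, iterated hash: a fresh random salt per user and a tunable work factor.
    Stored as (salt, iterations, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (salt, iterations, dk)


def build_salted_dump(users: dict, iterations: int = 50_000) -> dict:
    # 50_000 keeps the demo quick (assumed value); production settings are higher.
    return {name: pbkdf2_record(pw, iterations) for name, pw in users.items()}


def crack_salted(dump: dict, wordlist) -> tuple:
    """With per-user salts nothing can be precomputed or shared: every
    (user, candidate) pair costs one full PBKDF2 derivation."""
    cracked, evaluations = {}, 0
    for name, (salt, iters, dk) in dump.items():
        for w in wordlist:
            evaluations += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), salt, iters) == dk:
                cracked[name] = w
                break
    return cracked, evaluations


def users_sharing_a_digest(dump: dict) -> list:
    """Groups of users whose stored digests are identical. Unsalted storage leaks
    'these people chose the same password'; salted storage does not."""
    groups = defaultdict(list)
    for name, record in dump.items():
        digest = record[2] if isinstance(record, tuple) else record
        groups[digest].append(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    unsalted = build_unsalted_dump(USERS)
    found, work = crack_unsalted(unsalted, WORDLIST)
    print("unsalted SHA-1:", found, "in", work, "hashes; shared:",
          users_sharing_a_digest(unsalted))

    salted = build_salted_dump(USERS)
    found, work = crack_salted(salted, WORDLIST)
    print("salted PBKDF2:", found, "in", work, "slow derivations; shared:",
          users_sharing_a_digest(salted))
```

Both runs recover the three weak passwords, which is the other half of the lesson: salting and stretching raise the attacker's cost per guess, they do not rescue a password that sits in every wordlist. Against 117 million unsalted SHA-1 digests the attacker's cost is one SHA-1 per candidate regardless of how many accounts are in the dump.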
LinkedIn data for sale. Source: @TroyHunt / Twitter.
A word of caution: if you did not receive an email notification like the one below, your data may have still been compromised in the breach.
An excerpt from LinkedIn's recent data breach notification email.
As reported by our colleague Troy Hunt, a large swathe of LinkedIn users who were part of the data breach did not receive notifications; oddly enough, some non-LinkedIn users reported getting an email notification from the social network, despite not owning accounts.
Countermeasures and "LinkingIn" Securely
It's not surprising that the world's largest professional social network, a virtual Fort Knox of high-value data, proved too tempting an opportunity for cyber attackers to pass up. To be fair, data breaches are inevitable, even for the most low-profile of organizations. And though LinkedIn has drawn criticism for the circumstances around the breach, its past password storage, and its handling of the event (both back then and 4 years later), at the end of the day users are responsible for protecting their own data.
Expect phishing occurrences to rise as LinkedIn users, and apparently even non-account holders, are informed of the latest data breach news. Cyber attackers will attempt to capitalize on the preponderance of LinkedIn security notifications floating around, so validate that emails claiming to come from your social networks and online services are legitimate: rather than following a link in a notification, open the site directly and reset the password there. It is also an opportune time to enable two-factor authentication on your critical online services and favorite SaaS apps. And last but not least, change all account passwords (yes, all of them) if you haven't done so already. Unsalted SHA-1 hashes crack quickly, so treat any password that was in the dump as known to attackers, and change it on every other site where it was reused, since cracked credentials are routinely replayed against other services; a password manager makes using a unique password per site practical.
Misconfigurations are an internal problem that emanate from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.