Back in June 2012, LinkedIn was hacked by Russian hackers who stole approximately 6.5 million usernames and passwords. At least that is what was reported at the time.
However, in May 2016 it was ‘discovered’ that a further 100 million email addresses and passwords had been taken in the attack. This reveals what was a bad security incident to actually be a really, really bad security incident.
At the time of the original lesser breach notification, the 6.5 million compromised LinkedIn users were prompted to change their passwords, and within a few months, the incident was largely forgotten. Fast forward about four years, and this breach seems to be coming back to immediate significance. The further 100 million compromised accounts had their passwords invalidated by LinkedIn if they had not been changed since the 2012 breach.
Since the beginning of June, Layer3 has been observing issues with TeamViewer, a popular tool for remotely accessing devices such as servers. It seems that TeamViewer accounts were being compromised. When the issue was finally publicly addressed, TeamViewer stated that this was due to LinkedIn’s hacked information becoming public.
Then, last night, that database of 100 million accounts was made public, published online. Anyone can get a copy of it with passwords in plain text. The implications of this are massive, even if an affected user has since changed his/her LinkedIn password.
In a world with tons of logins required for a multitude of sites and services used daily, weekly, monthly or just occasionally, it is common practice for many users to simply recycle a memorable password over and over again across the board. However, when one of those sites is breached, as LinkedIn was, just getting what might seem like pretty harmless information – your email address and password for that site – can in fact provide hackers all they need to break into every other account you have. For example, if your email account is compromised, hackers can then reset passwords to other services you may have. Password resets will be sent to your compromised email account, allowing the hackers to compromise these services as well. Imagine having a bunch of individually locked doors but using the same lock and key on all of them. If someone is able to get a copy of that one key, they can unlock every door with ease.
Since the release of the LinkedIn database last night, I have had multiple attempts to access internet accounts associated with my LinkedIn login credentials. Luckily, I had changed my password using long pass phrases some time ago.
What do you need to do now? We highly recommend that you change your password for all internet services, using something like pass phrases. Make sure that the password is different for every service. It might be a bit of a pain, but it will definitely be less of a pain than trying to undo whatever trouble hackers are able to cause by accessing your accounts. Even if you have changed your LinkedIn password since 2012, it is possible that you may have used that old password on other sites and services, so let this be your prompt to do a password refresh across the board.
If you have trouble remembering these passwords, there are services out there that store your passwords in a secure database, such as LastPass.
To see if your email address and password have been compromised, check https://haveibeenpwned.com/
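As an added example (not part of the original post, and not Layer3's or LinkedIn's code), the two checks the post recommends can be scripted: spotting a password reused across services, and asking Have I Been Pwned whether a password is in a known dump without ever sending the password itself. It assumes the Pwned Passwords range API (a real HIBP endpoint that the post does not name), and the sample response body and vault below are constructed for the example.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint (real HIBP API; assumed here, the page only names the website).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix "5BAA6". Counts are made up;
# the middle suffix is the real tail of SHA-1("password").
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E8D2E4B9E10CC8DB2E9D0B4FFC1A0EB7B3:1
"""

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> tuple[str, str]:
    """(5-char prefix that is sent to the API, 35-char suffix that never leaves the client)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """How often the password appears in breaches, given the range response for its own prefix."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Live lookup (network): only the prefix is sent, so the password stays private."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "reuse-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Group a (constructed) service->password map by hash; keep only passwords used by 2+ services."""
    groups: dict[str, list[str]] = {}
    for service, pw in vault.items():
        groups.setdefault(sha1_hex(pw), []).append(service)
    return {h: svcs for h, svcs in groups.items() if len(svcs) > 1}
```

For a live check, pass `fetch_range(prefix)` as the `range_body` argument; the offline `SAMPLE_RANGE_BODY` is only there so the logic can be exercised without network access.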