Cybersecurity Insight

Stolen Passwords from LinkedIn Resurface on the Dark Web

19 May

If any one of your account passwords had been stolen, would you be able to put a price on it? Plenty of stolen passwords, with and without usernames attached, are up for grabs across the Internet. The most recent treasure trove comes from a years-old LinkedIn security breach, showing that even after almost half a decade, past attacks are always lurking.

About four years ago, a large number of passwords were stolen from LinkedIn. While initial numbers hovered at 6.5 million users’ details, the data currently for sale contains 167 million accounts. The (slight) silver lining is that only 117 million leaked user accounts have both usernames and passwords. The charming mastermind behind this sale, a user by the name of “Peace” (how ironic), is asking for 5 bitcoins – the equivalent of USD$2,300. Though no one has stepped up to buy the bundle of stolen passwords and usernames just yet, it’s only a matter of time. Plus, it should be noted that these passwords are “unsalted SHA-1 hashes” – they lack the “salt”, the extra random data combined with each password before hashing that would normally make the hashes harder to crack.
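To make the "unsalted SHA-1" point concrete, here is an added example (not part of the original post, and not LinkedIn's code) that stores the same constructed accounts two ways: as bare SHA-1 digests and as per-account salted PBKDF2 hashes. The account names, the fourth password and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data). "password" and "linkedin" are
# the weak passwords the article cites; the names and the fourth are made up.
ACCOUNTS = {
    "alice@example.com": "password",
    "bob@example.com": "linkedin",
    "carol@example.com": "password",
    "dave@example.com": "correct horse battery staple",
}
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted_sha1(password):
    """The scheme the article describes: a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None):
    """Random per-account salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


def shared_digests(table):
    """Digests stored for more than one account, mapped to how many share them."""
    return {d: n for d, n in Counter(table.values()).items() if n > 1}


if __name__ == "__main__":
    unsalted = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
    salted = {user: salted_hash(pw)[1] for user, pw in ACCOUNTS.items()}
    # Unsalted: alice and carol store the same value, so the table itself
    # reveals that they picked the same password.
    print("unsalted duplicates:", shared_digests(unsalted))
    # Salted: every stored value is unique even for identical passwords.
    print("salted duplicates:  ", shared_digests(salted))
```

With unsalted storage, one computation of a common password's digest matches every account that uses it; with a per-account salt, each account has to be worked on separately and each guess costs hundreds of thousands of hash iterations.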

So, how is LinkedIn responding this time around? Besides releasing a blog post, the company sent emails to users with specific information on changing passwords and setting up two-step verification. Creating a new password is one thing, but creating a strong one is what makes the difference – a lot of the passwords that leaked were as simple as “password” or “linkedin”. Instead, focus on replacing letters with numbers, using random capitalization, adding punctuation marks or even using an entirely different language.

While this particular leak doesn’t have much to do with LinkedIn’s current security protocols, it shows that “protected” data from a leak four years prior managed to stay dormant and resurface – and for a price many would pay to exploit private personal details. This event makes a great argument for cyber security protection – whether you’re a big or small organization, any details can be stolen and posted online for the world to see if you don’t have the right cyber guards in place.