Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Privacy

LinkedIn User? Your Data May Be Up For Sale (zdnet.com) 72

An anonymous reader cites a ZDNet report: Reports indicate that a LinkedIn data breach may have led to the sale of sensitive data belonging to 117 million users. The company's website experienced a data breach in 2012, but the true consequences of the breach are only now becoming apparent. Users of LinkedIn's website in 2012 discovered that roughly 6.5 million user account passwords were posted online, and the company never completely confirmed just who was impacted by the security incident. However, a hacker called "Peace" told the publication that this information is being sold on the dark web for roughly $2,200, and paid hacker data search engine LeakedSource also claims to have the data. Both sources say there are approximately 167 million accounts in the data dump, 117 million of which have both emails and encrypted passwords.LinkedIn has acknowledged the breach. In a blog post, the company writes: Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
This discussion has been archived. No new comments can be posted.

LinkedIn User? Your Data May Be Up For Sale

Comments Filter:
  • by __aaclcg7560 ( 824291 ) on Wednesday May 18, 2016 @11:07AM (#52135633)
    Hackers already got my background investigative interview file from the government. LinkedIn data will confirm my employment dates.
    • This did serve as a reminder that I should change my LinkedIn Password though :)

      • by dbIII ( 701233 )
        Also don't forget to distinguish between the title that girl in HR gave you and your actual qualifications. A leading hand among a group of programmers that you have no authority over is not an "engineer" outside of your little bubble.
        • Based on the various titles in the HR system at my job: I'm a computer engineer doing senior system admin tasks at a desktop tech pay rate.
          • by dbIII ( 701233 )
            Yes but you do not turkey slap readers with your HR granted job title every post or say "I know about steel in fires I'm an engineer" in 9/11 conspiracy threads - which would be fair enough if he actually was an engineer and in the correct field since I've helped with a fire investigation myself.
            • which would be fair enough if he actually was an engineer

              What exactly makes a Systems Engineer (of which I am one) not a true engineer? What do you think Systems Engineers do?

              The term Engineer is used in many different fields, would you say that the guy who runs a train isn't a railroad engineer because he hasn't achieved the professional engineer certification?

              • by s.petry ( 762400 )
                Train engineers and Systems engineers have certifications (certain positions and places require them, like Government). Alas that does not matter to a person who has trolled my posts for years because I dared to question several aspects of the Government report on 9/11. According to the troll, questioning the narrative is "dishonoring the dead" and only done by a traitor. Questioning is worthy of a punishment by years of trolling. It's like that kid with autism that can do one thing over and over and so
                • A lot more than that. You dared to use your HR granted title to try to pretend you knew about what happened with structural steel in fires - "I'm an engineer" you wrote when questioned about how you "knew" that steel doesn't soften with heat like every kid that's seen a horseshoe made would know. Such actions damage the reputation of those who have the title of engineer granted to them by a professional body.

                  dishonoring the dead

                  Indeed - using them as an excuse to rant against the government and pretend th

              • by dbIII ( 701233 )
                He isn't one - leading hand of a group of programmers. HR gave him a fancy title.
  • by thegarbz ( 1787294 ) on Wednesday May 18, 2016 @11:12AM (#52135679)

    How does LinkedIn have any sensitive data? All the data I put up there I did so specifically to share with as many people as possible with the hope of getting job offers.

    Please sell away. Hell give it away.

    • by Anonymous Coward on Wednesday May 18, 2016 @11:34AM (#52135903)

      They have your username+password (hashed with the weak SHA1, and probably unsalted). They probably know your current employer too.

      If you used that password (or a variation of it) somewhere else - say, in a critical system owned by your employer - it's time to change it. Like, now.

      • AIUI, SHA1 is weak in that it's possible to find collisions, not in that it's easy to find the original password.

        • by imidan ( 559239 )

          True, but if your password is ten or fewer characters in length, then it can likely be found in an SHA1 rainbow table, which are readily available. FTFA, it sounds like LinkedIn doesn't salt their password hashes, so it turns out to be trivially easy to crack most shorter passwords just given the hashed value.

          • Wouldn't it be possible to make rainbow tables for other hashes also? I see the problem, but I don't see how it matters whether it's a weak or strong hash.

            • by imidan ( 559239 )

              Certainly it's possible, and they're readily available. It seems to me that it's less important in this case that they used SHA1 and more important that they didn't salt. If they had salted their passwords, even if the attackers managed to learn the salt value they would still have to generate a whole custom rainbow table just for that password table. And that takes a lot of computational effort, especially for longer passwords containing a variety of non-alpha characters.

              I suppose that there are other prob

      • If you used that password (or a variation of it) somewhere else - say, in a critical system owned by your employer - it's time to change it. Like, now.

        Actually please don't. People like this should learn their lesson even if it costs them their jobs.

    • by Anonymous Coward

      These come to mind:

      1- People often use the same credentials for different accounts.
      2- A lot of information, albeit no SSN, towards identity theft.
      3- Private messaging may contain sensitive private information.

      Personally, I'm on the side that Facebook, Google+, Linkedin, etc should just be used as public facade...

      • Personally, I'm on the side that Facebook, Google+, Linkedin, etc should just be used as public facade...

        I entirely agree. I assume that any information I put on any of those is publicly available. It may not be, but I'm not going to count on it.

    • Not everyone wants to make all their personal data on LinkedIn publicly available to everyone. Doing so makes you look desperate.

      • Again, what personal data do you have on LinkedIn which isn't up there with the express purpose of advertising to the world who you are? This isn't Facebook or Tinder.

  • No shit sherlock (Score:5, Insightful)

    by BitZtream ( 692029 ) on Wednesday May 18, 2016 @11:14AM (#52135697)

    If you're a linked in user, YOUR DATA IS UP FOR SALE

    Its in the terms and conditions. They've been doing it since day one, its their business model, its well known.

    Now you're concerned that someone else stole it and is selling it?

    You put the data on a public website with the intention of showing it to others. There is no reason for you to be doing anything on linked in that you do not intend to be public.

    How can they 'steal' data that you are intentionally begging people to take? Thats the point of linked in to its users, YOU WANT PEOPLE TO 'STEAL YOUR DATA' on linked in.

    Do you guys get shocked when you write your name and phone number on the bathroom wall and then random people call you? Thats how stupid this story is.

    • by cdrudge ( 68377 )

      If you're a linked in user, YOUR DATA IS UP FOR SALE

      There's no need for the if statement. It's an unnecessary comparison since YOUR DATA IS UP FOR SALE on the internet.

    • There's private portion of this "public" service, which is conversations between users. And that piece is "released" too.

    • Yes sir, a unique email alias I created for linkedln exclusively started receiving spam in July 2014.

      I reported this breach to linkedln, they never responded. I guess it took them a couple of years to get a clue. I immediately changed email alias address, so far no more spam, thus it appears to be a one time(so far) event.

      Fortunately I use linkedln sparingly, just some friends and family, thusly had very little information stolen. I always assume that these high profile services, like linkedln, are goi

  • by argStyopa ( 232550 ) on Wednesday May 18, 2016 @11:15AM (#52135707) Journal

    It's Linkedin.

    The question isn't IF your data is for sale, it's whether Linkedin is selling it directly or whether a hacker's taken it and is selling it for cheaper.

    So really, Linkedin's bitch is actually that they're probably being undercut in the marketplace.

    • Indeed. Whats that adage about "if it doesn't cost you anything then you are the product being sold" ?

  • by Solandri ( 704621 ) on Wednesday May 18, 2016 @11:31AM (#52135883)
    Isn't Linkedin the site where if my friend joins and leaves a box checked because he didn't read carefully, they download his entire contact list and spam all of his contacts, and I repeatedly get emails saying that he's joined and I should join too?

    Handing your info to a company whose ethical standards allow them to pull shenanigans like this is pretty much the same thing as hackers getting your info.
    • by OzPeter ( 195038 )

      Isn't Linkedin the site where if my friend joins and leaves a box checked because he didn't read carefully, they download his entire contact list and spam all of his contacts, and I repeatedly get emails saying that he's joined and I should join too?

      I thought that was FB

    • by WallyL ( 4154209 )

      No, LinkedIn is the site where [somebody who thinks he recognizes your name] joins and leave a box checked...

      FTFY

  • The hackers will probably sell it less and take better care of it than Linkedin did.

Keep up the good work! But please don't ask me to help.

Working...