LinkedIn User? Your Data May Be Up For Sale (zdnet.com) 72
An anonymous reader cites a ZDNet report: Reports indicate that a LinkedIn data breach may have led to the sale of sensitive data belonging to 117 million users. The company's website experienced a data breach in 2012, but the true consequences of the breach are only now becoming apparent. Users of LinkedIn's website in 2012 discovered that roughly 6.5 million user account passwords were posted online, and the company never completely confirmed just who was impacted by the security incident. However, a hacker called "Peace" told the publication that this information is being sold on the dark web for roughly $2,200, and paid hacker data search engine LeakedSource also claims to have the data. Both sources say there are approximately 167 million accounts in the data dump, 117 million of which have both emails and encrypted passwords.LinkedIn has acknowledged the breach. In a blog post, the company writes: Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
Not a big deal... (Score:5, Funny)
Sad but true (Score:2)
This did serve as a reminder that I should change my LinkedIn Password though :)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
which would be fair enough if he actually was an engineer
What exactly makes a Systems Engineer (of which I am one) not a true engineer? What do you think Systems Engineers do?
The term Engineer is used in many different fields, would you say that the guy who runs a train isn't a railroad engineer because he hasn't achieved the professional engineer certification?
Re: (Score:2)
Your post was about job titles (Score:2)
Indeed - using them as an excuse to rant against the government and pretend th
Re: (Score:2)
What sensitive data? (Score:5, Insightful)
How does LinkedIn have any sensitive data? All the data I put up there I did so specifically to share with as many people as possible with the hope of getting job offers.
Please sell away. Hell give it away.
Re: (Score:1)
This. Isn't the whole point of linked in to get people to contact you with job offers?
Yes, it is, which makes it a bad idea for someone to pester your network and others with spam using your login.
Re: (Score:1)
Resume Required (Score:3)
There is a whole lot of data in a Resume, which people post to LinkedIn as it is required for job hunting. Sure, you can restrict access to viewers of your resume but they have _YOUR_ credentials so _YOUR_ resume can be easily accessed.
These hackers with your resume would have access to street addresses, phone numbers, email addresses, Twitter handles, and other aliases and information people normally include in resumes. It may not be your SSN and bank account information, but sure can be used for Social
Re: (Score:3)
I use LinkedIn as a address book more than anything else.
So it may be annoying if all the mail addresses of my contacts went widespread.
Re:What sensitive data? (Score:4, Insightful)
They have your username+password (hashed with the weak SHA1, and probably unsalted). They probably know your current employer too.
If you used that password (or a variation of it) somewhere else - say, in a critical system owned by your employer - it's time to change it. Like, now.
Re: (Score:3)
If someone claims to be an IT person but uses the same password on LinkedIn that he uses at work... I hope people aren't trusting him to do anything sensitive or important.
Re: (Score:2)
Lots of people who want to establish connections with me on LinkedIn aren't IT people.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
AIUI, SHA1 is weak in that it's possible to find collisions, not in that it's easy to find the original password.
Re: (Score:2)
True, but if your password is ten or fewer characters in length, then it can likely be found in an SHA1 rainbow table, which are readily available. FTFA, it sounds like LinkedIn doesn't salt their password hashes, so it turns out to be trivially easy to crack most shorter passwords just given the hashed value.
Re: (Score:2)
Wouldn't it be possible to make rainbow tables for other hashes also? I see the problem, but I don't see how it matters whether it's a weak or strong hash.
Re: (Score:2)
Certainly it's possible, and they're readily available. It seems to me that it's less important in this case that they used SHA1 and more important that they didn't salt. If they had salted their passwords, even if the attackers managed to learn the salt value they would still have to generate a whole custom rainbow table just for that password table. And that takes a lot of computational effort, especially for longer passwords containing a variety of non-alpha characters.
I suppose that there are other prob
Re: (Score:2)
If you used that password (or a variation of it) somewhere else - say, in a critical system owned by your employer - it's time to change it. Like, now.
Actually please don't. People like this should learn their lesson even if it costs them their jobs.
Re: (Score:1)
These come to mind:
1- People often use the same credentials for different accounts.
2- A lot of information, albeit no SSN, towards identity theft.
3- Private messaging may contain sensitive private information.
Personally, I'm on the side that Facebook, Google+, Linkedin, etc should just be used as public facade...
Re: (Score:2)
Re: (Score:2)
Not everyone wants to make all their personal data on LinkedIn publicly available to everyone. Doing so makes you look desperate.
Re: (Score:2)
Again, what personal data do you have on LinkedIn which isn't up there with the express purpose of advertising to the world who you are? This isn't Facebook or Tinder.
No shit sherlock (Score:5, Insightful)
If you're a linked in user, YOUR DATA IS UP FOR SALE
Its in the terms and conditions. They've been doing it since day one, its their business model, its well known.
Now you're concerned that someone else stole it and is selling it?
You put the data on a public website with the intention of showing it to others. There is no reason for you to be doing anything on linked in that you do not intend to be public.
How can they 'steal' data that you are intentionally begging people to take? Thats the point of linked in to its users, YOU WANT PEOPLE TO 'STEAL YOUR DATA' on linked in.
Do you guys get shocked when you write your name and phone number on the bathroom wall and then random people call you? Thats how stupid this story is.
Re: (Score:3)
There's no need for the if statement. It's an unnecessary comparison since YOUR DATA IS UP FOR SALE on the internet.
Re: (Score:2)
There's private portion of this "public" service, which is conversations between users. And that piece is "released" too.
Re: (Score:2)
Yes sir, a unique email alias I created for linkedln exclusively started receiving spam in July 2014.
I reported this breach to linkedln, they never responded. I guess it took them a couple of years to get a clue. I immediately changed email alias address, so far no more spam, thus it appears to be a one time(so far) event.
Fortunately I use linkedln sparingly, just some friends and family, thusly had very little information stolen. I always assume that these high profile services, like linkedln, are goi
Not a question of IF (Score:5, Insightful)
It's Linkedin.
The question isn't IF your data is for sale, it's whether Linkedin is selling it directly or whether a hacker's taken it and is selling it for cheaper.
So really, Linkedin's bitch is actually that they're probably being undercut in the marketplace.
Re: (Score:2)
Indeed. Whats that adage about "if it doesn't cost you anything then you are the product being sold" ?
Re: (Score:1)
which have both emails and encrypted passwords
that claims to be email and hashed password combinations
Well, which is it? Huge difference.
Not necessarily that much of a difference. Simple hash approaches are today fairly easily crack-able within reasonable time frames and success rate. You need an admin that is really on top of *recent* understanding of how to implement modern hash and salt algorithms and approaches if you should have the huge difference you claim and that is a rare beast indeed.
Aren't these the guys who... (Score:5, Insightful)
Handing your info to a company whose ethical standards allow them to pull shenanigans like this is pretty much the same thing as hackers getting your info.
Re: (Score:2)
Isn't Linkedin the site where if my friend joins and leaves a box checked because he didn't read carefully, they download his entire contact list and spam all of his contacts, and I repeatedly get emails saying that he's joined and I should join too?
I thought that was FB
Re: (Score:1)
No, LinkedIn is the site where [somebody who thinks he recognizes your name] joins and leave a box checked...
FTFY
LinkedIN (Score:2)
That's OK (Score:2)