117 Million LinkedIn Emails And Passwords For Sale - additional expert comments

May 2016

It has been reported that a hacker is trying to sell the account information,
including emails and passwords, of 117 million LinkedIn users. The hacker, known as
Peace, is selling the data on the dark web illegal marketplace, The Real Deal, for 5
bitcoin (around $2,200). Hacked data search engine, LeakedSource, also claims to
have obtained the data. Both Peace and one of the people behind LeakedSource
said that there are 167 million accounts in the hacked database. Of those, around
117 million have both emails and encrypted passwords.

Lisa Baergen, director at NuData Security:

“I sound like a broken record; but here we are again. Just as consumers start to
feel secure, news of yet another breach hits the wire. No matter how long it takes
to come out, the bottom line is that you have to stop thinking “what IF” and
accepting it should be seen as “WHEN”…

Although usernames and passwords can be changed, victims of a breach need to
understand that every bit of information exposed is important and may sit dormant
for some time, but will be sold in packages in the dark web and compiled to build
out solid profiles of your online IDENTITY. Fraudsters are learning that information
coupled from various breaches can create more comprehensive ’identity bundles’ which
sell for a higher value to hackers. With more complete information, more fraud can
take place.

As an example, if I’m a hacker and gain access to geographical data on John Smith
from breach one, and bank account information from breach two, I can fill out a loan
application or apply for a new credit card as John regularly would. Where credit
card fraud was all the rage a couple years ago, it is account takeover and new
account fraud that is on the dramatic rise. We saw in our own database of billions
of behavioural events annually a 10% month-over-month increase in new account fraud.

Fortunately, there are methods that online providers can take to help keep us
consumers safe, while giving true insight into who sits behind the device - and know
and trust it is not the hacker using all of our identity information online.

User behaviour analytics can provide victims of this and other breaches with an
extra layer of protection even after the hack has occurred. We need to put a stop to
these fraudsters in a completely passive and non-intrusive way to us, the
consumers. This is accomplished by understanding how a legitimate user truly
behaves in contrast to a potential fraudster with our legitimate information ripped
from all these breaches. Without even interrupting a user’s experience, fraud can
be predicted and prevented from occurring. The only way to achieve this is by truly
being able to identify the IDENTITY of the user behind the device.

Good luck hackers; you can keep stealing our data; but we are going to make this
data invaluable to you; and you can’t steal my behaviours!”

Rob Sobers, director at Varonis:

“The LinkedIn breach goes to show how a single significant breach can come back to
haunt a business (and its customers) again and again. It also highlights just how
in-the-dark companies typically are after a breach. After a breach occurs we usually
see a statement claiming that the security team has “isolated the affected
systems,” but seasoned security researchers know that far too often the scope and
severity of a breach is indeterminable due to a lack of comprehensive monitoring and
logging.”

Toni Gidwani, director of research at ThreatConnect Inc:

"What we are likely seeing here is the long tail of the 2012 LinkedIn breach. The
good news is that basic security practices, such as not reusing passwords across
different sites and leveraging two-factor authentication whenever possible, are an
effective way to both prevent unauthorized access to your accounts and to limit the
possible contagion when breaches occur.

The long lag time between the breach and passwords now appearing for sale suggests
the data has already been mined for other nefarious purposes. LinkedIn, with its
rich context of professional networks, is a gold mine for adversaries looking to
social engineer targets for future attacks. Which are you more likely to open: an
email from a Nigerian prince? Or a link in an article sent by someone you’ve
worked with for years? Four years after the fact, the breached data set still has
some nominal monetary value, which is why it’s for sale for only a handful of
bitcoin. But the trickier question is figuring out who has been exploiting the
breached data for the last four years and to what end."

Simon Crosby, CTO and co-founder at Bromium:

"LinkedIn has had an awful record of securing their service, and this appears to be
another confirmation that they operate without due care for the valuable information
they curate. I recommend that users be very cautious of using the service because
attackers will use compromised accounts to launch other attacks. Change your
password now."
