![]() ![]() “At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure.”ĭid they download the 6.5 million leak and use that to figure out who they thought were compromised? I honestly have to say that I would have initiated a forced password reset of those 6.5 million accounts/hashes FIRST, and then for security’s sake, the remaining 115 million-or-so accounts after that.Ĭhanging the password hashing algorithm used for storing passwords would also be done quickly. Let me add comments to their statements from their official blog: In the case of Linkedin in 2016, I was baffled. Having worked for the largest IT outsourcing & financial services provider in Norway, as well as helping out quite a few customers other places, I think I know a bit about “reading between the lines”. ![]() I am fascinated about official statements when something has gone FUBAR. Linkedin responds, and they have a statement and update on their official blog. The past called, and wanted to come visit. They really should learn more about how the internet works. I think shareholders in major service providers expect this as a mandatory move for damage control. Of course Linkedin does a Barbra Streisand, and ask lawyers to remove the leak from the internet. Oh, and you should read how Troy Hunt verifies data breaches. Oh yes, so do I, but I really try to live by a certain ethics code. The infosec world has a taste for blood, just like most others. The rat race begins comments, expert analysis, sample dump analysis, “who has the complete dump available? anyone? link? Plz?”. Motherboard breaks the news, the complete dump from 2016 seem to be up for sale. Because in my experience even a breach notification won’t make people choose a completely different password. Joseph Bonneau, at the time a PhD student at Cambridge, wrote on his blog “…so we might project that the LinkedIn leak represents closer to 12.5 million users if the password distributions are similar”.īased on this guesstimate alone, I’m curious on how many accounts Linkedin actually initiated password resets for, and I’m curious if they kept any password history at the time to prevent users from reusing old passwords. However 6.5 million users were far from the truth.Īs we know now, it looks like their entire user database at the time were breached. Some of those were mangled, so the real number was a bit lower. That number was actually number of unique unsalted SHA-1 hashes. One of the fascinating things about the breach back in 2012 is that 6.5 million compromised accounts became the official number of compromised users. As far as I remember it wasn’t even peanuts, and only applicable to paid (=premium) account holders. They really should be more prepared, and they should practice often. To the defense of Linkedin: most organisations are not prepared for incidents like this. How long would you expect to wait before your credit card provider notified and cancelled your card after they knew it had been compromised? From my perspective it didn’t look like they were prepared for something like this to happen. I waited days before my password reset email finally came through. When people logged on to change their password and got news stories about Linkedin being hacked, there was no mandatory or even “For security reasons we encourage you to change your password now”. On the contrary, I was closer to shocked. I was never impressed with the way Linkedin handled the incident. Temporary conclusion at the time: “if you suddenly hit jackpot and got access to millions of accounts but were not prepared for it, how could you possibly abuse as many of them as possible before they get disabled or have their passwords changed?”. However we didn’t see or hear about any high-profile account takeovers. Because people reuse passwords across multiple services. The leak was out, and although it only contained unique SHA-1 hashes (=unique passwords), they could still serve as input for online password guessing against accounts across multiple services. I have to admit that I spoke with Dan Goodin about the leaked data, and something that baffled at least me. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |