A recent incident involving LinkedIn, the business-oriented social networking service, shows that data breaches can cause big problems for companies and consumers, even years after the breaches take place. On May 17, 2016, LinkedIn discovered that information stolen in a 2012 incident was being made available online, and the very next day notified site users about what had happened and what the company was doing to fix it.
In 2012, an alleged 117 million email and password combinations were stolen by hackers. At the time, LinkedIn issued a mandatory password reset for any accounts they thought were compromised; all LinkedIn members were encouraged to change their passwords as well, just in case.
Fast forward to the present day, and the 2012 breach has come back to haunt LinkedIn. The stolen data popped up online, and in an e-mail to LinkedIn users sent on May 25, 2016, the company said the published information included email addresses, hashed passwords, and LinkedIn member IDs, which are internal identifiers LinkedIn assigns to each member profile. The company immediately invalidated the passwords of all LinkedIn accounts that were created prior to the 2012 breach and had not undergone a password reset since the breach.
LinkedIn’s attempts to protect users, however, are extending beyond resetting passwords this time. The company is also using automated tools to try to identify (and block) any suspicious activity on specific LinkedIn accounts. The proper authorities have been contacted and LinkedIn is working with law enforcement. The company has demanded that anyone making stolen password data available stop immediately or face potential legal action.
In their e-mail, the company also shared that they have improved security features since the 2012 breach, which will hopefully prevent another incident like this from happening in the future. As examples, they noted that they use salted hashes to store passwords and offer two-step verification for members who are interested in additional security. LinkedIn also encouraged members to use strong passwords and to change them regularly. If you don’t change your password often enough because you have trouble remembering new passwords, consider using a password manager, which can help you keep all of your passwords organized.
Image courtesy of Flickr user Mark Doliner.