
Forum Moderators: buckworks & not2easy


117 million LinkedIn Account Emails and Passwords Leaked Online

     
4:14 pm on May 18, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25472
votes: 743


According to the data sample, although the passwords are encrypted, the hackers claim to have cracked a significant number of the 117 million passwords in only 72 hours.

LinkedIn says that the original hack in 2012 was for a much smaller number of passwords, and it dealt with that back then with a mandatory password reset for the accounts it believed were impacted. Although this new issue is not a new hack as there is no evidence of that, according to LinkedIn, the data set being offered is now a much larger number of accounts.

Don't wait for LinkedIn to contact you - go and change your password now!

We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach. 117 million LinkedIn Account Emails and Passwords Leaked Online [blog.linkedin.com]
12:52 am on May 19, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member jab_creations is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 26, 2004
posts:3178
votes: 22


Want to make your salt and pepper (you're using two strings, riiiiiight?) more effective when encoding passwords? Serve your site as XHTML5 (application/xhtml+xml) and when PHP's htmlspecialchars() function doesn't cut it get the hex code, determine the character used and add it to your salt-and-pepper encoding of passwords. It's not difficult to wildly complicate the crap out of a hash encoding... think about it, how many times a day do people in real life over-complicate the crap out of something simple? This is when you're actually supposed to be abusive, enjoy it for once people!

John
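The opening post says the leaked passwords were "encrypted" yet a large share was cracked within 72 hours, and the post above talks about salting and peppering. The block below is an added example, not code from the thread or from LinkedIn: it contrasts an unsalted fast digest, where every account sharing a password gets the same hash and one lookup table covers the whole dump, with a per-user random salt plus a server-side pepper stretched through PBKDF2. The pepper value, iteration count and sample user table are constructed for the demonstration.

```python
"""Added example: why salt + pepper + a slow KDF matters for a dumped user table.

Everything here (pepper, iteration count, sample passwords) is constructed
for illustration; it is not the thread's or LinkedIn's code.
"""
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, Optional

# Constructed server-side secret. It must live outside the user database
# (config store, secrets manager), so a dumped table alone is not enough.
PEPPER = b"constructed-pepper-kept-out-of-the-db"
ITERATIONS = 600_000  # work factor per guess; raise as hardware gets faster


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted digest: identical passwords give identical hashes,
    so one precomputed table cracks every account at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def _peppered(password: str) -> bytes:
    # HMAC the password with the pepper first: without the pepper, an
    # attacker holding only the database cannot even start guessing.
    return hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    # Per-user salt: two users with the same password get different records,
    # so each account must be attacked separately, at ITERATIONS cost per guess.
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored record and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", _peppered(password), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_count(hashes: Iterable[str]) -> int:
    """Number of distinct hash values that occur more than once in a table.
    Any duplicate tells a cracker that several accounts fall together."""
    return sum(1 for n in Counter(hashes).values() if n > 1)


# Constructed user table: three accounts share one weak password.
SAMPLE_PASSWORDS = ["crackthis", "crackthis", "crackthis", "2Wla{0(.h%mWk87"]

if __name__ == "__main__":
    fast = [unsalted_sha1(p) for p in SAMPLE_PASSWORDS]
    slow = [hash_password(p) for p in SAMPLE_PASSWORDS]
    print("duplicate unsalted hashes:", duplicate_hash_count(fast))  # 1
    print("duplicate salted hashes:  ", duplicate_hash_count(slow))  # 0
    print("verify ok:", verify_password("crackthis", slow[0]))
```

The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a migration table.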
3:55 am on May 19, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14769
votes: 445


Insisting on good security is a poor user experience?
I did a site audit for a company and noticed their password requirements were weak. They balked at requiring difficult-to-guess passwords and a minimum number of characters because they felt it was a poor user experience.

This had nothing to do with SEO but I felt it merited mentioning since getting hacked could be catastrophic to a business.
4:40 am on May 19, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts:15095
votes: 146


This is a pretty old breach. Hopefully people whose data was taken have done some routine password maintenance since 2012...
12:48 pm on May 19, 2016 (gmt 0)

Preferred Member

5+ Year Member

joined:Jan 6, 2011
posts:485
votes: 8


Nice, maybe I can find my pw now
1:20 pm on May 19, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25472
votes: 743


The breach goes back to 2012, and it was thought that a much smaller number was stolen. However, this indicates it was a much bigger breach than first thought.

It's not just the fact that the same passwords may be used on other sites, but an e-mail address can give thieves pointers to other services, and, of course, help towards identity theft.
5:47 pm on May 19, 2016 (gmt 0)

Full Member

joined:July 23, 2015
posts: 254
votes: 76


>> @JAB Creations how many times a day do people in real life over-complicate the crap out of something simple? This is when you're actually supposed to be abusive, enjoy it for once people!

No. Don't do it, people. If you are NOT A BANK (or for god's sake, a .gov), don't overcomplicate passwords.

Making someone type lower/upper, two numbers and a symbol, and making someone change a password every month --- right there is a DEATH to your business. Nobody is going to remember your complicated passwords. Are you sure your business is THAT important?

>> @martinibuster: Insisting on good security is a poor user experience?

Yes, it is. If you are not a bank and don't store credit cards, extreme security is a kiss of death.

I have now to remember over 150 passwords. Have been doing business online for a lo-o-o-ong time. It is IMPOSSIBLE to remember 10, let alone 150. Now, try to remember which one's which and how each webmaster decided to restrict it.

Basically by now everyone should assume their email and passwords are wide open out there to be stolen. So use multiple. Use your private email and a strong password for financial info. Use throw-away, chit-chat email and whatever for everything else.

But for god's sake, dear webmasters, don't over-complicate passwords.
6:56 pm on May 19, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14769
votes: 445


Yes, it is. If you are not a bank and don't store credit cards, extreme security is a kiss of death.

Agreed! This was for a company for which credit cards and security were essential.
7:42 pm on May 19, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15028
votes: 665


a company for which credit cards and security were essential

I thought we were talking about LinkedIn? They sent the same mass mailing to everyone, including the people on free accounts that sure as ### never gave them any credit-card information.

I couldn't remember my LI password, and had to consult the Keychain, which managed to have four separate LinkedIn entries over the years. (I deleted them all, to avoid confusing myself in the future.) Surely That Other Platform has an equivalent storage system?
2:45 am on May 20, 2016 (gmt 0)

Senior Member

joined:July 29, 2007
posts:1780
votes: 100


Forget going to change your LinkedIn password if you rarely use the service, the safer thing to do is close the account. If you insist on keeping it then make it an incredibly difficult one such as the salt key for a WordPress installation. You know where that salt is within your files and can copy-paste it from there + you can make a mental note to change, say, the 4th character to a 6 after you paste it. Good luck cracking that even with a robust system.

2Wla{0(.h%mWk87",!m@Bj$bP-)=,Rm3&n^4 <---- much better than 'crackthis' or some such.

Just don't ever store the password in a built-in password protector, crooks know to look there.
5:22 am on May 20, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15028
votes: 665


crooks know to look there

If someone breaks into my house, physically removes my computer and brings it to someone with the savvy to extract its administrator password,* I think my LinkedIn password will be pretty far down on my list of worries. But then, the only reason I've got a LI account at all is that you don't decline an invite from your 80-year-old father. Never use it for anything.


* In this neck of the woods, crooks aren't of a caliber to know how to do both.
6:23 am on May 20, 2016 (gmt 0)

Full Member

joined:Nov 5, 2013
posts:216
votes: 21


LinkedIn made me change my password today...sounds legit.
8:46 am on May 20, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25472
votes: 743


I have now to remember over 150 passwords.

Why try? If you have that many passwords you can use a system, such as KeePass, to do it for you.

Yes, it's LinkedIn, but, don't miss the point that identity theft is worth a great deal, even if that includes an e-mail. Identity thieves are persistent, and know what to look for to build a profile, and they will find the weakest link. It's a complicated crime, with high rewards, but it can be done without physically breaking into anyone's property. It can be done from their bedroom.

Webmasters have a duty to protect their users' data, but it's often the user that can make it easier for the thieves with weak passwords.
6:36 pm on May 20, 2016 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8616
votes: 266


>>such as KeePass

- Get a password manager
- use a complex password and two-factor authentication with it
- use it to generate long, random passwords
- never use the same password twice

That's just the basics for 2016. If everyone did just that, though, it would make these breaches way less serious.

Where the breach becomes a problem is when you use your LinkedIn password as your email password and they get in there and then start doing password resets for your bank account, which they now intercept and so on and so on.
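The list above recommends letting a password manager generate long, random passwords, and an earlier post holds up a 36-character string like `2Wla{0(.h%mWk87",!m@Bj$bP-)=,Rm3&n^4` against `crackthis`. The block below is an added example, not code from the thread or from any password manager: it generates passwords from the OS CSPRNG and puts numbers on the comparison, expressing a password's shape as bits of entropy and as expected cracking time at an assumed guess rate. The guess rate is a constructed figure for illustration only.

```python
"""Added example: generate manager-style random passwords and size them in bits.

Not from the thread or any real password manager. The guess rate used for
the time estimate is a constructed, illustrative figure.
"""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols, the usual manager default.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG.

    secrets.choice is unbiased over the alphabet; random.choice is seeded
    from predictable state and must not be used for credentials.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def dictionary_entropy_bits(dictionary_size: int, words: int) -> float:
    """Entropy if the password is 'words' items picked from a dictionary.

    'crackthis' looks like 9 lowercase letters (about 42 bits if random) but
    as two common English words its real search space is far smaller.
    """
    return words * math.log2(dictionary_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years to search half the space at a given guess rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed rate: a hypothetical offline rig trying unsalted fast hashes.
    RATE = 1e11

    pw = generate_password(24)
    print("generated:", pw)
    print("24 random chars from 94 symbols:",
          round(entropy_bits(24, len(ALPHABET)), 1), "bits,",
          f"{years_to_crack(entropy_bits(24, len(ALPHABET)), RATE):.2e} years")
    print("'crackthis' as 9 random lowercase letters:",
          round(entropy_bits(9, 26), 1), "bits,",
          f"{years_to_crack(entropy_bits(9, 26), RATE):.4f} years")
    print("'crackthis' as 2 words from a 20,000-word list:",
          round(dictionary_entropy_bits(20_000, 2), 1), "bits,",
          f"{years_to_crack(dictionary_entropy_bits(20_000, 2), RATE):.2e} years")
```

The point of the numbers is that length and true randomness dominate: the same 94-symbol alphabet with 9 characters gives about 59 bits, with 24 characters about 157, while a memorable word pair barely clears 28 bits regardless of which special characters a policy demands.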
7:45 pm on May 21, 2016 (gmt 0)

Junior Member from US 

5+ Year Member

joined:Dec 23, 2008
posts:157
votes: 5


What was strange to me was that LI sent the "change your password" message to my LI account email addy AND to 4 _other_ email addy's I have! At first that made it look a lot like a spam run. They had no business knowing of or using those.

Jonesy
7:04 pm on May 22, 2016 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8616
votes: 266


They constantly ask you if you want to connect this or that address book. If you've ever done that, they know that account and possibly your other accounts if they're linked... in... so to speak
4:49 pm on May 23, 2016 (gmt 0)

Junior Member from US 

5+ Year Member

joined:Dec 23, 2008
posts:157
votes: 5


True about that. But, I have NEVER rolled over and exposed my address book to them. I do my email with alpine on a FreeBSD VPS -- using a wildcard email account. However, a few "friends" have obviously done that as I have received invitations to 'connect' on email addy's that are NEVER used with LinkedIn. I'm sure it would be an easy task for LI to associate those email addys with my account email, and that is probably what has happened. sigh...

typo correction due to sticky "T" key...
4:53 pm on May 23, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25472
votes: 743


Jonesy, it could be a mobile version of LI that has connected those. It's one reason I dumped LI from my phone. I hate it when apps do that and automatically connect accounts and contacts! It takes ages, or is impossible, to unravel it again.
6:17 pm on May 23, 2016 (gmt 0)

Full Member

joined:July 23, 2015
posts: 254
votes: 76


@engine: Why try? If you have that many passwords you can use a system, such as KeePass, to do it for you.

I am using one, won't tell which one. It's inconvenient in that once you use it for a few months, you start forgetting passwords and stop being able to log in yourself.

>> @ergophobe: Get a password manager use a complex password and two-factor authentication with it . use it to generate long, random passwords ... That's just the basics for 2016

Are you going to be using your one computer forever? What about: mobile, desktop, 5 laptops, office PCs, friend computers etc. etc. Are you going to log in to some remote password manager there? What if your PC crashes and dies? What's your contingency plan?

If you generate random encrypted passwords, I can guarantee you are going to lose access to some places. You are lucky if it isn't your strong password generator and email.

>> @Jonesy: I have NEVER rolled over and exposed my address book to them

Pleeease, folks. It's 2016. They can find ways to get to your address book. They can buy that, it can be stolen by a hack, virus or adware, or some "social" "plugin". etc. etc. If you have more than 3 friends you are in one of their social databases.

I have seen hackers trying to break into my server via dictionary attack using one of my throw-away passwords. I know they know it is mine, there's just no other way. So these "social" sites not only just leaked emails, they leak connections as well.
6:27 pm on May 23, 2016 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8616
votes: 266


smilie - I'm definitely not going to answer those questions in a public forum, but all those problems are solvable and none of those worry me. And yes, I can get and have gotten locked out temporarily until able to go to my fallback. So I couldn't get into my email for a few hours. Big deal.

Is there inconvenience? Yep
Is it bombproof? Nope
If someone really wanted to hack me, could he? No doubt

My feeling is that it's like a gazelle on the Serengeti. You don't have to be the fastest gazelle in the herd, you just have to be faster than the slowest ones. But sometimes the lion appears at just the right time and place to catch and eat the fastest gazelle in the herd.

I don't go crazy over the top in a way that causes huge inconvenience, but I try not to be the easiest catch in the herd.
8:25 am on May 24, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts:15095
votes: 146


Are you going to be using your one computer forever? What about: mobile, desktop, 5 laptops, office PCs, friend computers etc. etc. Are you going to log in to some remote password manager there? What if your PC crashes and dies? What's your contingency plan?

There are fairly secure ways to remotely access or back up password stores. These days it's probably more secure not to know most of your own passwords.
4:45 pm on May 24, 2016 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8616
votes: 266


more secure not to know most of your own passwords.

The password always was and always will be a terrible means of authentication. It has long been a goal in security circles to find a way to turn back the clock and start over in a world without passwords. The problem is, especially in the case of weak passwords, it is convenient.

The stated goal (can't find the reference, but read this in the last week) that Intel has which motivates their True Key password manager is a three-step process:

1. Get people to use a password manager
2. Once doing that, there is no advantage to a weak over strong password, so the next step is to get people to use long, complex, random passwords
3. Once they don't know and don't interact with the actual passwords, there is no advantage of passwords over other forms of authentication and you can actually rethink security intelligently.

But the first step is getting people to use a password manager.

True Key is supposedly aimed at the "app" problem where many password managers fail (i.e. authenticating you within applications other than browsers so you can truly manage all passwords).

True Key itself lets you sign in with facial recognition or fingerprint. Modern facial recognition systems require you to move around or make facial gestures so that someone can't present a high-res photo or, in a very high-stakes world, cut off your head.
4:50 pm on May 24, 2016 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8616
votes: 266


This doesn't lay out the plan as outlined above, but here's an official Intel statement

"Our goal is the elimination of passwords altogether," says Mark Hocking, a vice president with Intel Security.
-- [usatoday.com...]