2012 LinkedIn hack

LinkedIn hack
	200px LinkedIn leaked out approximately 6.5 million passwords as of June 8, 2012.
Location	Globally
Cause	Hack
Website	www.linkedin.com

Lua error in package.lua at line 80: module 'strict' not found. Lua error in package.lua at line 80: module 'strict' not found.

The social networking website LinkedIn was hacked on 5 June 2012, and passwords for nearly 6.5 million user accounts were stolen by Russian cybercriminals.^[1]^[2] Owners of the hacked accounts were no longer able to access their accounts, and the website repeatedly encouraged its users to change their passwords after the incident.^[3] Vicente Silveira, the director of LinkedIn,^[4] confirmed, on behalf of the company, that the website was hacked in its official blog. He also said that the holders of the compromised accounts would find their passwords were no longer valid on the website.^[5]

The stolen passwords, which were hashed (i.e. just a checksum was stored, allowing testing whether a given password is the correct one), were cracked and posted on a Russian password forum later on that day. By the morning of June 6, passwords for thousands of accounts were available online in plain text. Graham Cluley of the internet security firm Sophos warned that the leaked passwords could be in the possession of criminals by 6 June.^[6] LinkedIn said, in an official statement, that they would email all its members with security instructions and instructions on how they could reset their passwords.^[7]

In May of 2016, LinkedIn discovered an additional 100 million email addresses and hashed passwords that claimed to be additional data from the same 2012 breach. In response, LinkedIn invalidated the passwords of all users that had not changed their passwords since 2012.^[8]

Reaction by communities and users

Rep. Mary Bono Mack of the United States Congress commented on the incident, "How many times is this going to happen before Congress finally wakes up and takes action? This latest incident once again brings into sharp focus the need to pass data protection legislation." Senator Patrick Leahy said, "Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking ... Congress should make comprehensive data privacy and cybercrime legislation a top priority."^[9]^[10] Marcus Carey, a security researcher for Rapid7, said that the hackers had penetrated the databases of LinkedIn in the preceding days.^[11] He expressed concerns that they may have had access to the website even after the attack. Michael Aronowitz, Vice President of Saveology said, "Everyday hundreds of sites are hacked and personal information is obtained. Stealing login information from one account can easily be used to access other accounts, which can hold personal and financial information." Security experts indicated that the stolen passwords were encrypted in a way that was fairly easy to decrypt, which was one of the reasons for the data breach.^[12] Katie Szpyrka, a long time user of LinkedIn from Illinois, USA, filed a $5 million lawsuit against LinkedIn, complaining that the company did not keep their promises to secure connections and databases. Erin O’Harra, a spokeswoman working for LinkedIn, when asked about the lawsuit, said that lawyers were looking to take advantage of that situation to again propose the bills SOPA and PIPA in the United States Congress.^[13] An amended complaint was filed on Nov. 26, 2012 on behalf of Szpyrka and another premium LinkedIn user from Virginia, USA, named Khalilah Gilmore–Wright, as class representatives for all LinkedIn users who were affected by the breach.^[14] The lawsuit sought injunctive and other equitable relief, as well as restitution and damages for the plaintiffs and members of the class.^[14]

Response from LinkedIn

LinkedIn apologized immediately after the data breach, and asked its users to immediately change their passwords.^[1] The Federal Bureau of Investigation assisted the LinkedIn Corporation in investigating the theft. As of 8 June 2012, the investigation was still in its early stages, and the company said it was unable to determine whether the hackers were also able to steal the email addresses associated with the compromised user accounts as well.^[15] LinkedIn said that the users whose passwords are compromised would be unable to access to their LinkedIn accounts using their old passwords.^[16]

Controversy

Internet security experts said that the passwords were easy to unscramble because of LinkedIn's failure to use a salt when hashing them, which is considered an insecure practice because it allows attackers to quickly reverse the scrambling process using existing standard rainbow tables, pre-made lists of matching scrambled and unscrambled passwords.^[17] Another issue that sparked controversy was the iOS app provided by LinkedIn, which grabs personal names, emails, and notes from a mobile calendar without the user's approval.^[18] Security experts working for Skycure Security said that the application collects a user's personal data and sends it to the LinkedIn server. LinkedIn claimed the permission for this feature is user-granted, and the information is sent securely using the Secure Sockets Layer (SSL) protocol. The company added that it had never stored or shared that information with a third party.^[19]

References

Cite error: Invalid <references> tag; parameter "group" is allowed only.

Use <references />, or <references group="..." />

↑ ^1.0 ^1.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^14.0 ^14.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.

[officialnotice-1] 1.0 ^1.1 Lua error in package.lua at line 80: module 'strict' not found.

[2] Lua error in package.lua at line 80: module 'strict' not found.

[3] Lua error in package.lua at line 80: module 'strict' not found.

[4] Lua error in package.lua at line 80: module 'strict' not found.

[5] Lua error in package.lua at line 80: module 'strict' not found.

[dm1-6] Lua error in package.lua at line 80: module 'strict' not found.

[7] Lua error in package.lua at line 80: module 'strict' not found.

[2016-more-data-8] Lua error in package.lua at line 80: module 'strict' not found.

[9] Lua error in package.lua at line 80: module 'strict' not found.

[10] Lua error in package.lua at line 80: module 'strict' not found.

[11] Lua error in package.lua at line 80: module 'strict' not found.

[12] Lua error in package.lua at line 80: module 'strict' not found.

[13] Lua error in package.lua at line 80: module 'strict' not found.

[PCworld.com-14] 14.0 ^14.1 Lua error in package.lua at line 80: module 'strict' not found.

[15] Lua error in package.lua at line 80: module 'strict' not found.

[16] Lua error in package.lua at line 80: module 'strict' not found.

[17] Lua error in package.lua at line 80: module 'strict' not found.

[18] Lua error in package.lua at line 80: module 'strict' not found.

[19] Lua error in package.lua at line 80: module 'strict' not found.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

v t e Hacking in the 2010s
Major incidents	Operation Aurora (2010) Australian cyberattacks (2010) Operation Payback (2010) HBGary Federal (2011) DigiNotar (2011) Operation Tunisia (2011) 2011 PlayStation Network outage (2011) Operation AntiSec (2011) Stratfor email leak (2012–13) LinkedIn hack (2012) South Korea cyberattack (2013) Snapchat hack (2013) Operation Tovar (2014) iCloud leaks of celebrity photos (2014) Sony Pictures Entertainment hack (2014) Office of Personnel Management data breach (2015) Hacking Team (2015) Ashley Madison data breach (2015) VTech data breach (2015) Bangladesh Bank heist (2016) Commission on Elections data breach (2016)
Groups	Anonymous associated events CyberBerkut Bureau 121 Derp GNAA Goatse Security Hacking Team Iranian Cyber Army Lizard Squad LulzRaft LulzSec NullCrew PayPal 14 PLA Unit 61398 RedHack Syrian Electronic Army TeaMp0isoN Tailored Access Operations UGNazi Yemen Cyber Army
Individuals	George Hotz Guccifer Hector Monsegur Jeremy Hammond Junaid Hussain Kristoffer von Hassel Mustafa Al-Bassam Ryan Ackroyd Topiary The Jester weev
Vulnerabilities discovered	Heartbleed (2014) Shellshock (2014) POODLE (2014) JASBUG (2015) Stagefright (2015) DROWN (2016) Badlock (2016)
Malware	Careto / The Mask CryptoLocker Dexter Duqu FinFisher Flame Gameover ZeuS Mahdi Metulji botnet NSA ANT catalog R2D2 (trojan) Shamoon Stars virus Stuxnet

2012 LinkedIn hack

Contents

Reaction by communities and users

Response from LinkedIn

Controversy

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools