Wednesday, May 18, 2016

Rumor mill: LinkedIn password breach

Update May 18 10:00 CDT: LinkedIn has confirmed that the password dump is real, but that it originated from the 2012 data breach. The social media site is notifying affected users and requiring a password change for anyone who had an account in 2012, and has not changed their password since.

 The rumor mill has it that some 170 million LinkedIn username and passwords are available on the black market, offered for sale to anyone willing to pay the equivalent of a few thousand dollars US.

 Several investigators that I trust have suggested it is likely true - but also likely old news. LinkedIn confirmed a data breach in 2012 involving usernames and passwords, though on a much smaller scale. The most reliable sources I have suggest that these 170 million passwords are in fact from the 2012 breach.

 If you haven't changed your LinkedIn password since 2012, do so now. We know there was a confirmed breach at that time. 

 Even if you have changed your password since then, it can't hurt to change it again. It takes about 30 seconds, and it renders the rumored password dump useless against you, whether or not it contains your actual password. LinkedIn provides simple instructions for changing your password.

 As an additional step, consider enabling multifactor authentication for your LinkedIn account. With multifactor authentication enabled, you add your phone number to your LinkedIn account. LinkedIn will send a one-time-use code to you via SMS (text message) anytime a login request comes from a device you have not logged in from before. As I have written before, phone-based multifactor is possible to defeat - but it is far stronger than just a password.

 Your LinkedIn profile is an extension of your professional identity; a stolen password could allow someone to embarrass you. Possibly worse, with access to your LinkedIn account, an attacker could reach out to your connections to abuse their trust in you. Your connections would assume the attacker was in fact you. For that reason, social media accounts should be well protected.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Posted by at 0 Comments
Tags: , , , , , ,
Apple Versus FBI - What does it really mean?

I have avoided weighing in on the FBI versus Apple fray thus far. While I have an opinion, there are people smarter than me, ...

Lame social engineering attempt I received this morning

Why not just be up front and say “Tell me everything about you so I can steal your identity?"  A refreshing break from ...

In the wake of a disaster, be alert for relief scams

Updated 2016 October 7: As Hurricane Matthew makes its way up the US East Coast, I've updated this post with advice ...

Someone's watching the baby, and it isn't you

"A greyscale image of a webcam," by Asim Saleen, used under license CC BY-SA 3.0 It seems like a scene out ...

Securing a home network with the RT-AC87 wireless router

Let's say you want a wireless network in your home or small office. Maybe it's a new home, or maybe you're upg ...

YOU MAY ALSO LIKE