Wednesday, May 18, 2016

Rumor mill: LinkedIn password breach

Update May 18 10:00 CDT: LinkedIn has confirmed that the password dump is real, but that it originated from the 2012 data breach. The social media site is notifying affected users and requiring a password change for anyone who had an account in 2012, and has not changed their password since.

The rumor mill has it that some 170 million LinkedIn username and passwords are available on the black market, offered for sale to anyone willing to pay the equivalent of a few thousand dollars US.

Several investigators that I trust have suggested it is likely true - but also likely old news. LinkedIn confirmed a data breach in 2012 involving usernames and passwords, though on a much smaller scale. The most reliable sources I have suggest that these 170 million passwords are in fact from the 2012 breach.

If you haven't changed your LinkedIn password since 2012, do so now. We know there was a confirmed breach at that time. 

Even if you have changed your password since then, it can't hurt to change it again. It takes about 30 seconds, and it renders the rumored password dump useless against you, whether or not it contains your actual password. LinkedIn provides simple instructions for changing your password.

As an additional step, consider enabling multifactor authentication for your LinkedIn account. With multifactor authentication enabled, you add your phone number to your LinkedIn account. LinkedIn will send a one-time-use code to you via SMS (text message) anytime a login request comes from a device you have not logged in from before. As I have written before, phone-based multifactor is possible to defeat - but it is far stronger than just a password.

Your LinkedIn profile is an extension of your professional identity; a stolen password could allow someone to embarrass you. Possibly worse, with access to your LinkedIn account, an attacker could reach out to your connections to abuse their trust in you. Your connections would assume the attacker was in fact you. For that reason, social media accounts should be well protected.