Four years ago, LinkedIn suffered a massive security breach potentially affecting millions of its users. But after the company advised them to change their passwords, the episode was all but forgotten. Until now.
For anyone who didn’t get LinkedIn’s memo in 2012 and has continued using the same password years later—a security faux pas unto itself—now would be a good time to take the company’s advice.
“Humans are inherently bad at making passwords and continue to reuse passwords despite the obvious risks.”
According to a Motherboard report published Wednesday, the stolen passwords have resurfaced on a Dark Net marketplace, where they may be purchased at any moment for a mere 5 bitcoins (roughly $2,200).
What’s more, the total number of accounts affected by the breach appears to have been greatly underreported. According to Motherboard’s sources, there are 167 million accounts detailed in the hacked database; around 117 million of those allegedly contain both emails and encrypted passwords. (LinkedIn stored the passwords using an outmoded, yet unfortunately common cryptographic algorithm that was broken by Chinese engineers nearly a decade ago.)
Ninety percent of the passwords were cracked within 72 hours, LeakedSource, a paid hacked-data search engine, told Motherboard. The news site contacted one user who confirmed their LinkedIn account and said the password recovered by the hackers was authentic.
As online services have become more of a utility and less of an extravagance in the 21st century, it has become increasingly difficult for Internet users to devise and memorize unique passwords for each of the dozens, if not hundreds, of websites they visit. Actually remembering to change this multitude of passwords on a routine basis is just as difficult.
By no coincidence, the LinkedIn users most at risk are those who used the same password on LinkedIn as they did for their email account. With access to a victim’s email, a malicious hacker could potentially reset dozens of passwords tied to the account, effectively taking over a person’s identity online, and in doing so gain access to delicate personal and financial information.
Compounding the issue, the most secure passwords—those that are less vulnerable to simple password-cracking attacks—continue to be unpronounceable strings of seemingly random letters, numbers, and special characters.
For this reason, many security experts recommend the use of a secure password manager, such as LastPass or 1Password, which generates and stores lengthy, complex passwords so users don’t have to. In December 2014, LastPass rolled out a feature that allows users to automatically update passwords with a single click. The feature currently supports 75 major websites, including LinkedIn, Facebook, Twitter, and Amazon.
“Humans are inherently bad at making passwords and continue to reuse passwords despite the obvious risks,” Joe Siegrist, vice president and general manager of LastPass, told the Daily Dot on Wednesday. “Using unique passwords for all your online accounts ensures that if they’re leaked in a breach like this one, they can’t be used by hackers to get into any of your other accounts. If you’re not doing this, you’re doing it wrong.”
Correction: Motherboard published its report on Wednesday.