Go change your old LinkedIn password right now—it might be for sale
A four-year-old hack is back from the dead.
Four years ago, LinkedIn suffered a massive security breach potentially affecting millions of its users. But after the company advised them to change their passwords, the episode was all but forgotten. Until now.
For anyone who didn’t get LinkedIn’s memo in 2012 and has continued using the same password years later—a security faux pas unto itself—now would be a good time to take the company’s advice.
According to a Motherboard report published Wednesday, the stolen passwords have resurfaced on a Dark Net marketplace, where they may be purchased at any moment for a mere 5 bitcoins (roughly $2,200).
What’s more, the total number of accounts affected by the breach appears to have been greatly underreported. According to Motherboard’s sources, there are 167 million accounts detailed in the hacked database; around 117 million of those allegedly contain both emails and encrypted passwords. (LinkedIn stored the passwords using an outmoded, yet unfortunately common cryptographic algorithm that was broken by Chinese engineers nearly a decade ago.)
Ninety percent of the passwords were cracked within 72 hours, LeakedSource, a paid hacked-data search engine, told Motherboard. The news site contacted one user who confirmed their LinkedIn account and said the password recovered by the hackers was authentic.
As online services have become more of a utility and less of an extravagance in the 21st century, it has become increasingly difficult for Internet users to devise and memorize unique passwords for each of the dozens, if not hundreds, of websites they visit. Actually remembering to change this multitude of passwords on a routine basis is just as difficult.
By no coincidence, the LinkedIn users most at risk are those who used the same password on LinkedIn as they did for their email account. With access to a victim’s email, a malicious hacker could potentially reset dozens of passwords tied to the account, effectively taking over a person’s identity online, and in doing so gain access to delicate personal and financial information.
Compounding the issue, the most secure passwords—those that are less vulnerable to simple password-cracking attacks—continue to be unpronounceable strings of seemingly random letters, numbers, and special characters.
For this reason, many security experts recommend the use of a secure password manager, such as LastPass or 1Password, which generates and stores lengthy, complex passwords so users don’t have to. In December 2014, LastPass rolled out a feature that allows users to automatically update passwords with a single click. The feature currently supports 75 major websites, including LinkedIn, Facebook, Twitter, and Amazon.
“Humans are inherently bad at making passwords and continue to reuse passwords despite the obvious risks,” Joe Siegrist, vice president and general manager of LastPass, told the Daily Dot on Wednesday. “Using unique passwords for all your online accounts ensures that if they’re leaked in a breach like this one, they can’t be used by hackers to get into any of your other accounts. If you’re not doing this, you’re doing it wrong.”
Correction: Motherboard published its report on Wednesday.
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.