Oh, and you should read how Troy Hunt verifies data breaches. Oh yes, so do I, but I really try to live by a certain ethics code. The infosec world has a taste for blood, just like most others. The rat race begins comments, expert analysis, sample dump analysis, “who has the complete dump available? anyone? link? Plz?”. Motherboard breaks the news, the complete dump from 2016 seem to be up for sale.
Because in my experience even a breach notification won’t make people choose a completely different password.
Linkedin data breach ppt password#
Based on this guesstimate alone, I’m curious on how many accounts Linkedin actually initiated password resets for, and I’m curious if they kept any password history at the time to prevent users from reusing old passwords. Joseph Bonneau, at the time a PhD student at Cambridge, wrote on their blog “…s o we might project that the LinkedIn leak represents closer to 12.5 M users if the password distributions are similar“. As we know now, it looks like their entire user database at the time were breached. However 6.5 million users were far from the truth. Some of those were mangled, so the real number was a bit lower. That number was actually number of unique unsalted SHA-1 hashes. One of the fascinating things about the breach back in 2012 is that 6.5 million compromised accounts became the official number of compromised users. As far as I remember it wasn’t even peanuts, and only applicable to paid (=premium) account holders. They really should be more prepared, and they should practice often. To the defense of Linkedin: most organisations are not prepared for incidents like this. How long would you expect to wait before your credit card provider notified and cancelled your card after they knew it had been compromised? From my perspective it didn’t look like they were prepared for something like this to happen. I waited days before my password reset email finally came through. When people logged on to change their password and got news stories about Linkedin being hacked, there was no mandatory or even “For security reasons we encourage you to change your password now”. On the contrary, I was closer to shocked.
I was never impressed with the way Linkedin handled the incident. Temporary conclusion at the time: “if you suddenly hit jackpot and got access to millions of accounts but were not prepared for it, how could you possibly abuse as many of them as possible before they get disabled or have their passwords changed?”. However we didn’t see or hear about any high-profile account takeovers. Because people reuse passwords across multiple services. Where did all the hackers go? The leak was out, and although it only contained unique SHA-1 hashes (=unique passwords), they could still serve as input for online password guessing against accounts across multiple services. I have to admit that I spoke with Dan Goodin the leaked data, and something that baffled at least me.
To close it off, Jeremi Gosney ( wrote The Final Word on the LinkedIn Leak. As part of my ongoing research into passwords, the Linkedin data showed us quite a few interesting fact about colors in passwords (from my old blog). The story made the news, and the story went global. I became the guy who managed to confirm the “6.5 million users” leak was real, after finding a reliable source who confirmed his/her recently updated random Linkedin password in the SHA-1 hashes in the dump. Korelogic ( was the first to report something was going on. I actually thought that was sort of left to the history books now, with no additional news or stories to tell. Posted as LinkedIn’s poor handling of 2012 data breach comes back to haunt them to Graham Cluley’s blog.
0 kommentar(er)
