Last week LinkedIn blogged that the email addresses and LinkedIn passwords of more than 100 million members (reports say 117 million) have been 'released'. The source of these credentials has been confirmed to be the same breach reported in 2012, which at the time was reported to have affected 'only' 6.5 million users.
The professional social network's CIO said in a blog post that the company is working to 'invalidate' affected users' passwords, and that affected users will be asked to perform a password reset. He also recommended that users turn on two-factor authentication.
The list of email addresses and hashed LinkedIn passwords is being offered for sale on an underground web store for the equivalent of about $2,200 in bitcoin.
To LinkedIn's credit, the company has improved its password handling since the 2012 leak. The 2012 passwords, now resurfacing in far greater quantity than previously suspected, were only hashed (with the SHA-1 algorithm) and not 'salted': no per-user random value was combined with each password before hashing. Without a salt, every user who chose the same password ends up with the same hash, and an attacker can hash each candidate password once and match it against the whole dump at the same time, using precomputed tables or a fast wordlist run. Since then the company has handled passwords more carefully, ensuring they are both salted and hashed. (A salt by itself only removes the shared-work advantage; because SHA-1 is fast to compute, a deliberately slow password-hashing function such as bcrypt, scrypt or PBKDF2 is what makes per-user guessing expensive as well.) Moreover, in 2013 LinkedIn rolled out two-factor authentication, a feature that many users, including yours truly, had not been aware of while using the site.
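The following is an added example, not code from the original post or from LinkedIn, showing why unsalted hashes crack so cheaply. The user list, passwords and wordlist are constructed for the demonstration; the salt length and the PBKDF2 iteration count are assumptions. It builds a small dump both ways, then runs the same wordlist against each and counts how many hash evaluations the attacker needs.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users happen to share the same password.
USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "linkedin",
    "carol@example.com": "correct horse battery staple",
}

# Constructed wordlist, standing in for a multi-million-entry cracking list.
WORDLIST = ["password", "123456", "linkedin", "letmein"]


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password, the scheme behind the 2012 dump."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt followed by the password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_unsalted_dump(users):
    return {email: unsalted_sha1(pw) for email, pw in users.items()}


def build_salted_dump(users, salt_len=16):
    """Stores (salt, hash) per user; the salt is not secret, only unique."""
    dump = {}
    for email, pw in users.items():
        salt = os.urandom(salt_len)  # salt_len is an assumed parameter
        dump[email] = (salt.hex(), salted_sha1(pw, salt))
    return dump


def crack_unsalted(dump, wordlist):
    """Hash each candidate once, then match it against every user at once.
    Returns (cracked accounts, number of SHA-1 evaluations)."""
    table = {unsalted_sha1(w): w for w in wordlist}  # one hash per word
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """With a unique salt per user no table can be shared: each candidate must
    be re-hashed for every account. Returns (cracked, evaluations)."""
    cracked, evaluations = {}, 0
    for email, (salt_hex, h) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            evaluations += 1
            if hmac.compare_digest(salted_sha1(w, salt), h):
                cracked[email] = w
                break
    return cracked, evaluations


def slow_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Salted and deliberately slow (PBKDF2-HMAC-SHA256); the iteration count
    is an assumed value chosen to make each guess cost real work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_slow_hash(password: str, salt: bytes, stored: str, iterations: int = 600_000) -> bool:
    return hmac.compare_digest(slow_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    plain = build_unsalted_dump(USERS)
    print("same hash for alice and bob (unsalted):",
          plain["alice@example.com"] == plain["bob@example.com"])
    print("unsalted:", crack_unsalted(plain, WORDLIST))
    salted = build_salted_dump(USERS)
    print("salted:  ", crack_salted(salted, WORDLIST))
```

Run stand-alone, the unsalted dump cracks both shared-password accounts with as many SHA-1 calls as there are words, while the salted dump costs up to one call per (word, user) pair and gives the two 'linkedin' users different hashes. The `slow_hash` pair shows the shape of the stronger scheme the text alludes to: salt plus an iterated function, so that even the per-user guessing loop becomes expensive.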
Two-factor authentication addresses exactly this class of attack: according to Verizon's latest Data Breach Investigations Report, 63% of confirmed breaches involved weak, default or stolen passwords, and a second factor means a leaked or guessed password alone is not enough to log in. That is why every company should consider it the first line of defense in its Secure the Breach data protection strategy.
With passwords so easily compromised through a plethora of methods, including database theft, brute-force and wordlist attacks, credential reuse across sites and phishing, social networks may want to consider making two-factor authentication the default rather than the exception.