![]() I think shareholders in major service providers expect this as a mandatory move for damage control. Of course Linkedin does a Barbra Streisand, and ask lawyers to remove the leak from the internet. Oh, and you should read how Troy Hunt verifies data breaches. Oh yes, so do I, but I really try to live by a certain ethics code. The infosec world has a taste for blood, just like most others. The rat race begins comments, expert analysis, sample dump analysis, “who has the complete dump available? anyone? link? Plz?”. Motherboard breaks the news, the complete dump from 2016 seem to be up for sale. Because in my experience even a breach notification won’t make people choose a completely different password. Joseph Bonneau, at the time a PhD student at Cambridge, wrote on his blog “…so we might project that the LinkedIn leak represents closer to 12.5 million users if the password distributions are similar”.īased on this guesstimate alone, I’m curious on how many accounts Linkedin actually initiated password resets for, and I’m curious if they kept any password history at the time to prevent users from reusing old passwords. However 6.5 million users were far from the truth.Īs we know now, it looks like their entire user database at the time were breached. Some of those were mangled, so the real number was a bit lower. That number was actually number of unique unsalted SHA-1 hashes. One of the fascinating things about the breach back in 2012 is that 6.5 million compromised accounts became the official number of compromised users. As far as I remember it wasn’t even peanuts, and only applicable to paid (=premium) account holders. They really should be more prepared, and they should practice often. To the defense of Linkedin: most organisations are not prepared for incidents like this. How long would you expect to wait before your credit card provider notified and cancelled your card after they knew it had been compromised? From my perspective it didn’t look like they were prepared for something like this to happen. I waited days before my password reset email finally came through. ![]() When people logged on to change their password and got news stories about Linkedin being hacked, there was no mandatory or even “For security reasons we encourage you to change your password now”. On the contrary, I was closer to shocked. I was never impressed with the way Linkedin handled the incident. Temporary conclusion at the time: “if you suddenly hit jackpot and got access to millions of accounts but were not prepared for it, how could you possibly abuse as many of them as possible before they get disabled or have their passwords changed?”. However we didn’t see or hear about any high-profile account takeovers. Because people reuse passwords across multiple services. The leak was out, and although it only contained unique SHA-1 hashes (=unique passwords), they could still serve as input for online password guessing against accounts across multiple services. I have to admit that I spoke with Dan Goodin about the leaked data, and something that baffled at least me. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |