2012 LinkedIn hack

The 2012 LinkedIn hack refers to the computer hacking of LinkedIn on June 5, 2012. Passwords for nearly 6.5 million user accounts were stolen. Yevgeniy Nikulin was convicted of the crime and sentenced to 88 months in prison.

Owners of the hacked accounts were unable to access their accounts. LinkedIn said, in an official statement, that they would email members with instructions on how they could reset their passwords. In May 2016, LinkedIn discovered an additional 100 million email addresses and passwords that had been compromised from the same 2012 breach.

History

The hack

The social networking website LinkedIn was hacked on June 5, 2012, and passwords for nearly 6.5 million user accounts were stolen by Russian cybercriminals. [1] [2] Owners of the hacked accounts were no longer able to access their accounts, and the website repeatedly encouraged its users to change their passwords after the incident. [3] Vicente Silveira, the director of LinkedIn, [4] confirmed on behalf of the company, in its official blog, that the website had been hacked. He also said that the holders of the compromised accounts would find their passwords were no longer valid on the website. [5]

In May 2016, LinkedIn became aware of an additional 100 million email addresses and hashed passwords that were being presented as further data from the same 2012 breach. In response, LinkedIn invalidated the passwords of all users who had not changed their passwords since 2012. [6]

Leak

A collection containing data about more than 700 million users, believed to have been scraped from LinkedIn, was leaked online in September 2021 in the form of a torrent file, after hackers had earlier tried to sell it in June 2021. [7]

Reaction

Internet security experts said that the passwords were easy to unscramble because LinkedIn had not used a salt when hashing them. Storing unsalted hashes is considered insecure because it lets attackers reverse the hashing quickly using existing rainbow tables, precomputed tables that map hashes back to the passwords that produced them. [8] Another issue that sparked controversy was the iOS app provided by LinkedIn, which collects personal names, emails, and notes from a mobile calendar without the user's approval. [9] Security experts working for Skycure Security said that the application collects a user's personal data and sends it to the LinkedIn server. LinkedIn claimed that permission for this feature was user-granted and that the information was sent securely over the Secure Sockets Layer (SSL) protocol. The company added that it had never stored or shared that information with a third party. [10] [11]
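To make the experts' point concrete, here is an added illustration in Python; it is not code from the article or from any of its sources. The user records and the short list of common passwords are constructed for the example. SHA-1 stands in for the unsalted hash (the leaked LinkedIn hashes were in fact unsalted SHA-1, a detail the article itself does not mention), and PBKDF2-HMAC-SHA256 with a random per-user salt is used as the corrected scheme. The `audit_duplicate_hashes` check goes slightly beyond the text: it is the kind of test a defender can run over a credential store to spot unsalted storage, since identical hash values across different accounts cannot occur once each record has its own salt.

```python
"""Why unsalted password hashes fall to precomputed lookups, and the fix.

Added illustration: the credential records and the password list below are
constructed for this example and are not LinkedIn data.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed user records (plaintext shown only so the demo can hash them).
# alice and carol chose the same weak password; dave's is not in the common list.
SAMPLE_USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "password1",
    "carol@example.com": "linkedin",
    "dave@example.com": "c0rrect-h0rse-b4ttery",
}

# Constructed stand-in for a precomputed table: a handful of common passwords
# hashed ahead of time. A real table is vastly larger, but the principle is the
# same: it is built once and reused against any unsalted dump.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "linkedin", "password1"]

# Assumed work factor; OWASP's guidance for PBKDF2-HMAC-SHA256 is in this range.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: the same password yields the same hash for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def precomputed_table(candidates) -> dict:
    """hash -> plaintext, computed once; this is the reusable part."""
    return {unsalted_sha1(pw): pw for pw in candidates}


def recover_from_unsalted(stored: dict, table: dict) -> dict:
    """Without a salt, matching a stored hash is one dictionary lookup per user."""
    return {user: table[h] for user, h in stored.items() if h in table}


def audit_duplicate_hashes(stored: dict) -> dict:
    """Defensive check: the same hash value under several accounts is a tell-tale
    sign of unsalted storage, because a salted scheme never repeats a digest."""
    by_hash = defaultdict(list)
    for user, h in stored.items():
        by_hash[h].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> dict:
    """The corrected scheme: a random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def store_salted(users: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    return {user: hash_salted(pw, iterations=iterations) for user, pw in users.items()}


def recover_from_salted(stored: dict, table: dict) -> dict:
    """The same precomputed table is useless here: no stored digest equals the
    unsalted hash of any candidate, so work cannot be shared across users."""
    return {user: table[rec["digest"].hex()]
            for user, rec in stored.items() if rec["digest"].hex() in table}


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    weak = store_unsalted(SAMPLE_USERS)
    print("unsalted, matched :", recover_from_unsalted(weak, table))
    print("duplicate hashes  :", audit_duplicate_hashes(weak))
    strong = store_salted(SAMPLE_USERS, iterations=10_000)  # lowered only to keep the demo quick
    print("salted, matched   :", recover_from_salted(strong, table))
    print("verify alice      :", verify_salted("linkedin", strong["alice@example.com"]))
```

Run as a script, the unsalted store gives up three of the four accounts to a five-entry table, and the audit flags alice and carol as sharing a hash. The salted store yields nothing to the same table, the two identical passwords produce different digests, and `verify_salted` still authenticates the right password because the salt is stored beside the digest rather than kept secret.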

Rep. Mary Bono Mack of the United States Congress commented on the incident, "How many times is this going to happen before Congress finally wakes up and takes action? This latest incident once again brings into sharp focus the need to pass data protection legislation." Senator Patrick Leahy said, "Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking ... Congress should make comprehensive data privacy and cybercrime legislation a top priority." [12] [13]

Marcus Carey, a security researcher for Rapid7, said that the hackers had penetrated the databases of LinkedIn in the preceding days. [14] He expressed concerns that they may have had access to the website even after the attack.

Michael Aronowitz, Vice President of Saveology, said, "Every day hundreds of sites are hacked and personal information is obtained. Stealing login information from one account can easily be used to access other accounts, which can hold personal and financial information." Security experts indicated that the stolen passwords were encrypted in a way that was fairly easy to decrypt, which was one of the reasons for the data breach. [15]

Katie Szpyrka, a long-time user of LinkedIn from Illinois, United States, filed a $5 million lawsuit against LinkedIn, complaining that the company had not kept its promises to secure connections and databases. Erin O'Harra, a spokeswoman for LinkedIn, when asked about the lawsuit, said that lawyers were looking to take advantage of the situation to again propose the SOPA and PIPA bills in the United States Congress. [16]

An amended complaint was filed on November 26, 2012 on behalf of Szpyrka and another premium LinkedIn user from Virginia, United States, named Khalilah Gilmore-Wright, as class representatives for all LinkedIn users affected by the breach. [17] The lawsuit sought injunctive and other equitable relief, as well as restitution and damages for the plaintiffs and members of the class. [17]

Response from LinkedIn

LinkedIn apologized immediately after the data breach and asked its users to change their passwords immediately. [1] The Federal Bureau of Investigation assisted the LinkedIn Corporation in investigating the theft. As of June 8, 2012, the investigation was still in its early stages, and the company said it was unable to determine whether the hackers had also been able to steal the email addresses associated with the compromised user accounts. [18] LinkedIn said that users whose passwords were compromised would be unable to access their LinkedIn accounts using their old passwords. [19]

Arrest and conviction of suspect

On October 5, 2016, Russian hacker Yevgeniy Nikulin was detained by Czech police in Prague. The United States had requested an Interpol warrant for him. [20]

A United States grand jury indicted Nikulin and three unnamed co-conspirators on charges of aggravated identity theft and computer intrusion. Prosecutors alleged that Nikulin stole a LinkedIn employee's username and password and used them to gain access to the corporation's network. Nikulin was also accused of hacking into Dropbox and Formspring, and of conspiring to sell stolen Formspring customer data, including usernames, email addresses, and passwords. [21]

Nikulin was convicted and sentenced to 88 months of imprisonment. [22]

References

  1. "An update on the hack". LinkedIn. Retrieved June 8, 2012.
  2. "Hackers steal 6.5 million passwords from LinkedIn". Herald Sun. Retrieved June 8, 2012.
  3. "LinkedIn Confirms, Apologizes for Stolen Password Breach". Mashable.com. June 6, 2012. Retrieved June 8, 2012.
  4. "LinkedIn busy to investigate". The Economic Times. June 10, 2012. Retrieved July 20, 2012.
  5. "Update: LinkedIn confirms it is hacked". PCWorld.com. June 6, 2012. Archived from the original on September 14, 2012. Retrieved June 8, 2012.
  6. "Protecting Our Members". LinkedIn. Retrieved May 25, 2016.
  7. "Hackers leak LinkedIn 700 million data scrape". TheRecord.media. September 22, 2021. Retrieved September 25, 2021.
  8. "LinkedIn suffers data breach - security experts". Reuters. June 6, 2012. Archived from the original on November 6, 2014. Retrieved June 8, 2012.
  9. Kingsley-Hughes, Adrian. "LinkedIn iOS app grabs names, emails, notes from your calendar". Forbes.com. Retrieved June 8, 2012.
  10. "LinkedIn iOS app privacy issues concern people". Mashable.com. June 6, 2012. Retrieved June 8, 2012.
  11. Gune, Aditya (2017). "The Cryptographic Implications of the LinkedIn Data Breach". arXiv:1703.06586 [cs.CR].
  12. "LinkedIn Passwords Leaked... Congress Immediately Wants To 'Do Something!'". Techdirt.com. June 7, 2012. Retrieved June 8, 2012.
  13. Sasso, Brendan (June 6, 2012). "Lawmakers concerned by report that LinkedIn passwords were stolen". Hillicon Valley. Retrieved July 25, 2012.
  14. "Hacker claims to have stolen millions of passwords". The Mercury News. Retrieved June 7, 2012.
  15. "Over 6 million encrypted LinkedIn passwords leaked online" (Press release). Margate, FL: PRWeb. Retrieved April 18, 2013.
  16. "LinkedIn sued for $5 million over hacked passwords". The News Tribe.com. June 21, 2012. Retrieved June 23, 2012.
  17. Constantin, Lucian (March 6, 2013). "LinkedIn wins dismissal of lawsuit seeking damages for massive password breach". PC World. IDG News Service. Retrieved April 3, 2012.
  18. "FBI to help LinkedIn". Gadgets.NDTV.com. Retrieved June 8, 2012.
  19. "LinkedIn gets hacked". Fox10TV.com. Retrieved June 8, 2012.
  20. Treshchanin, Dmitry; Shchetko, Nick (October 20, 2016). "Exclusive: Digital Trail Betrays Identity Of Russian 'Hacker' Detained In Prague". RadioFreeEurope/RadioLiberty.
  21. "U.S. Charges Russian Hacker With Stealing LinkedIn Data". RadioFreeEurope/RadioLiberty. October 22, 2016.
  22. Stone, Jeff (September 29, 2020). "LinkedIn hacker Nikulin sentenced to 7 years in prison after years of legal battles". Archived from the original on September 29, 2020. Retrieved November 23, 2020.