LinkedIn Grapples with the Ripples of a 2012 Data Breach

Pillsbury - Internet & Social Media Law Blog
Contact

Last week on the official LinkedIn blog, the company’s chief information security officer, Cory Scott, reported the company had become aware of an additional set of data that has just been released consisting of e-mail and hashed password combinations of more than 100 million LinkedIn members. This recent release is related to a 2012 unauthorized access and disclosure of LinkedIn members’ passwords:

Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach. –Linkedin Official Blog, May 18, 2016

In response to the breach, LinkedIn invalidated passwords for accounts created prior to the 2012 breach whose owners had not updated their passwords since the 2012 breach, and they also began letting individual members know if they needed to reset their passwords. The notices included the following instructions (received on May 19):

LinkedIn message

Originally, LinkedIn suspected that 6.5 million encrypted passwords were stolen, but it now seems that number may have been as high as 160 million e-mail and password combinations.

In his blog post, Cory Scott noted that LinkedIn has been “salting” or appending random data to passwords before they are encrypted to make them less decryptable/breakable for several years (probably since the 2012 theft). Specifically, salting is primarily used to defend against dictionary attacks, in which a cybercriminal tries to determine a decryption key by trying multiple passwords that are more likely to succeed (e.g., list of words from a dictionary).

After the 2012 attack, LinkedIn worked with the FBI to investigate the password theft. In thinking about theft-of-password situations, it is important to remember that they are theft, and that law enforcement agencies like the FBI can be brought in to assist in investigating theft of electronic assets, which includes users’ passwords.

This latest resurfacing of an older breach should serve both as reminder and example. It’s a reminder that the size of a data breach is seldom known immediately, and that the ramifications for a company—just in terms of account security—can linger for years. It is also an example of the importance of continual evaluation and action by any company whose passwords have been compromised. Even after new security measures are in place, there may still be a need to address issues created from a breach years earlier.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury - Internet & Social Media Law Blog | Attorney Advertising

Written by:

Pillsbury - Internet & Social Media Law Blog
Contact
more
less

Pillsbury - Internet & Social Media Law Blog on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.