In recent years, LinkedIn has suffered multiple high-profile data breaches that exposed the personal information of hundreds of millions of users. These breaches raised serious questions about LinkedIn’s ability to protect user data and privacy. This article will examine the major LinkedIn data breaches, how the breaches occurred, what data was exposed, and the implications for LinkedIn users.
LinkedIn 2012 Data Breach
In 2012, LinkedIn suffered a data breach that impacted over 6.5 million user accounts. This breach occurred after hackers were able to obtain LinkedIn user credentials from an unknown third-party website. Using these credentials, the hackers were able to log in to LinkedIn accounts and extract user email addresses and passwords. At the time, LinkedIn was using a weak hashing algorithm to store passwords, making it easy for hackers to crack the passwords once extracted.
This breach went undetected for over a month before LinkedIn became aware of what had happened. LinkedIn invalidated the compromised passwords and required affected users to reset their passwords. However, the damage was already done – 6.5 million email addresses and passwords were now in the hands of hackers and could be used to access other accounts or sold on the dark web.
Data exposed
- 6.5 million user email addresses and passwords
LinkedIn 2016 Data Breach
In 2016, a much larger LinkedIn breach came to light. This breach, which was believed to have occurred in 2012, resulted in the data of over 164 million LinkedIn accounts being compromised and sold online. The data for sale included email addresses, passwords, and other profile information.
This massive breach was made possible because LinkedIn was storing passwords in plain text, without any kind of encryption or hashing. The database of credentials was put up for sale on the dark web, allowing the buyer to gain access to any of the 164 million accounts. Many security experts criticized LinkedIn for such a massive failure to follow basic password security best practices.
Data exposed
- 164 million user email addresses and passwords
- Names, phone numbers, addresses
- Other profile data
How Did the Breaches Happen?
LinkedIn’s data breaches occurred due to a combination of security lapses, software vulnerabilities, and hacker ingenuity.
Security Lapses
LinkedIn failed to follow some basic security best practices, making the breaches much worse than they should have been. Storing passwords in plain text rather than encrypting them is a major security no-no, as it means that anyone gaining access to the database can immediately see the passwords. LinkedIn also failed to implement sufficient authentication requirements, making it easy for hackers to gain access and extract data once inside.
Software Vulnerabilities
Hackers were able to exploit vulnerabilities in LinkedIn’s software to gain unauthorized access. Keeping software up to date with the latest security patches is critical for preventing intrusions. LinkedIn may have been running outdated software with known vulnerabilities that were exploited by the hackers.
Hacker Skills
The hackers were able to use a variety of techniques such as credential stuffing to gain access to LinkedIn accounts. Credential stuffing is when hackers try leaked credentials from one site on other major sites. With over 164 million sets of credentials to work with, hackers had a vast library to pull from. Brute force attacks may have also been utilized, trying millions of password combinations to crack accounts. The hackers demonstrated patience, persistence, and technological skills to gain access and extract user data from LinkedIn systems.
What Was the Impact of LinkedIn’s Breaches?
The LinkedIn data breaches had significant repercussions for impacted users. The hacked LinkedIn credentials also had downstream effects across the internet.
Account Safety
The most immediate impact was that millions of LinkedIn accounts were compromised. Hackers could access and take over accounts, lock out the real users, and use the accounts for criminal activity. Any personal data in the accounts was now also in the hands of criminals.
Credential Stuffing
The large caches of email addresses and passwords were leveraged for credential stuffing attacks across the web. Hackers tried the credentials on other major sites like Gmail, Hotmail, iTunes, and even banking sites. With millions of credentials to cycle through, many accounts on other sites were breached.
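Credential stuffing, as described here and under Hacker Skills, has a recognisable shape in a site's own login logs: one source tries many different accounts with one or two attempts each, which is the opposite of a brute-force run against a single account. The following is an added example, not code from the article or from LinkedIn, that runs that check over constructed log lines; the log format, the thresholds and the IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: one login attempt per line (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample, not real traffic. 203.0.113.9 cycles through many
# different accounts with one attempt each (the stuffing signature);
# 198.51.100.7 is an ordinary user who mistypes once, then succeeds.
SAMPLE_LOG = """\
2016-05-18T10:00:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2016-05-18T10:00:09Z ip=198.51.100.7 user=alice@example.com result=OK
2016-05-18T10:00:10Z ip=203.0.113.9 user=bob@example.com result=FAIL
2016-05-18T10:00:11Z ip=203.0.113.9 user=carol@example.com result=FAIL
2016-05-18T10:00:12Z ip=203.0.113.9 user=dave@example.com result=FAIL
2016-05-18T10:00:13Z ip=203.0.113.9 user=erin@example.com result=OK
2016-05-18T10:00:14Z ip=203.0.113.9 user=frank@example.com result=FAIL
2016-05-18T10:00:15Z ip=203.0.113.9 user=grace@example.com result=FAIL
"""

def parse(log_text):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield event

def detect_stuffing(log_text, window=timedelta(minutes=5), min_attempts=5, min_users=4):
    """Flag source IPs that, inside a sliding time window, hit at least
    `min_users` distinct accounts with at least `min_attempts` total tries.
    Returns {ip: {"attempts": n, "users": n, "successes": n}}; any
    successes inside a flagged window are accounts to treat as compromised."""
    by_ip = defaultdict(list)
    for event in sorted(parse(log_text), key=lambda e: e["ts"]):
        by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            if len(win) >= min_attempts and len(users) >= min_users:
                flagged[ip] = {"attempts": len(win), "users": len(users),
                               "successes": sum(e["result"] == "OK" for e in win)}
    return flagged
```

The thresholds are deliberately low so the constructed sample trips them; on a real login stream they should be tuned against the normal per-source fan-out.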
Phishing Scams
Users’ email addresses were now known to scammers, who could launch targeted phishing scams. Masquerading as LinkedIn or other sites, scammers tried to get users to click malicious links, give up more info, or install malware.
Reputational Harm
The breaches hurt LinkedIn’s reputation with users and raised questions about its trustworthiness. Users had to decide whether it was safe to continue using a platform that leaked their data.
Class Action Lawsuit
Unhappy users banded together to sue LinkedIn, eventually reaching a $1.25 million settlement in 2015 over the 2012 breach and LinkedIn’s handling of it.
How LinkedIn Responded to the Breaches
Following these high-profile breaches, LinkedIn took a number of steps to try and regain user trust around security:
- LinkedIn began encrypting and salting stored passwords to render stolen passwords useless if breached again.
- Two-factor authentication was introduced as an added account security measure.
- Security teams and processes were updated to better detect and respond to threats.
- Bug bounty programs were established to encourage friendly security researchers to find and report vulnerabilities.
- Messaging was improved around security incidents to be more transparent with users.
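The difference between the password storage criticised under Security Lapses and the salted, slow hashing listed above is easiest to see side by side. The example below is added here and is not LinkedIn's code: it stores the same constructed passwords with a fast unsalted hash and with salted PBKDF2, then runs a small audit showing that unsalted storage reveals which users share a password (so one cracked entry exposes the whole group) while salted storage does not. The iteration count and the sample users are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

ITERATIONS = 600_000  # PBKDF2 work factor; assumed value, tune per deployment

def weak_hash(password: str) -> str:
    """The kind of storage the article criticises: a fast hash with no salt.
    Equal passwords always produce equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 with a random
    16-byte salt. Returns (salt, digest); both are stored with the account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = strong_hash(password, salt)
    return hmac.compare_digest(candidate, digest)

def shared_hash_groups(stored: dict) -> list:
    """Audit helper: users whose stored digest is identical share a password.
    With unsalted hashes anyone holding the dump can see this, and cracking
    one member of a group cracks every member."""
    groups = defaultdict(set)
    for user, digest in stored.items():
        groups[digest].add(user)
    return [g for g in groups.values() if len(g) > 1]

# Constructed sample accounts; two of them chose the same password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "correct horse"}

def compare_storage() -> tuple:
    """Return (groups found in unsalted storage, groups found in salted storage)."""
    weak = {u: weak_hash(p) for u, p in USERS.items()}
    strong = {u: strong_hash(p)[1].hex() for u, p in USERS.items()}
    return len(shared_hash_groups(weak)), len(shared_hash_groups(strong))

if __name__ == "__main__":
    print(compare_storage())  # (1, 0): only the unsalted store leaks the shared password
```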
While no security is perfect, LinkedIn has made significant security improvements since the breaches occurred. However, some users remain wary given the large scale of the stolen data.
Best Practices for LinkedIn Users
Despite LinkedIn’s security improvements, users should take steps to protect themselves given the company’s breach history:
- Enable two-factor authentication on your LinkedIn account.
- Create a unique, complex password for LinkedIn that is different from passwords on other sites.
- Be skeptical of unsolicited emails claiming to be from LinkedIn.
- Monitor your LinkedIn activity for any unauthorized access.
- Be cautious of third-party apps requesting LinkedIn permissions.
- Avoid connecting with strangers or suspicious profiles.
Following these best practices helps minimize your risk from LinkedIn data breaches or account takeovers. Be especially wary of phishing attempts leveraging personal info from the breaches.
The Future of LinkedIn Security
While no one can guarantee systems are 100% breach-proof, LinkedIn has shown commitment to significantly upgrading its security after being caught flat-footed. The company now has a team of seasoned security experts working diligently to protect user data. Some of their priorities include:
- Utilizing AI to detect suspicious activity and possible intrusions
- Adopting a zero-trust security model that assumes breach attempts are constant
- Implementing robust encryption, hashing, salting for stored user credentials
- Employing penetration testers to probe for weaknesses
- Rapidly deploying any security updates for software vulnerabilities
LinkedIn also continues expanding its bug bounty program to tap into the crowdsourced power of friendly hackers. With these initiatives and others, LinkedIn aims to be an industry leader in security going forward.
Conclusion
LinkedIn’s data breaches exposed millions of users’ personal information and highlighted security practices that were grossly inadequate at the time. While the damage to users and LinkedIn’s brand was significant, the company has taken major steps to upgrade its security and regain user trust. Users, however, should still take precautions given the sensitivity of the stolen information. Going forward, LinkedIn will be under the microscope to ensure its security matches its size and continues improving against evolving threats. Careful security practices combined with user vigilance will help keep LinkedIn data breaches firmly in the past.