In May 2016, LinkedIn was the victim of a massive data breach that exposed the personal information of over 164 million user accounts. This breach ranks as one of the largest and most severe data breaches in history due to the sensitivity of the stolen data.
What data was compromised in the LinkedIn breach?
The hackers were able to obtain email addresses, passwords, and other personal data from LinkedIn user profiles. Here is a summary of the data that was compromised:
- Email addresses: 167 million email addresses were leaked, representing the majority of LinkedIn’s user base at the time.
- Passwords: Over 6.5 million hashed passwords were leaked. While the passwords were stored as hashes rather than in plaintext, security experts warned they could be cracked.
- Other profile data: Names, phone numbers, physical addresses, geolocation data, and more were exposed for millions of members.
In total, information from over 164 million LinkedIn accounts was compromised and posted for sale on the dark web. This represented a staggering majority of LinkedIn’s user base, which had over 433 million members at the time.
How did the breach happen?
The LinkedIn data breach was the work of Russian cybercriminals associated with a hacker group known as Tsar Team (1). They exploited a vulnerability in LinkedIn’s API system to gain initial access.
From there, the hackers obtained LinkedIn user data, likely through credential stuffing attacks. In credential stuffing, attackers take lists of usernames and passwords leaked from other breaches and “stuff” (try) them against the login pages of other sites, gaining access to any account whose owner reused the same credentials.
Once inside, the hackers were able to exfiltrate the trove of user data that was later leaked online. LinkedIn confirmed that their systems were compromised in a blog post on May 18, 2016 (2).
When did LinkedIn discover the breach?
LinkedIn became aware their systems were compromised in early May 2016. On May 5th, the hackers listed a sample of the stolen data for sale on the dark web.
LinkedIn then launched an investigation, confirming on May 18th that user data had indeed been taken. However, there are indications LinkedIn may have known about a potential breach as early as March 2016 (3).
Some security analysts criticized LinkedIn for not discovering and disclosing the breach sooner. However, LinkedIn maintained there were no signs of suspicious activity prior to May 5th when the sample of data was listed for sale (4).
How did LinkedIn respond?
Upon discovering the breach, LinkedIn took the following steps:
- Launched an internal investigation into the compromised systems.
- Engaged law enforcement and outside cybersecurity experts.
- Revoked compromised credentials to prevent further misuse.
- Encouraged users to change passwords on other sites if reused.
- Released public statements notifying users of the breach.
- Provided an online tool for users to determine if they were impacted.
LinkedIn also stated they would accelerate previously planned security upgrades, including:
- Implementing password hashing techniques like salting and stretching.
- Enhancing tools to detect compromised accounts.
- Strengthening account lockout policies for failed login attempts.
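To make the salting and stretching item concrete, here is an added example (not LinkedIn's code, and the sample passwords are constructed) contrasting an unsalted single-round SHA-1 store with a salted, stretched PBKDF2-HMAC-SHA256 store: with the weak scheme, two users who chose the same password produce the same digest, so one precomputed table resolves both; with the strong scheme every record is unique and each guess costs hundreds of thousands of hash iterations.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample passwords (not real LinkedIn data); two users share one.
SAMPLE_PASSWORDS = ["password123", "password123", "correct horse battery"]

def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-1. Equal passwords give equal digests, so
    one precomputed table resolves every user who chose the same password."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Salted and stretched: PBKDF2-HMAC-SHA256 with a random 16-byte salt
    and a high iteration count, stored as iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def distinct_digests(hash_fn, passwords=SAMPLE_PASSWORDS) -> int:
    """How many distinct stored values a set of passwords produces."""
    return len({hash_fn(p) for p in passwords})

if __name__ == "__main__":
    print("unsalted SHA-1 distinct:", distinct_digests(weak_hash))   # 2: shared password collapses
    print("salted PBKDF2 distinct:", distinct_digests(strong_hash))  # 3: every record unique
```

The iteration count is a tunable assumption; a memory-hard function such as Argon2 or scrypt would be the current preference, but PBKDF2 is used here because it ships with the standard library.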
While critics argued LinkedIn should have detected the breach sooner, LinkedIn was generally praised for their swift and thorough response once the incident was discovered (5).
What was the impact of the breach?
The LinkedIn breach had several major consequences:
- User trust was damaged – Many members were understandably upset that the platform failed to protect their data. Some closed their accounts as a result.
- Credential stuffing surged – The release of millions of real usernames and passwords drove a rise in credential stuffing attacks against other sites.
- Class action lawsuits were filed – LinkedIn faced multiple lawsuits due to the breach, claiming they failed to adequately protect user data.
- Scams and spam increased – The flood of personal data enabled follow-on phishing attacks and scams impersonating LinkedIn.
While the monetary costs were estimated to be in the millions, the bigger damage was to LinkedIn’s reputation and relationship with its users. However, besides an initial drop in membership, LinkedIn saw minimal long-term negative impacts to its business (6).
Could LinkedIn have prevented the breach?
While no system is entirely secure, experts believe LinkedIn could have taken steps to prevent or minimize this breach:
- Impose stricter API controls to limit data access.
- Implement multi-factor authentication for user accounts.
- Monitor systems for suspicious activity indicating unauthorized access.
- Encrypt sensitive data fields like passwords using robust methods.
- Rapidly detect and block credential stuffing attacks.
Adopting security best practices around access controls, monitoring, encryption, and credential security might have detected the malicious activity sooner or reduced the amount of data lost.
What lessons were learned?
The LinkedIn breach highlighted important data security lessons, including:
- Defense in depth is critical – single controls will fail.
- Encryption of sensitive data can limit exposure.
- Credential stuffing is a severe threat.
- Breach disclosure and help for affected customers are important.
- Security requires constant vigilance and investment.
Many companies learned from LinkedIn’s mistakes and took steps to strengthen their own security. LinkedIn itself invested heavily in security after the incident, and some analysts say they emerged more secure as a result (7).
Conclusion
The LinkedIn data breach of 2016 stands as one of the largest and most damaging security incidents to date. Over 160 million users had their personal data compromised and sold on the dark web.
This breach highlighted major vulnerabilities around access controls, encryption, credential security, and breach response. While no systems are impenetrable, experts agree LinkedIn could have implemented protections to detect or prevent the attack. The company paid a high reputational cost but ultimately recovered.
The LinkedIn incident serves as an important case study for companies looking to learn from past mistakes and strengthen their own security. It demonstrates the increasing sophistication of cybercriminals and the need for layered defenses and constant vigilance. By learning these lessons, organizations can better secure their systems and protect their customers going forward.