Another instance of a major attack on one of the big social media networks is the one on LinkedIn. It has been reported that the credentials of over 117 million LinkedIn accounts are up for sale online. What is even more bizarre is that these accounts were hacked not recently but almost four years ago, in 2012.
In 2012, LinkedIn announced that 6.5 million accounts had been hacked and their credentials stolen. Accordingly, these users were asked to change their passwords the next time they logged into their accounts: LinkedIn deactivated the affected login ids and informed the users, who were then asked to set new login passwords.
However, what LinkedIn missed was the magnitude of the incident. Not 6.5 million but 117 million passwords were stolen, and they have now been put up for sale. This clearly shows that LinkedIn failed to determine the seriousness of the breach accurately, or even approximately: it could only establish that 6.5 million accounts were compromised and badly misjudged the real number. Its estimate was way off, and after four years the incident has resurfaced.
Now that these accounts have been offered for sale over the internet, LinkedIn has realized it and deactivated all the affected passwords. It then sent a mail to all the users asking them to reset their passwords. This time, however, the company seems to have learned from its mistakes: it has implemented salting and has asked users to reset their passwords using special characters, numbers, and capital and small letters.
Until now, LinkedIn had used plain hashing, where each password is run through a one-way function and only the resulting string is stored. Such hashes are nonetheless easy to crack, because users are usually not careful about their passwords and choose very common ones; the hash of a common password is the same for every user who picks it and can be precomputed, so it is then easy for the hackers to recover it. Salting, on the other hand, adds a random value that is difficult to predict to each password before it is hashed and stored, and LinkedIn is also asking users to create complex passwords. In this way, passwords become much harder to crack.
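As an added illustration of the two schemes just described (example code, not from the original article and not a description of what LinkedIn deployed): two constructed users who chose the same weak password get identical, table-matchable hashes under plain hashing, but distinct hashes once a random salt is added. The choice of PBKDF2-HMAC-SHA256 for the salted version and the small common-password table are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to pick the same common password.
USERS = {"alice": "linkedin123", "bob": "linkedin123"}

# Constructed table of a few common passwords; anyone can precompute their
# plain hashes once and match them against any unsalted password store.
COMMON_PASSWORDS = ["123456", "password", "linkedin123", "qwerty"]

ITERATIONS = 100_000  # assumed work factor for the salted scheme


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: the same input always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def match_unsalted(stored: dict) -> dict:
    """Which stored unsalted hashes appear in a precomputed common-password table."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def demo() -> tuple:
    """Returns (unsalted hashes collide, salted hashes collide, recovered passwords)."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    same_unsalted = unsalted["alice"] == unsalted["bob"]
    same_salted = salted["alice"][1] == salted["bob"][1]
    return same_unsalted, same_salted, match_unsalted(unsalted)


if __name__ == "__main__":
    print(demo())  # (True, False, {'alice': 'linkedin123', 'bob': 'linkedin123'})
```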
Although LinkedIn is now asking users to reset their passwords, the question remains why it did not proactively ask them to do so at any point in the last four years, simply to enhance its security. This shows that it was not serious about the security of its users: only when these logins were put up for sale did LinkedIn take a step in the right direction, as a remedy rather than as a precaution.