It has been reported that a hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, known as Peace, is selling the data on the dark web marketplace The Real Deal for 5 bitcoin (around $2,200). The hacked-data search engine LeakedSource also claims to have obtained the data. Both Peace and one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and hashed passwords. The passwords are not "encrypted" in any reversible sense: the hashes are unsalted SHA-1, so any password that appears in a wordlist can be recovered with a single precomputed lookup, and one lookup table serves the whole dump.
Lisa Baergen, director at NuData Security, reacts: “I sound like a broken record; but here we are again. Just as consumers start to feel secure, news of yet another breach hits the wire. No matter how long it takes to come out, the bottom line is that you have to stop thinking “what IF” and accept that it should be seen as “WHEN”…
Although usernames and passwords can be changed, victims of a breach need to understand that every bit of information exposed is important and may sit dormant for some time, but will be sold in packages on the dark web and compiled to build out solid profiles of your online IDENTITY. Fraudsters are learning that information coupled from various breaches can create more comprehensive 'identity bundles' which sell for a higher value to hackers. With more complete information, more fraud can take place.
As an example, if I'm a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Where credit card fraud was all the rage a couple years ago, it is account takeover and new account fraud that is on the dramatic rise. We saw in our own database of billions of behavioural events annually a 10% month-over-month increase in new account fraud.
Fortunately, there are methods that online providers can use to help keep us consumers safe, while giving true insight into who sits behind the device, and knowing and trusting that it is not the hacker using all of our identity information online.
User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non-intrusive way to us, the consumers. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with our legitimate information ripped from all these breaches. Without even interrupting a user's experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the IDENTITY of the user behind the device.
Good luck hackers; you can keep stealing our data; but we are going to make this data invaluable to you; and you can’t steal my behaviours!”
Rob Sobers, director at Varonis, remarks: “The LinkedIn breach goes to show how a single significant breach can come back to haunt a business (and its customers) again and again. It also highlights just how in-the-dark companies typically are after a breach. After a breach occurs we usually see a statement claiming that the security team has “isolated the affected systems,” but seasoned security researchers know that far too often the scope and severity of a breach is indeterminable due to a lack of comprehensive monitoring and logging.”
Toni Gidwani, director of research at ThreatConnect Inc, says: "What we are likely seeing here is the long tail of the 2012 LinkedIn breach. The good news is that basic security practices, such as not reusing passwords across different sites and leveraging two-factor authentication whenever possible, are an effective way to both prevent unauthorized access to your accounts and to limit the possible contagion when breaches occur.
The long lag time between the breach and passwords now appearing for sale suggests the data has already been mined for other nefarious purposes. LinkedIn, with its rich context of professional networks, is a gold mine for adversaries looking to social engineer targets for future attacks. Which are you more likely to open: an email from a Nigerian prince? Or a link in an article sent by someone you’ve worked with for years? Four years after the fact, the breached data set still has some nominal monetary value, which is why it’s for sale for only a handful of bitcoin. But the trickier question is figuring out who has been exploiting the breached data for the last four years and to what end."
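The "contagion" Gidwani describes is mechanical: unsalted SHA-1 hashes fall to one shared dictionary lookup, and every recovered password is then tried against other sites where the same email is registered. The script below is an added example written for this page; it is not code from the article or from any of the vendors quoted. The dump lines, wordlist and user table are constructed (hypothetical addresses, hashes computed inline), and the second site's PBKDF2-SHA256 storage scheme is an assumption chosen to contrast with the unsalted dump. It recovers the crackable entries from the dump, then performs the defender-side check a site operator would run after such a leak: which of my own users still use a password that is now public?

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Tuple

# --- constructed sample data: hypothetical accounts, not real dump lines ---
WORDLIST = ["linkedin", "password1", "letmein", "Summer2016!", "correcthorse"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1: the scheme behind the 2012 LinkedIn hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


DUMP_LINES = [
    "alice@example.com:" + sha1_hex("linkedin"),
    "bob@example.com:" + sha1_hex("Summer2016!"),
    "carol@example.com:" + sha1_hex("zq9!Vb#ps3mRt7"),  # strong; absent from WORDLIST
    "malformed line without a separator",                 # dumps are never clean
]


def parse_dump(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse 'email:sha1hex' lines; drop anything that is not a 40-hex-digit hash."""
    records = []
    for line in lines:
        email, sep, digest = line.strip().rpartition(":")
        if not sep or len(digest) != 40:
            continue
        try:
            int(digest, 16)
        except ValueError:
            continue
        records.append((email, digest.lower()))
    return records


def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """One SHA-1 per candidate word, computed once and reused for every account."""
    return {sha1_hex(w): w for w in words}


def crack_unsalted(dump: List[Tuple[str, str]], lookup: Dict[str, str]) -> Dict[str, str]:
    """With no salt, cracking is a dictionary lookup per account, not a hash per account."""
    return {email: lookup[digest] for email, digest in dump if digest in lookup}


# --- a second site that stores passwords properly (assumed scheme: PBKDF2-SHA256) ---
ITERATIONS = 100_000


def salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_site_users(creds: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user table: email -> (per-user salt, PBKDF2 hash)."""
    table = {}
    for email, password in creds.items():
        salt = os.urandom(16)
        table[email] = (salt, salted_hash(password, salt))
    return table


def find_reused(recovered: Dict[str, str], site_users: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Defender-side check: which of our users still use a password recovered from the dump?

    The per-user salt means the attacker's SHA-1 lookup table is useless here; each
    candidate must be re-hashed per user, which is exactly the cost a slow, salted
    KDF is meant to impose. We only test the one password known for each address.
    """
    hits = []
    for email, password in recovered.items():
        if email not in site_users:
            continue
        salt, stored = site_users[email]
        if hmac.compare_digest(salted_hash(password, salt), stored):
            hits.append(email)
    return sorted(hits)


if __name__ == "__main__":
    dump = parse_dump(DUMP_LINES)
    recovered = crack_unsalted(dump, build_lookup(WORDLIST))
    print("recovered from unsalted dump:", recovered)
    # Second site: alice reused her LinkedIn password, bob did not, dave is not in the dump.
    site = make_site_users({
        "alice@example.com": "linkedin",
        "bob@example.com": "a-different-password",
        "dave@example.com": "letmein",
    })
    print("accounts to force-reset:", find_reused(recovered, site))
```

Two things the run makes visible: carol's strong password is never recovered even though her hash is in the same dump, and dave's weak password is never exposed because nobody has it from the dump and the salted KDF makes blind guessing per-user work. The force-reset list is the output an operator actually needs; the same loop, run by an attacker against a login endpoint instead of a local table, is credential stuffing.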
Simon Crosby, CTO and co-founder at Bromium, adds: "LinkedIn has had an awful record of securing their service, and this appears to be another confirmation that they operate without due care for the valuable information they curate. I recommend that users be very cautious of using the service because attackers will use compromised accounts to launch other attacks. Change your password now."