The Original Hack
On the 5th June 2012, it was reported that 6.5 million LinkedIn usernames and passwords had been stolen by Russian ‘black hat’ hackers. The passwords were hashed with SHA-1, but a salt was not used - a weak practice that LinkedIn have since changed.
By 6th June 2012, the hashed data had been posted online and within 24 hours 3.5 million of the hashed passwords were cracked using rainbow tables and available in plaintext for those with criminal intent to use as they pleased.
Confessing to the breach, LinkedIn advised that it had identified the vulnerable users and enforced a password reset on the compromised accounts - or so they thought...
The Extended Crime
Fast-forward to May 2016 and it has now been revealed that a further 100 million accounts were compromised in the original hack. For around £1,500, this stolen password information can now be bought online. It has been reported that this database contains approximately 167 million accounts, of which roughly 117 million have both username and password information. It has been claimed by parties with access to the stolen information that 90% of the passwords were cracked within 72 hours of them gaining access to the hashes.
Who's Really To Blame?
A large portion of the blame lies with LinkedIn’s password-storage policies. In 2012, it was LinkedIn’s policy to hash its passwords before storing them, but not to salt them.
Hashing is a one-way process: an algorithm converts the plaintext password into a fixed-length digest from which the password cannot be directly recovered. Salting is the added precaution of combining a random value with each password before it is hashed. Because every user gets a different salt, two users with the same password no longer share the same stored hash, and an attacker cannot crack a whole database at once with a precomputed table of hashes (such as the rainbow tables used against the LinkedIn data); each hash has to be attacked individually, which makes cracking far more difficult.
Using both hashing and salting was already considered best practice in 2012, so LinkedIn’s decision to hash the passwords without applying a salt has been noted as a failure to adequately protect its users.
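As an added illustration (not code from the original post, nor LinkedIn's), the comparison below uses constructed sample accounts to show why unsalted SHA-1 hashes fall to a precomputed lookup table and how a per-user random salt defeats it; the salted variant uses PBKDF2, the deliberately slow hash a practitioner would pair with a salt today.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and carol happen to share a weak password.
USERS = {"alice": "123456", "bob": "linkedin", "carol": "123456"}

# A miniature precomputed table: SHA-1 of a few common passwords, computed once
# and reusable against every unsalted SHA-1 hash ever leaked.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_sha1(password):
    """2012-style storage: bare SHA-1 digest, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt stored beside the digest; PBKDF2 makes each guess slow."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex(), digest.hex()


def verify_salted(password, salt_hex, digest_hex):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def crack_with_table(stored):
    """Pure lookup, no hashing at cracking time: why unsalted hashes fall in hours."""
    return {user: PRECOMPUTED[h] for user, h in stored.items() if h in PRECOMPUTED}


def demo():
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    cracked = crack_with_table(unsalted)
    # Salted digests never match the table, and alice/carol no longer share a digest.
    salted_hits = crack_with_table({u: d for u, (_, d) in salted.items()})
    same_unsalted = unsalted["alice"] == unsalted["carol"]
    same_salted = salted["alice"][1] == salted["carol"][1]
    return cracked, salted_hits, same_unsalted, same_salted


if __name__ == "__main__":
    print(demo())
```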
Since then LinkedIn has changed its security processes and now uses a salt when hashing user passwords. It is also encouraging users to be more mindful of the passwords they use.
An analysis of the stolen passwords has shown that internet users make poor choices when creating login credentials. Of the breached details, the password “1234567” was used more than a million times, with “LinkedIn” as a base word in second place with more than 207,000 uses. Surprisingly – or perhaps unsurprisingly – the word “Password” appears as a password all too often. But even beyond these fundamentally basic passwords, not enough people are using passwords complex enough to deter and withstand cracking attempts.
How Does This Affect Your Company?
It's extremely likely that employees within your business have had their LinkedIn credentials compromised in this breach. What's more likely still is that those employees will be using the same credentials for other applications, including business apps.
This website will tell you whether any of your accounts have been compromised. If accounts have been compromised, the passwords on those applications should be changed immediately, as should the password on any other application where the same one is being used.
Passwords and authentication security are at the heart of protecting your company, both for the third-party applications in use by employees and for safeguarding your organisation's internal systems and data from a data breach. Weak end-user practices are the biggest risk to your organisation, with 65% of data breaches being caused by employees' weak passwords and weak password practices.
What Can You Do to Protect Your Organisation?
Be smart about access and authentication policies; accept that employees are your weakest link and that changing their behaviour is difficult, if not impossible. You can effectively save employees from themselves by making some changes that don’t require them to change the way they work. This can come in a number of forms:
- Remove the need for passwords – where possible, organisations can replace credential-based authentication with token-based authentication (e.g. SAML) by implementing Single Sign-On (SSO).
- Auto-generate passwords – for applications where removing password authentication is not possible, organisations can implement SSO that will auto-generate strong passwords on users’ behalf. This eliminates the vulnerabilities introduced by employees, ensuring passwords are long, strong and unique. Additionally, the SSO auto-fills these credentials when users need to sign into their applications, so employees don’t need to actually remember these complex passwords – a significant usability improvement for employees.
- Mnemonic Password Practices – in situations where users would still need to remember passwords, e.g. Active Directory, it’s important to educate employees on how they can make passwords stronger, but also easier to remember. One such technique is using mnemonics to create a unique password which is all but impossible to crack, e.g. taking the first letter from each word of a sentence such as “My best friend just bought a new iPad which is really great” and adding some entropy would create the password MbFjB&nIpw1rG!. This will still require memory, but remembering a structured sentence and applying it as a password is easier than remembering a random collection of letters, numbers and symbols. The resulting password MbFjB&nIpw1rG! would take a supercomputer around 500 billion years to crack.
If there’s one thing to take away from this blog, it’s that any organisation, no matter how large, can be the target of a hack and become the next LinkedIn. In fact, 90% of large organisations and 74% of smaller organisations had a security breach last year (Source: HM Government Information Security Breaches Survey 2015).
If you'd like to discuss any of the above topics in more detail or find out how My1Login's Single Sign-On can protect your organisation, come and meet us at InfoSec 2016 next week.