The headline screamed at me this morning when I opened my inbox, “117 million LinkedIn user credentials compromised.” I had no reaction as I went to get my first cup of coffee. Credentials have become a commodity to hackers and are sold widely and cheaply in different venues—both in the deep-and open-web. Stolen credit cards and credentials are being offered and exchanged openly every day on social media platforms including Facebook. Open your Facebook app, type in “cvv2” in the search bar, and you will find thousands of stolen personal and financial credentials being sold or given away for free in plain sight.
As I started to read through the news cycles and various reports on the LinkedIn breach, I had many questions that bothered me about it that typically don’t when I see the headlines. Perhaps we are just desensitized in the security industry, but here are the lingering questions I had. Some of which I was able to get perspective on thanks to having access to some of the smartest threat researchers in the world.
My first question was: Knowing the prices we always see reported for stolen credentials in the black market, is there anything to say about the asking price of $2,200 for 117 million passwords? That equates to about 53,000 credentials for $1.
The response: As for pricing, here’s a statistic from our own operation: During April alone, we recovered nearly one million compromised accounts (username and password), and all of them were shared freely on open-web locations. With that in mind, $1 for 53K is expensive!
That brought me to my next question. Is the data quality questionable considering it is being released nearly four years after the initial breach?
The response: The quality is not the issue. Once analyzed, I am sure we will find that most passwords are Password or 123456.
(UPDATE: This turned out to be true as it was released that the most widely used password was “123456” with 753,305 accounts, followed by “linkedin” with 172,523, and“password” with 144,458. Also, the original report on Motherboard stated that despite the passwords being encrypted or hashed, 90% of the passwords were cracked in 72 hours).
However, the one question that I can’t seem to get a consistent answer and have not seen anyone else comment on is if the breach happened in 2012, why are all the credentials just being leaked four years later?
Like many organizations, cybercriminals have a big data problem too as they have a surplus of credentials they are buying and selling in the underground. Also, it’s likely this is not the first time they have been marketed for sale, but rather just the first time it has been reported because many higher end forums have tightly controlled membership – this time though some “friendlies” had infiltrated it and reported.
So with that said, let’s consider the far-reaching implications. Beyond the obvious threat of potential compromise to other organizations as a result of consumers recycling passwords, there is an inherent risk to corporations. What concerns me most about this breach is for the people using their business email to register for LinkedIn. Since we all know how rampant password reuse is, it makes it easier for hackers to identify organizations now and try to hack them.
More than anything, the LinkedIn breach screams in bold and capital letters: PASSWORDS ARE DEAD. These breaches MUST serve as a wake-up call to any organization securing access to user data with simple usernames and passwords. Never mind advice about not storing passwords in an insecure way. How about not using password-only authentication at all?
Wells Fargo was one of the first organizations to very publicly declare the death of passwords by rolling out a plan to replace them altogether with stronger authentication methods within the next five years. Others need to follow their lead. It is time for all organizations to adopt stronger authentication methods, such as biometrics, to protect consumer and enterprise access to data.