On Tuesday Motherboard reported that a hacker was advertising the login
information for over 100 million users from 2012 for sale on a couple of
websites. The hacker has been giving out a sample of 1 million of the users
to sites, and on Wednesday a couple of news and blog sites confirmed that
it appears to be legit. At the same time a hacker team called OurMine has been tweeting that it hacked a few LinkedIn accounts, but they haven’t said that it’s connected to the 2012 hack.
The first question that comes to mind is “Do I care about something from
2012?” but it’s immediately followed by “Have I used LinkedIn since 2012?”
and “When was the last time I changed my passwords?” Since LinkedIn uses
your email address as the username, anyone who gets this information might
try the email and password combination anywhere and everywhere. Keep in mind that whoever buys the data is likely to feed it into software rather than singling out people or manually trying every password. In short, it’s not enough to change just your LinkedIn password if you use the same email and password combination elsewhere.
The passwords were protected with SHA1 hashing. A hash function turns the
password into a fixed-length fingerprint, so if my password is “OpenSesame” it
shows up in the files as “6dbb779fd96cd347fc1d8145b3887c8b2cbcb258”. What sucks
about this is that SHA1 is out of date, so anyone who can search the web for
SHA1 cracking tools can recover the passwords on their own. A
twelve-year-old might be getting this information right now. According to
the hackers, they have already cracked 90% of the data.
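To make the two points above concrete (that leaked credentials get fed into software, and that plain SHA1 is a weak way to store passwords), here is an added example that is not from the original article or from LinkedIn. It builds a small constructed set of email/SHA1 records and a constructed wordlist, shows why an unhashed-salt, fast digest lets one lookup table cover every user at once (the defender's use is to find which accounts need a forced reset), and then shows the hardened form: a per-user random salt with a slow key-derivation function. The account names, passwords, wordlist, salt length and iteration count are all my own choices for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Set

# Constructed sample accounts (not from any real dump). The SHA1 digests are
# computed here from the constructed plaintexts so the example runs offline.
CONSTRUCTED_ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "OpenSesame",
    "bob@example.com": "password1",
    "carol@example.com": "correct-horse-battery-staple-42",
}

# A constructed stand-in for the wordlists that cracking software consumes.
CONSTRUCTED_WORDLIST = ["123456", "password", "password1", "OpenSesame", "linkedin"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA1 of a password: the same input always yields the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# What a leaked "email:hash" file looks like for the constructed accounts.
LEAKED_RECORDS: Dict[str, str] = {
    email: sha1_hex(pw) for email, pw in CONSTRUCTED_ACCOUNTS.items()
}


def exposed_accounts(records: Dict[str, str], wordlist: Iterable[str]) -> Set[str]:
    """Defender-side exposure check.

    Because unsalted SHA1 is deterministic and cheap, one digest per wordlist
    entry covers every user in the file; any account whose hash appears in the
    table has a guessable password and should be force-reset.
    """
    table = {sha1_hex(word) for word in wordlist}
    return {email for email, digest in records.items() if digest in table}


# --- Hardened storage: random per-user salt + slow key derivation -----------

PBKDF2_ITERATIONS = 200_000  # illustrative; pick per your latency budget


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$dk_hex' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two users with the same password get identical SHA1 digests...
    print(sha1_hex("OpenSesame") == sha1_hex("OpenSesame"))
    # ...but different salted PBKDF2 strings, so no shared lookup table applies.
    print(hash_password("OpenSesame") != hash_password("OpenSesame"))
    print(sorted(exposed_accounts(LEAKED_RECORDS, CONSTRUCTED_WORDLIST)))
```

The salted form does not make a weak password strong; it makes every guess cost a full derivation per user instead of one cheap digest for the whole file, which is the property the 2012 hashes lacked.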