• United States




LinkedIn data breach still causing problems

Jun 07, 20164 mins
Endpoint ProtectionSecuritySocial Networking Apps

Failing to take basic security precautions with website passwords puts your data at risk

Do you remember back in 2012 when LinkedIn was hacked? Around 6.5 million user passwords were posted on a Russian blog. There was a mandatory password reset for affected users, and LinkedIn released a statement advising people to enable two-step verification and use stronger passwords.

Four years later, and the passwords of 117 million accounts were compromised.

Worryingly, this came to light only when a hacker put them up for sale, offering data from 167 million accounts in total. If you haven’t changed your LinkedIn password since 2012, you could be at risk. Tech savvy is no protection, as evidenced by the fact that a hacker group used the LinkedIn password dump to hack Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts.

Are you at risk?

The biggest risks here are for people who didn’t change their LinkedIn password after hearing about the 2012 breach and also made the mistake of reusing the same password for another account. Hackers will reuse the same email and password credentials elsewhere as they hunt out further details about you that could be used to steal your identity and turn a profit. You can dramatically reduce the risk simply by having a different password for every account.

It’s also a good idea to change your password when you hear about a data breach somewhere that you have an account, even if you aren’t contacted directly to do so. You can check if your account was compromised at, where you’ll find a searchable database covering breaches at various websites, including LinkedIn.

Dealing with data breaches

LinkedIn also could have, and arguably should have, taken better steps to deal with the breach in 2012. Allowing customers to choose weak passwords and making two-step verification authentication optional is sacrificing security for the sake of convenience. LinkedIn is by no means the only company to make this decision, fearing a loss of customers if security is too burdensome.

Another common facet of data breaches highlighted here is the fact that the victim is often unaware of how deep the breach is.

Smart criminals won’t publicize a data breach or come clean about its depth because they want time to exploit the data. In this case, LinkedIn clearly was unable to determine which accounts had been compromised. Remember this came to light only when a hacker put the details up for sale. Perhaps LinkedIn should have instituted a mandatory sitewide password change as a precaution.

Take precautions now

Obviously, LinkedIn has to accept a lot of blame here. Passwords were stored in SHA1 with no salting, according to Leaked Source, which means they weren’t as secure as they could have been.

Regardless of blame, it’s worth revisiting your security practices if you want to stay safe online. Leaked Source also published a list of the most commonly used passwords. The top entry was “123456,” which is used by 753,305 people, followed by “linkedin,” which is used by 172,523 people. If you choose a password like those, you have to know you’re making it easy for the bad guys.

If you haven’t done so already, change your LinkedIn password now. There’s a built-in color-coding system that will show you if your password is strong or not. You should also avoid reusing the same password on any other website. If you have reused your LinkedIn password elsewhere, change the password on that account, too. Since you’ll be using different, strong passwords on every account, it’s well worth considering a good password manager to help you keep track of them.

You could also turn on two-step verification so that you can keep track of different devices logging into your account. This system sends you a numeric code by text to your phone anytime an unrecognized device tries to sign in, so a criminal would need your password and your cell phone before being able to log into your account.

It may seem like a hassle, but it’s worth jumping through a few hoops to ensure your data are safe.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity,, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.