Ideal time to change your password: it has just been announced that millions of LinkedIn passwords have been leaked on the Dark Web.
It all started in 2012, when an attack on LinkedIn's central database ended with the theft of its users' login information, that is, email addresses and passwords.
At the time it was already a very controversial case for many reasons: not only did it reflect a significant lack of security at LinkedIn, but the company was also criticized for taking too long to notify its users so they could change their passwords. LinkedIn excused itself at the time by stating that it sought to convey the information clearly and avoid confusion.
How millions of LinkedIn passwords ended up out in the open
However, it has now been discovered that the attack was in reality much more serious than LinkedIn originally announced, and we are now seeing the consequences with the publication of 117 million email addresses and passwords. This data is accessible through the TOR network, which allows anonymity, also known as the dark web.
The hacker behind the attack, who calls himself Peace, asks for 5 bitcoin, about 2,012 euros, in exchange for information on 167 million LinkedIn accounts, although he only has the email address and password for 117 million of them.
Passwords were originally stored on LinkedIn's servers as SHA1 hashes, but without a salt. A salt is a set of random bits appended to the value we want to hash, so that recovering the original password from the hash is harder: with a salt, two users with the same password get different hashes, and an attacker cannot reuse one precomputed table of hashes against the whole database.
Since LinkedIn decided not to implement this additional security measure, the passwords have been cracked relatively easily, and some of the people behind the leak say they managed to crack 90% of the passwords in just 72 hours.
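To illustrate the salt point, here is an added Python example (not code from the original article or from LinkedIn): it contrasts the unsalted SHA1 scheme described above with a per-user salted, iterated hash. The user records are constructed sample data, and PBKDF2-HMAC-SHA256 is used only because it ships with the standard library.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to choose the same weak password.
USERS = {"alice@example.com": "linkedin2012", "bob@example.com": "linkedin2012"}


def unsalted_sha1(password):
    """The weak scheme described above: SHA1 over the bare password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=600_000):
    """Hardened form: a random 16-byte salt per user plus a slow, iterated hash.
    The salt is stored alongside the digest; it is not secret, only unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hashes(hashes):
    """Number of stored hashes that repeat another one in the same table."""
    return len(hashes) - len(set(hashes))


def unsalted_collisions(users):
    """Under the unsalted scheme, equal passwords give equal hashes, so one
    cracked hash (or one table lookup) exposes every user in the group."""
    return duplicate_hashes([unsalted_sha1(pw) for pw in users.values()])


def salted_collisions(users):
    """With a per-user salt the same password no longer yields the same hash."""
    return duplicate_hashes([hash_password(pw) for pw in users.values()])
```

Running `unsalted_collisions(USERS)` shows the shared-password leak that the unsalted table exposes, while `salted_collisions(USERS)` returns 0 for the same input.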
Several security sites, such as Have I Been Pwned, have been able to contact some of the users who appear in the leak, and have confirmed that the passwords are accurate and still work, and that those users never received any notification from LinkedIn in 2012.
LinkedIn has a lot to explain
Everything indicates that LinkedIn tried to pass the attack off as something less serious than it really was, and only notified a small portion of the affected users. Representatives of the company have not wanted to make many statements for the moment, although the message they seem to be sending is that they did not really know how much had been stolen.
We are not just talking about LinkedIn: those who buy this database can try those email addresses and passwords on other services, since most people still use the same password on several websites (which is exactly why that is not recommended).
So if you use LinkedIn, the best thing to do is not to wait for the service to notify you, and change your password now.