The obvious takeaway from last week’s LinkedIn data breach revelation, where we learned hackers were selling 117 million LinkedIn usernames, email addresses and passwords from a 2012 breach, is: change your passwords, and change them often.
The not so obvious takeaways come from noted security expert Troy Hunt, creator of the cyber-breach service Have I Been Pwned? and author at Pluralsight. He maintains that the LinkedIn breach illustrates a new hacker ethos and a shifting demographic when it comes to the types of hackers riling the likes of LinkedIn, VTech, TalkTalk and other billion-dollar companies stung by a recent data breach.
“Breach data markets used to be more cloak and dagger. Now the data is a commodity. LinkedIn data is for sale on not just the dark web, but also sites like Leaked Source who are selling what are essentially day-passes to the data,” Hunt said.
When LinkedIn data surfaced on the web last week, Hunt played a small but important role in verifying the data was valid for journalists. The original LinkedIn hack occurred in 2012 and at the time was thought to have involved 6.5 million users. But last week, website The Real Deal said it had 167 million SHA-1-hashed LinkedIn account credentials tied to the 2012 breach for sale for 5 bitcoins or $2,200. LinkedIn filed a cease and desist order to Leaked Source and began to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since.
The danger for LinkedIn users is that while most of the four-year-old LinkedIn data is garbage, there are tens of millions of email addresses out of the 117 million tied to passwords that will still unlock accounts elsewhere on the web today, Hunt said.
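The two defensive steps the article describes, checking a presented password against the leaked unsalted SHA-1 hashes for that email and invalidating passwords not changed since the breach, as an added example (not code from the article, LinkedIn or Have I Been Pwned). The dump lines, hashes and breach date are constructed for illustration.

```python
import hashlib

# Constructed sample of a breach dump in "email:unsalted-sha1-hex" form.
# (The hashes are SHA-1 of "password" and "123456", plus one filler value.)
SAMPLE_DUMP = """\
alice@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
bob@example.com:7c4a8d09ca3762af61e59520943dc26494f8941b
bob@example.com:deadbeef00000000000000000000000000000000
"""
BREACH_DATE = "2012-06-05"  # constructed cutoff; ISO strings compare correctly


def parse_dump(text):
    """Map each email to the set of leaked unsalted SHA-1 hashes seen for it."""
    leaked = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        email, digest = line.rsplit(":", 1)
        leaked.setdefault(email.lower(), set()).add(digest.lower())
    return leaked


def credential_reused(email, password, leaked):
    """True if the password a user just presented hashes to a value leaked for that
    email, i.e. the user is reusing a breached password on this site."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    return digest in leaked.get(email.lower(), set())


def accounts_to_invalidate(users, leaked, cutoff=BREACH_DATE):
    """Policy as described for LinkedIn: every account present in the dump whose
    password has not been changed since the breach date gets its password
    invalidated. Each user is a dict with 'email' and ISO 'last_password_change'."""
    return sorted(
        u["email"]
        for u in users
        if u["email"].lower() in leaked and u["last_password_change"] <= cutoff
    )
```

Comparing a freshly hashed password against the dump at login time is how a site can catch reuse without ever storing the leaked plaintext.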
“With data breaches making headlines every day, we have created a social immunity to them,” Hunt said. This lessens the odds a victim might be motivated to actually take the time to change their universe of potentially impacted passwords.
Hunt says the cumulative effect of a commodity market for breached data, paired with the public’s breach fatigue, is nurturing a new generation of hackers clueless to the social and criminal implications of hacking. He describes a kind of gamification of breaches by young hackers.
“Sometimes these breaches are just kids being kids. In previous generations it might have been a juvenile delinquent spray painting a car or doing something stupid like that. In many cases (today) it’s very young hackers finding vulnerabilities and causing billion dollar brands major headaches,” Hunt said.
Hunt does not discount the class of well-organized and seasoned hackers that does exist, but he points out that it was a 15-year-old boy behind a major breach against phone company TalkTalk in 2015. In the case of a VTech breach last year, it was a 21-year-old who was arrested. The VTech hacker, who exposed personal data of 12 million users and 6.4 million minors, said he did not intend to sell or use the data, but instead to shame VTech for its weak security practices.
“Many of the people breaking into these systems are not aware of the severity of what they are doing. I don’t think they realize it’s highly illegal and something that they could go to jail for. It’s almost as if they don’t think they’re doing anything wrong. Rather, they view themselves as genuinely making the web a better place.”
That said, Hunt believes that the brash idealism that seemed to motivate hackers in the past may be giving rise to a new pragmatism among others within the hacker community. “The way the data is being commercialized is very mainstream. They post the data on easily accessible sites to the public and then the sellers are very shrewd and make an effort to reach out to the media to gain press coverage. It’s very brazen in that regard,” Hunt said.
In the case of LinkedIn, the data cache that surfaced last week followed a familiar hacker playbook. First there was a curation of media to raise awareness of the incident and consequently drive interest of potential buyers, Hunt said.
“That was followed by a bunch of sites popping up selling or sharing the data. Then the legal notices go out and the sites shut down and pop up somewhere else. It’s beginning to sound very familiar?” Hunt said.