LinkedIn is striking back against a website attempting to monetize the 117 million usernames and passwords stolen from the company as part of a 2012 data breach. Website LeakedSource is reporting lawyers representing LinkedIn have served the company a cease and desist order on Wednesday alleging the company is in violation of California’s Computer Fraud and Abuse Act because it is “illegally copying and displaying LinkedIn members’ information” without their consent.
Earlier this week, over 117 million LinkedIn user logins went up for sale on the black market “The Real Deal” by hacker “Peace” for five Bitcoins ($2,280). LeakedSource, which is selling access to the data via a subscription model, claimed it is in possession of 117 million of the LinkedIn account records, which include email addresses and unsalted SHA-1 hashed passwords.
LinkedIn told Threatpost, “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. As a result we have sent a C&D to LeakedSource,” according to a company spokesperson. LinkedIn added it is investigating the resale of its data thoroughly beyond LeakedSource, but at this time no other resellers have been served with a cease and desist notice.
LeakedSource told Threatpost it is in the process of retaining legal counsel and deferred inquiries to its public statement when asked for further comment.
“We received a typical cease and desist letter from LinkedIn’s lawyers and even though we think they’re blowing steam out their ass, for the next couple of days we are going to censor hashes from that particular data set while we consult with our legal team from OUR jurisdiction,” wrote LeakedSource in a response to the LinkedIn legal action posted to its website.
According to the LeakedSource statement, LinkedIn is also demanding the company hand over and then delete all LinkedIn usernames and passwords.
According to security expert Troy Hunt, LinkedIn has few options. “There’s not a lot LinkedIn can do in this case beyond informing victims via emails and forcing password resets, both of which LinkedIn has already done,” he said.
LeakedSource claims California laws are not applicable to the company because it is based outside the United States. The company also claims it is not making the entire database available for sale. It claims its business model is to sell subscriptions to individuals interested in searching its collection of publicly available, compromised databases to verify whether their credentials have been compromised. Prices start at $0.76 a day, with monthly subscriptions also available.
LeakedSource’s terms of service state, “This site’s goal is to make it easy to find where your data has been released publicly such as 000Webhost.com, Xsplit and Neopets.com databases. We are not responsible for any data leaks, we just find them for you and our scripts make them searchable.”
However, security experts say LeakedSource can easily be used by customers to purchase credentials for anyone within its databases.
LeakedSource claims to have only been in business for several months and provides access to “hundreds of databases” acquired by “scouring the dark web for data” and not via hacking. “Some of what we find is very new, some is fairly old. We’re scavengers, not hackers — we don’t get to pick and choose,” it wrote.
LinkedIn says it has begun a password reset for an undisclosed number of customers. “We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach. We are letting individual members know if they need to reset their password,” the company said in a statement.
The message to LinkedIn customers reads in part: “We’ve recently noticed a potential risk to your LinkedIn account coming from outside LinkedIn. Just to be safe, you’ll need to reset your password the next time you log in.”
KoreLogic Security, which analyzed the alleged LinkedIn breach data, believes the entire database is real. Its analysis found the LinkedIn database contains 164,590,819 unique email addresses, 177,500,189 unsalted SHA1 password hashes and 61,829,207 unique hashes.
“As of Thursday May 19 14:09 EDT 2016, we’ve cracked 65% of the lists, after about two hours’ work on our private distributed cracking grid. Approximately 41,500,000 plain-text hashes have been recovered so far. There are literally thousands of new cracks coming in every minute, so the numbers are a bit rough,” KoreLogic Security wrote.
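To show why unsalted SHA-1 hashes fall so quickly and why the dump holds far fewer distinct hashes than records, here is an added example (not code from LinkedIn, KoreLogic or LeakedSource) run over a constructed five-account dump; the account names, passwords and wordlist are made up, and PBKDF2-HMAC-SHA256 with a per-user salt stands in as the hardened alternative.

```python
import hashlib
import os
from collections import Counter

# Constructed sample dump in the shape the article describes: an e-mail
# address paired with an unsalted SHA-1 hash of the password. The
# accounts are made up and the passwords are deliberately weak.
CONSTRUCTED_USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "password1",
    "carol@example.com": "linkedin",
    "dave@example.com": "linkedin",
    "erin@example.com": "Tr0ub4dor&3",
}

def unsalted_sha1(password: str) -> str:
    """The 2012-era scheme: one SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def build_dump(users: dict) -> dict:
    """Map e-mail -> unsalted SHA-1 hex, like the leaked records."""
    return {email: unsalted_sha1(pw) for email, pw in users.items()}

def unique_hash_ratio(dump: dict) -> tuple:
    """Return (total records, distinct hashes). With no salt, every user
    who chose the same password shares one hash, which is why the dump
    has far fewer unique hashes than records (177.5M vs 61.8M above)."""
    return len(dump), len(Counter(dump.values()))

def dictionary_recover(dump: dict, wordlist: list) -> dict:
    """Hash each candidate word once and look every record up against
    that table: one hit recovers every account sharing the hash, so an
    unsalted dump is cracked at the speed of a dictionary lookup."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}

def salted_slow_hash(password: str, salt: bytes = None,
                     rounds: int = 100_000) -> tuple:
    """Hardened alternative: random per-user salt plus a slow KDF.
    Equal passwords no longer share a hash and a precomputed table is
    useless, because each salt would need its own table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest.hex()

if __name__ == "__main__":
    dump = build_dump(CONSTRUCTED_USERS)
    print("records, distinct hashes:", unique_hash_ratio(dump))
    print("recovered:", dictionary_recover(dump, ["123456", "password1", "linkedin"]))
```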