Everyone with a computer lives with passwords one way or another each and every day to protect our businesses and our personal lives. On June 6, 2012 LinkedIn was hacked. Yes, that was nearly four years ago. On that date it was announced that 6.5 million accounts were reported as compromised and stolen by a group of unknown hackers. Now in May of 2016 that list has been officially "leaked" and we are finding out that the initially believed figure of 6.5 million was off (just slightly though, insert sarcasm here). The list contained 117 million account passwords, not the 6.5 million initially thought. That is 110.5 million more stolen accounts than previously expected.
Security is ever more paramount in our lives today. The more information that we present online the more we need to protect our online reputations.
When the initial number was released by LinkedIn back in 2012 they believed (or reported), based on their internal logs, that only 6.5 million accounts were compromised. LinkedIn notified every account that they believed was compromised, made them change their password, and believed all was good. From a standpoint of doing due diligence it sounded good at the time. Those that were not compromised were recommended, but not required, to change their password as well. Hindsight today would recommend that everyone should have changed their passwords. Many users did not change their passwords, and it is believed that four years later many still have not changed them since 2012.
Passwords are typically stored in what is called a hash format. This format takes your password and converts it into a series of numbers, letters, and other characters within the computer. LinkedIn in 2012 used a hashing algorithm called SHA-1. This is a very old computer algorithm originally created back in 1993 and one that is no longer recommended for use. We do not know what they use today but would only hope it is something more secure. As an example, if your password were "password", its SHA-1 hash would be "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8".
The problem with the implementation that LinkedIn used was that every single person who had the password of "password" looked the same. They did not use what is called a "salt", which adds a bit of random and unique information to each account before hashing. This means when you searched the stolen data for "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" you immediately knew everyone that used the word "password" as their password.
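The following is an added example, not code from the original post or from LinkedIn, showing why the missing salt matters. It hashes a constructed set of made-up accounts the way the article describes (unsalted SHA-1), shows that one hash lookup identifies every account sharing a password, and then stores the same passwords with a per-account random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256, with an iteration count chosen here for illustration) so that identical passwords no longer produce identical stored values.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this example; the passwords are deliberately weak.
CONSTRUCTED_USERS = {
    "alice@example.com": "password",
    "bob@example.com": "password",
    "carol@example.com": "Tr0ub4dor&3",
}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme the article says LinkedIn used in 2012."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def unsalted_dump(users: dict) -> dict:
    """Store each account as email -> unsalted SHA-1, as the 2012 data was."""
    return {email: sha1_hex(pw) for email, pw in users.items()}


def accounts_matching(dump: dict, password: str) -> list:
    """With no salt, a single hash comparison reveals every account using `password`."""
    target = sha1_hex(password)
    return sorted(email for email, h in dump.items() if h == target)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-account random salt plus PBKDF2-HMAC-SHA256; stored as 'salthex$keyhex'.

    The iteration count is an assumption for illustration, not a LinkedIn setting.
    """
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + key.hex()


def salted_dump(users: dict) -> dict:
    """Store each account with its own 16-byte random salt."""
    return {email: salted_hash(pw, os.urandom(16)) for email, pw in users.items()}


def verify_salted(stored: str, candidate: str) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = salted_hash(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(stored, recomputed)
```

With the unsalted dump, alice and bob share one hash and are exposed together; with salts, their stored values differ and each must be attacked separately at PBKDF2 cost.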
This list is the initial list of compromised passwords from June 6, 2012 when it was believed that only 6.5 million accounts were compromised. Now with 117 million these could be different but are still important to know and to never use.
Knowing now that more than 6.5 million accounts were compromised, we can no longer say whether someone's account was compromised or not. Back in 2012 LastPass released a free tool to check whether your password was compromised, based on the believed SHA-1 passwords. You can check it yourself at https://lastpass.com/LinkedIn/. This verification tool is now more of a fun check than a practical way to know if you were hacked, since of the 117 million accounts that were compromised, LinkedIn knew about only 6.5 million.
Yes, there were many. At the time of the LinkedIn hack there were two other major reports of hacking attempts. These two companies were eHarmony and Last.fm. LastPass also has tools for checking these accounts. With what we are learning about LinkedIn, though, if you ever had an eHarmony or Last.fm account you might want to consider it compromised as well.
To change your LinkedIn password or find when you last changed your LinkedIn password do the following:
Your information is your reputation online and could affect your current or future employment. Change your password whether you had a LinkedIn account in 2012 or not. It is better to be safe than sorry. If you use the same password on more than one site, we would strongly recommend rethinking that practice. That way, if one site is compromised, only that one account is affected and not any others.