Another wave of hijacked accounts has rocked the Internet, and it gives us one more reason to think about how important two-factor authentication is for everyone.
This time the compromised system belongs to LinkedIn, the largest social network for business professionals. The breach itself actually happened four years ago, in the summer of 2012. Back then attackers got hold of LinkedIn users' email addresses and password hashes, and shortly afterwards 6.5 million of those hashes were posted on the Internet. The hashes were unsalted SHA-1, so a large share of them were cracked within days. The company could not deny the breach and reset the passwords of the accounts whose data had been published. But the damage LinkedIn suffered in 2012 has turned out to be far greater than was assumed at the time.
A few days ago a hacker going by the name Peace_of_mind put the LinkedIn user data up for sale on a darknet marketplace. The seller offers the data of 167 million accounts (117 million of them with passwords) for about $2,200, payable in bitcoin. According to LinkedIn's experts and representatives, this is the very same database that leaked four years ago.
Soon after the 167 million-record database went on sale, a group calling itself OurMine Team hijacked the Twitter and Tumblr accounts of several well-known people, among them Markus Persson, the creator of Minecraft, the singer David Choi and even Twitter co-founder Biz Stone. The hackers claim they did not use the 2012 data. Yet every one of the victims had a LinkedIn account, had linked it to their other accounts, and was among those compromised in 2012. Coincidence?
What should the LinkedIn hacking victims do?
To avoid losing more than has already been lost through the attackers' work and LinkedIn management's negligence, do the following three things right away:
- Change your LinkedIn password. The service has already reset the affected passwords, but it is still better to choose a new one yourself. After this incident the network's administration cannot be trusted one hundred percent: it kept quiet about the true scale of the leak for four consecutive years, apparently hoping the problem would fade away on its own. So create a new, strong LinkedIn password that follows all the usual rules: long, unique, and not derived from the old one.
- Change the passwords of all your other accounts. Most accounts on different services are connected in one way or another, and once a fraudster has one of them they can pivot to the others (which is probably what happened to Choi, Stone and the rest). Despite all the warnings, a large number of people still use at best two or three passwords across every website, and some use a single "universal" password for all of their accounts. In that situation the protection of your data is effectively nil: a leak at any one site becomes a leak at all of them. Only a considered, separate login for each service saves the day. A different password for every account is a necessary precaution, and a password manager makes it a practical one.
- Use two-factor authentication. To keep such stories from recurring, turn on two-factor authentication on every website that supports it. Even when a password database leaks, the attackers still cannot take over the accounts that are protected with a second factor, because a stolen password alone no longer logs them in.
The last point deserves a closer look. Many users believe that 2FA (two-factor authentication) is troublesome, time-consuming and not always reliable. That view is not unreasonable if by 2FA you mean the usual one-time codes delivered by SMS. Intercepting an SMS is not a serious obstacle for a capable attacker: mobile networks route text messages over signalling protocols such as SS7 that were never designed to authenticate anyone, codes can be redirected by SIM-swap fraud against the carrier, and malware on the phone can simply read them. So is it worth the effort of sending and receiving one-time passwords that can be intercepted on the way?
Today two-factor authentication goes well beyond SMS. One of the best tools for it is a hardware token. A TOTP hardware token operates autonomously: it holds a secret shared with the server and generates one-time passwords from that secret and the current time, without any network connection at all, so there is nothing to intercept in transit. Unlike a computer or smartphone, the token runs no user-installable software and has no network interface, so Trojans and other malware cannot infect it. Modern hardware tokens even let you adjust some parameters of password generation without weakening it. The Protectimus OATH hardware tokens (Slim mini, Smart and others), for example, allow the client to choose the OTP length, enable PIN protection of the token itself, and set the lifetime (time step) of the generated OTP passwords.
Together, these settings make it significantly harder for a fraudster to intercept or guess a valid code: a longer OTP enlarges the space a guesser has to search, a shorter lifetime narrows the window in which a captured code is still valid, and the PIN means a stolen token is useless on its own.
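To make the previous two paragraphs concrete, here is the OATH algorithm such a token runs (RFC 4226 HOTP and RFC 6238 TOTP) together with the server-side check, as an added example written for this article rather than Protectimus's own firmware or server code. The reference secret and timestamps are the RFCs' published test vectors and are constructed test data, not a real credential; the server's drift `window`, the online-guessing model, and the base32 provisioning helper are the example's own assumptions, and PIN handling is not shown because the PIN is checked on the token itself.

```python
# RFC 4226 / RFC 6238 one-time passwords as an OATH hardware token computes
# them and as the server verifies them. Added illustration for this article,
# not Protectimus firmware or server code. The only inputs are a shared
# secret and a clock, which is why a token needs no network connection.
import base64
import hashlib
import hmac
import struct


def secret_from_base32(seed: str) -> bytes:
    """Decode the base32 seed a token and server are provisioned with (padding-tolerant)."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `period`-second steps since the Unix epoch.
    `period` is the OTP lifetime and `digits` the OTP length, the two settings the
    article says configurable tokens let you change."""
    return hotp(secret, unix_time // period, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, period: int = 30,
                digits: int = 6, window: int = 1, algo=hashlib.sha1) -> bool:
    """Server side (assumed policy). Accepts the code for the current step and `window`
    steps on either side to tolerate token clock drift; constant-time compare avoids
    leaking how many leading digits matched."""
    if len(code) != digits or not code.isdigit():
        return False
    step = unix_time // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta, digits, algo), code):
            return True
    return False


def online_guess_chance(digits: int, period: int, window: int = 1,
                        attempts_per_second: float = 10.0) -> float:
    """Assumed model: probability that a blind guesser submitting codes at
    `attempts_per_second` with no lockout hits one of the 2*window+1 codes the
    server accepts before the current step expires. Shows why length and lifetime matter."""
    accepted = 2 * window + 1
    attempts = attempts_per_second * period
    return min(1.0, attempts * accepted / 10 ** digits)


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890") as a token would be
    # provisioned with it in base32. Constructed test data, not a real credential.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    shown = totp(secret, 59, digits=8)            # what the token displays at T=59
    print("token shows:", shown)                  # 94287082 per RFC 6238 Appendix B
    print("verify at T=75:", verify_totp(secret, shown, 75, digits=8))   # True, one step of drift
    print("verify at T=95:", verify_totp(secret, shown, 95, digits=8))   # False, code expired
    for d, p in ((6, 60), (6, 30), (8, 30)):
        print(f"{d} digits / {p}s lifetime -> guess chance per step {online_guess_chance(d, p):.1e}")
```

The token and the server must agree on `digits`, `period` and the hash, which is why those settings are part of the token's provisioning rather than something the user picks at login. Note also that the guessing model assumes no lockout: a server that rate-limits or locks the account after a few wrong codes does more to stop online guessing than adding digits does.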
These days most sites and services, LinkedIn included, support two-factor authentication, but hardly anyone is forced to use it. So it is up to you whether your online life is safe and secure or not.