Slashdot Mirror


LinkedIn User? Your Data May Be Up For Sale (zdnet.com)

An anonymous reader cites a ZDNet report: Reports indicate that a LinkedIn data breach may have led to the sale of sensitive data belonging to 117 million users. The company's website experienced a data breach in 2012, but the true consequences of the breach are only now becoming apparent. Users of LinkedIn's website in 2012 discovered that roughly 6.5 million user account passwords were posted online, and the company never completely confirmed just who was impacted by the security incident. However, a hacker called "Peace" told the publication that this information is being sold on the dark web for roughly $2,200, and paid hacker data search engine LeakedSource also claims to have the data. Both sources say there are approximately 167 million accounts in the data dump, 117 million of which have both emails and encrypted passwords.

LinkedIn has acknowledged the breach. In a blog post, the company writes: Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.

72 comments

  1. Not a big deal... by __aaclcg7560 · · Score: 5, Funny

    Hackers already got my background investigative interview file from the government. LinkedIn data will confirm my employment dates.

  2. 2012! by Anonymous Coward · · Score: 0

    Anally change your password annually and there's not a problem.

  3. What sensitive data? by thegarbz · · Score: 4, Insightful

    How does LinkedIn have any sensitive data? All the data I put up there I did so specifically to share with as many people as possible with the hope of getting job offers.

    Please sell away. Hell give it away.

    1. Re:What sensitive data? by Anonymous Coward · · Score: 0

      This.
      Isn't the whole point of linked in to get people to contact you with job offers?

    2. Re:What sensitive data? by Anonymous Coward · · Score: 1

      This. Isn't the whole point of linked in to get people to contact you with job offers?

      Yes, it is, which makes it a bad idea for someone to pester your network and others with spam using your login.

    3. Re:What sensitive data? by Anonymous Coward · · Score: 4, Insightful

      They have your username+password (hashed with the weak SHA1, and probably unsalted). They probably know your current employer too.

      If you used that password (or a variation of it) somewhere else - say, in a critical system owned by your employer - it's time to change it. Like, now.

    4. Re:What sensitive data? by fl_litig8r · · Score: 1

      Isn't that also the point of LinkedIn? I don't know how many requests I've received to join because someone with whom I have some tangential association signed up. One person joins and they spam everyone that person might know.

    5. Re:What sensitive data? by Anonymous Coward · · Score: 0

      If you are using the same password on linkedin that you are at work, you might want to be cleaning up that linkedin profile instead.

    6. Re:What sensitive data? by 93+Escort+Wagon · · Score: 2

      If someone claims to be an IT person but uses the same password on LinkedIn that he uses at work... I hope people aren't trusting him to do anything sensitive or important.

      --
      #DeleteChrome
    7. Re:What sensitive data? by Anonymous Coward · · Score: 1

      These come to mind:

      1- People often use the same credentials for different accounts.
      2- A lot of information, albeit no SSN, towards identity theft.
      3- Private messaging may contain sensitive private information.

      Personally, I'm on the side that Facebook, Google+, Linkedin, etc should just be used as public facade...

    8. Re:What sensitive data? by david_thornley · · Score: 1

      AIUI, SHA1 is weak in that it's possible to find collisions, not in that it's easy to find the original password.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    9. Re:What sensitive data? by david_thornley · · Score: 1

      Lots of people who want to establish connections with me on LinkedIn aren't IT people.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    10. Re:What sensitive data? by david_thornley · · Score: 1

      Personally, I'm on the side that Facebook, Google+, Linkedin, etc should just be used as public facade...

      I entirely agree. I assume that any information I put on any of those is publicly available. It may not be, but I'm not going to count on it.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    11. Re:What sensitive data? by thegarbz · · Score: 1

      If you used that password (or a variation of it) somewhere else - say, in a critical system owned by your employer - it's time to change it. Like, now.

      Actually please don't. People like this should learn their lesson even if it costs them their jobs.

    12. Re:What sensitive data? by Gr8Apes · · Score: 1

      This 100%. I have 200 accounts, and 201 passwords....

      --
      The cesspool just got a check and balance.
    13. Re:What sensitive data? by imidan · · Score: 1

      True, but if your password is ten or fewer characters in length, then it can likely be found in an SHA1 rainbow table, which are readily available. FTFA, it sounds like LinkedIn doesn't salt their password hashes, so it turns out to be trivially easy to crack most shorter passwords just given the hashed value.

    14. Re:What sensitive data? by Anonymous Coward · · Score: 0

      If I could pay people a penny to read my resume in full I would. It may take a couple hundred dollars before I found a job offer worth the expense but eventually I would get a salary-offer worth the money.

      It's like stealing a truck of "Penny-saver" advertisements and selling them... Who pays for such a thing?

    15. Re:What sensitive data? by Z00L00K · · Score: 2

      I use LinkedIn as an address book more than anything else.

      So it may be annoying if all the mail addresses of my contacts went widespread.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    16. Re:What sensitive data? by Anonymous Coward · · Score: 0

      This. I wonder if we can get them to print it on cotton paper stock too?

    17. Re:What sensitive data? by Locke2005 · · Score: 1

      "I got 99 problems but 'ayeBitch' ain't one!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    18. Re:What sensitive data? by Killall+-9+Bash · · Score: 1

      ....And you either have an eidetic memory, or are violating security principles in some other way. Would a malicious co-worker find 201 passwords on a postit under your keyboard (or worse, on your monitor?!)? Or maybe that's how many passwords your totally secure and non-compromised password management software is holding.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    19. Re:What sensitive data? by Gr8Apes · · Score: 1

      Apple Keychain, works well enough. No, I use no iCloud services. Yes, I tend to trust Apple in this regard, as so far there's been no indications that they actually want to see any of my data (unlike various other services, MS on multiple fronts, Google, Yahoo, etc)

      --
      The cesspool just got a check and balance.
    20. Re:What sensitive data? by david_thornley · · Score: 1

      Wouldn't it be possible to make rainbow tables for other hashes also? I see the problem, but I don't see how it matters whether it's a weak or strong hash.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    21. Re: What sensitive data? by Anonymous Coward · · Score: 0

      Linked in sells your data. Premium accounts can lurk and view anyone.

    22. Re:What sensitive data? by imidan · · Score: 1

      Certainly it's possible, and they're readily available. It seems to me that it's less important in this case that they used SHA1 and more important that they didn't salt. If they had salted their passwords, even if the attackers managed to learn the salt value they would still have to generate a whole custom rainbow table just for that password table. And that takes a lot of computational effort, especially for longer passwords containing a variety of non-alpha characters.

      I suppose that there are other problems with using a weaker hash, but any hash is susceptible to rainbow tables without salting or double hashing or something of the sort.
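The salting point discussed in this part of the thread, as an added example that is not part of any comment: one precomputed table recovers every weak password from an unsalted SHA-1 dump, while a per-user salt with a slow KDF gives two users with the same password unrelated stored values. The accounts, passwords and function names are constructed for illustration, and PBKDF2 is one possible hardened scheme, not something the thread or LinkedIn specifies.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which share a password.
USERS = {"alice": "linkedin1", "bob": "linkedin1", "carol": "S7!vq-long-unique-passphrase"}
# Constructed stand-in for a precomputed lookup or rainbow table.
COMMON_PASSWORDS = ["123456", "password", "linkedin1", "qwerty"]


def unsalted_sha1(password):
    """The storage scheme the thread describes: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def precompute(candidates):
    """Hash each candidate once; the table is reusable against any unsalted dump."""
    return {unsalted_sha1(p): p for p in candidates}


def lookup_unsalted(dump, table):
    """Every account whose stored hash appears in the table is recovered by lookup."""
    return {user: table[h] for user, h in dump.items() if h in table}


def store_salted(password, salt=None, iterations=200_000):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def audit():
    """Compare what each storage scheme reveals for the same constructed accounts."""
    table = precompute(COMMON_PASSWORDS)
    unsalted_dump = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted_dump = {u: store_salted(p) for u, p in USERS.items()}
    return {
        "recovered_from_unsalted": lookup_unsalted(unsalted_dump, table),
        "shared_hash_unsalted": unsalted_dump["alice"] == unsalted_dump["bob"],
        "shared_hash_salted": salted_dump["alice"][2] == salted_dump["bob"][2],
        "login_still_works": verify_salted("linkedin1", salted_dump["alice"]),
        "wrong_password_rejected": not verify_salted("linkedin2", salted_dump["alice"]),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, "=", value)
```

Salting does not rescue a weak password from a targeted guess; it removes the reuse of one table across all accounts, and the iteration count raises the cost of each guess.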

    23. Re:What sensitive data? by BradMajors · · Score: 1

      Not everyone wants to make all their personal data on LinkedIn publicly available to everyone. Doing so makes you look desperate.

    24. Re:What sensitive data? by thegarbz · · Score: 1

      Again, what personal data do you have on LinkedIn which isn't up there with the express purpose of advertising to the world who you are? This isn't Facebook or Tinder.

  4. No shit sherlock by BitZtream · · Score: 5, Insightful

    If you're a linked in user, YOUR DATA IS UP FOR SALE

    It's in the terms and conditions. They've been doing it since day one, it's their business model, it's well known.

    Now you're concerned that someone else stole it and is selling it?

    You put the data on a public website with the intention of showing it to others. There is no reason for you to be doing anything on linked in that you do not intend to be public.

    How can they 'steal' data that you are intentionally begging people to take? That's the point of linked in to its users, YOU WANT PEOPLE TO 'STEAL YOUR DATA' on linked in.

    Do you guys get shocked when you write your name and phone number on the bathroom wall and then random people call you? That's how stupid this story is.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:No shit sherlock by Anonymous Coward · · Score: 0

      Want free bitcoin? http://freebitco.in/?r=576017&...

      Dispose of your own trash.

    2. Re:No shit sherlock by cdrudge · · Score: 2

      If you're a linked in user, YOUR DATA IS UP FOR SALE

      There's no need for the if statement. It's an unnecessary comparison since YOUR DATA IS UP FOR SALE on the internet.

    3. Re:No shit sherlock by postmortem · · Score: 1

      There's a private portion of this "public" service, which is conversations between users. And that piece is "released" too.

    4. Re:No shit sherlock by Anonymous Coward · · Score: 0

      If you're not a LinkedIn user, your data's probably still up for sale, because LinkedIn's whole M.O. is to trick people into letting LinkedIn scan their email account for OTHER people's details and storing whatever it likes without seeking consent.

    5. Re: No shit sherlock by Anonymous Coward · · Score: 0

      Yep... My biggest regret was giving LinkedIn my real email address.

    6. Re:No shit sherlock by Anonymous Coward · · Score: 0

      Oh look! It's the autism-hating Slashdot troll!

    7. Re:No shit sherlock by FirstOne · · Score: 1

      Yes sir, a unique email alias I created for LinkedIn exclusively started receiving spam in July 2014.

      I reported this breach to LinkedIn, they never responded. I guess it took them a couple of years to get a clue. I immediately changed email alias address, so far no more spam, thus it appears to be a one-time (so far) event.

      Fortunately I use LinkedIn sparingly, just some friends and family, thusly had very little information stolen. I always assume that these high profile services, like LinkedIn, are going to be hacked at one point or another, thus I limit posting personal information accordingly.


  5. Not a question of IF by argStyopa · · Score: 4, Insightful

    It's Linkedin.

    The question isn't IF your data is for sale, it's whether Linkedin is selling it directly or whether a hacker's taken it and is selling it for cheaper.

    So really, Linkedin's bitch is actually that they're probably being undercut in the marketplace.

    --
    -Styopa
    1. Re:Not a question of IF by i.r.id10t · · Score: 1

      Indeed. What's that adage about "if it doesn't cost you anything then you are the product being sold" ?

      --
      Don't blame me, I voted for Kodos
    2. Re:Not a question of IF by Anonymous Coward · · Score: 0

      "if it doesn't cost you anything then you are the product being sold" ?

      Well, you see, it didn't cost the Bozo, who had my email address sucked, anything. I'm on "Finkedin" not through any action of my own. The page created just for me is _wrong_ on every point, other than the spelling of my name. But to correct it would mean acknowledging the actions of inferior people, whom I chose not to associate with.
      It's somewhat amazing just how many Bozos there are. Most of them are in IT, the last refuge of dullards, but that doesn't explain everything.

  6. Encrypted? by Anonymous Coward · · Score: 0

    which have both emails and encrypted passwords

    that claims to be email and hashed password combinations

    Well, which is it? Huge difference.

    1. Re:Encrypted? by Anonymous Coward · · Score: 1

      which have both emails and encrypted passwords

      that claims to be email and hashed password combinations

      Well, which is it? Huge difference.

      Not necessarily that much of a difference. Simple hash approaches are today fairly easily crack-able within reasonable time frames and success rate. You need an admin that is really on top of *recent* understanding of how to implement modern hash and salt algorithms and approaches if you should have the huge difference you claim and that is a rare beast indeed.

  7. Aren't these the guys who... by Solandri · · Score: 4, Insightful

    Isn't Linkedin the site where if my friend joins and leaves a box checked because he didn't read carefully, they download his entire contact list and spam all of his contacts, and I repeatedly get emails saying that he's joined and I should join too?

    Handing your info to a company whose ethical standards allow them to pull shenanigans like this is pretty much the same thing as hackers getting your info.

    1. Re:Aren't these the guys who... by Anonymous Coward · · Score: 0

      Isn't Linkedin the site where if my friend joins and leaves a box checked because he didn't read carefully, they download his entire contact list and spam all of his contacts, and I repeatedly get emails saying that he's joined and I should join too?

      Handing your info to a company whose ethical standards allow them to pull shenanigans like this is pretty much the same thing as hackers getting your info.

      At least LinkedIn isn't an ad agency.

      Then they'd be savvy enough to fool a lot of people into believing something like they'd never be evil...

    2. Re:Aren't these the guys who... by OzPeter · · Score: 1

      Isn't Linkedin the site where if my friend joins and leaves a box checked because he didn't read carefully, they download his entire contact list and spam all of his contacts, and I repeatedly get emails saying that he's joined and I should join too?

      I thought that was FB

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:Aren't these the guys who... by WallyL · · Score: 1

      No, LinkedIn is the site where [somebody who thinks he recognizes your name] joins and leaves a box checked...

      FTFY

    4. Re:Aren't these the guys who... by Anonymous Coward · · Score: 0

      Yes, I've seen many IT support ticket systems get randomly spammed by some moron (can't blame them though) who spammed his entire contact list. Think of 10-15 people who are forwarded at help@somecompany.com and tickets are created for this crap.

      Whoever is running social engineering over there is doing a damn good job.

  8. a named hacker? impossibru! by Anonymous Coward · · Score: 0

    It's like naming your favourite bogeyman. Way to miss the point, lusers.

  9. LinkedIN by American+AC+in+Paris · · Score: 1

    "may"?

    --

    Obliteracy: Words with explosions

  10. "May be for sale"!?!?!?! by Anonymous Coward · · Score: 0

    What the hell do you think LinkedIn's business model is?

    Your data is for sale. You need to hope they don't make up extra things about you to sell.

  11. Sad but true by s.petry · · Score: 1

    This did serve as a reminder that I should change my LinkedIn Password though :)

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Sad but true by dbIII · · Score: 1

      Also don't forget to distinguish between the title that girl in HR gave you and your actual qualifications. A leading hand among a group of programmers that you have no authority over is not an "engineer" outside of your little bubble.

    2. Re:Sad but true by __aaclcg7560 · · Score: 1

      Based on the various titles in the HR system at my job: I'm a computer engineer doing senior system admin tasks at a desktop tech pay rate.

    3. Re:Sad but true by dbIII · · Score: 1

      Yes but you do not turkey slap readers with your HR granted job title every post or say "I know about steel in fires I'm an engineer" in 9/11 conspiracy threads - which would be fair enough if he actually was an engineer and in the correct field since I've helped with a fire investigation myself.

    4. Re:Sad but true by Coren22 · · Score: 1

      which would be fair enough if he actually was an engineer

      What exactly makes a Systems Engineer (of which I am one) not a true engineer? What do you think Systems Engineers do?

      The term Engineer is used in many different fields, would you say that the guy who runs a train isn't a railroad engineer because he hasn't achieved the professional engineer certification?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    5. Re:Sad but true by s.petry · · Score: 1

      Train engineers and Systems engineers have certifications (certain positions and places require them, like Government). Alas that does not matter to a person who has trolled my posts for years because I dared to question several aspects of the Government report on 9/11. According to the troll, questioning the narrative is "dishonoring the dead" and only done by a traitor. Questioning is worthy of a punishment by years of trolling. It's like that kid with autism that can do one thing over and over and sometimes it's really cool, but in this case it's the same pathetic trolling over and over.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    6. Re:Sad but true by dbIII · · Score: 1

      He isn't one - leading hand of a group of programmers. HR gave him a fancy title.

  12. Resume Required by s.petry · · Score: 2

    There is a whole lot of data in a Resume, which people post to LinkedIn as it is required for job hunting. Sure, you can restrict access to viewers of your resume but they have _YOUR_ credentials so _YOUR_ resume can be easily accessed.

    These hackers with your resume would have access to street addresses, phone numbers, email addresses, Twitter handles, and other aliases and information people normally include in resumes. It may not be your SSN and bank account information, but sure can be used for Social Engineering and more nefarious purposes.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Resume Required by Anonymous Coward · · Score: 0

      I don't have my resume on there.

  13. Your data is ALWAYS up for sale by Anonymous Coward · · Score: 0

    Anytime you give any info to any organization, it is up for sale. Even the effin' Post Office.

  14. Selling your data by Anonymous Coward · · Score: 0

    That's LinkedIn's business model.

    Why would you care if someone else does it too?

  15. Already Got Phishing Request via Bogus Linked_In by Anonymous Coward · · Score: 0

    I've already received a bogus Link request that was a phishing attack!

  16. Re:What sensitive data? LOTS! Meat! by Anonymous Coward · · Score: 0

    How does LinkedIn have any sensitive data?

    Dates of employment and where. Helps answering questions at the credit bureaus and banks when opening credit and getting money.

    Coupled with an Internet search I can get enough information to steal your identity.

    If you have a Facebook page and friend your mother and she friends with other relatives, I can get your mother's maiden name.

    In other words, you're dogmeat to a half-assed identity thief.

    That's what folks don't get - it's NOTHING to connect the dots in this day and age and create a profile of just about anyone.

  17. Hello? McFly? by Anonymous Coward · · Score: 0

    "LinkedIn User? Your Data May Be Up For Sale "

    LinkedIn has obviously been selling user data for almost 4 years.

    The only contacts you get today are from salesmen. Do you think they just "happened" on your profile online?

    Did you know the word "gullible" is not in the dictionary?

  18. It is for sale by Anonymous Coward · · Score: 0

    If you're using Linkedin your data is already for sale, that's the entire point of Linked in.

  19. More data than you might think by Anonymous Coward · · Score: 0

    I found it a tad suspicious when LinkedIn was offering up contact suggestions from people I've only had contact with through paypal.

  20. That's OK by Greyfox · · Score: 1

    The hackers will probably sell it less and take better care of it than Linkedin did.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  21. Well by Anonymous Coward · · Score: 0

    Knowledge is power and there are lots of folks and orgs around who yearn for power.

    In other words: don't put too much info into these crapcloud services. Use pseudonyms if possible. Use wrong birthdays.

    Send encrypted files to potential employers; send the key through another channel.

  22. So by Anonymous Coward · · Score: 0

    Set up false social media name, false email address, false birthday and so on. No need to aid the controlfreaks...

  23. You give all your info away to be sold and then... by Anonymous Coward · · Score: 0

    you get SHOCKED when somebody steals it from the guy that was going to sell it and then sells it?????

    And THIS is what gets people upset?

    (sigh/facepalm) There's just no fixing stupid.

  24. Your post was about job titles by dbIII · · Score: 1

    A lot more than that. You dared to use your HR granted title to try to pretend you knew about what happened with structural steel in fires - "I'm an engineer" you wrote when questioned about how you "knew" that steel doesn't soften with heat like every kid that's seen a horseshoe made would know. Such actions damage the reputation of those who have the title of engineer granted to them by a professional body.

    dishonoring the dead

    Indeed - using them as an excuse to rant against the government and pretend the government murdered them all as some sort of elaborate plot is doing exactly that.

    Questioning is worthy of a punishment by years of trolling

    I only point out how deranged you are to others each time you write something worthy of it. You post a LOT but get the consequences of your former actions infrequently.


    Your post was about job titles so it's perfectly ontopic to discuss the title you turkey slap into the face of every reader despite it being worthless and misleading outside of the office you work in.

  25. In those credentials, am i currently employed? by Anonymous Coward · · Score: 0

    Inquiring minds want to know; in fact might prefer this alternate me.

  26. Who still works at the same place now as 2012? by Anonymous Coward · · Score: 0

    Who still works at the same place now as 2012?

    Clearly someone stuck in desktop support. The smarter people passed the IQ test and have switched jobs, maybe twice, since 2012 getting a 15-30% raise each time.

    I suppose if you have a handicap or won't relocate, you might be stuck. That's a life choice. I do know a blind admin who doesn't plan to ever leave his job at a university. That makes sense.