2012 LinkedIn hack

The 2012 LinkedIn hack refers to the computer hacking of LinkedIn on June 5, 2012. Passwords for nearly 6.5 million user accounts were stolen. Yevgeniy Nikulin was convicted of the crime and sentenced to 88 months in prison.

Owners of the hacked accounts were unable to access their accounts. LinkedIn said, in an official statement, that they would email members with instructions on how they could reset their passwords. In May 2016, LinkedIn discovered an additional 100 million email addresses and passwords that had been compromised from the same 2012 breach.

History

=The hack=

The social networking website LinkedIn was hacked on June 5, 2012, and passwords for nearly 6.5 million user accounts were stolen by Russian cybercriminals.{{cite web |url=http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/ |title=An update on the hack |publisher=Linkedin |access-date=June 8, 2012}}{{cite web |title=Hackers steal 6.5 million passwords from LinkedIn |url=http://www.heraldsun.com.au/news/more-news/hackers-steal-65-million-linkedin-passwords/story-fn7x8me2-1226388063745 |access-date=June 8, 2012 |publisher=Herald Sun}} Owners of the hacked accounts were no longer able to access their accounts, and the website repeatedly encouraged its users to change their passwords after the incident.{{cite web |url=http://mashable.com/2012/06/06/linkedin-passwords-hacked-confirmation/ |title=LinkedIn Confirms, Apologizes for Stolen Password Breach |date=June 6, 2012 |publisher=Mashable.com |access-date=June 8, 2012}} Vicente Silveira, the director of LinkedIn,{{cite news |url=http://economictimes.indiatimes.com/tech/internet/linkedin-working-with-fbi-on-password-leak-of-its-members/articleshow/13999053.cms |title=LinkedIn busy to investigate |publisher=The Economic Times |access-date=July 20, 2012 |date=June 10, 2012}} confirmed on behalf of the company, in its official blog, that the website had been hacked. He also said that the holders of the compromised accounts would find their passwords were no longer valid on the website.{{cite web |url=http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html |title=Update:Linked in confirms it is hacked |date=June 6, 2012 |publisher=Pc world.com |access-date=June 8, 2012 |archive-date=September 14, 2012 |archive-url=https://web.archive.org/web/20120914074910/http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html |url-status=dead }}

In May 2016, LinkedIn discovered an additional 100 million email addresses and hashed passwords that were claimed to be additional data from the same 2012 breach. In response, LinkedIn invalidated the passwords of all users who had not changed their passwords since 2012.{{Cite web |url=https://blog.linkedin.com/2016/05/18/protecting-our-members |title=Protecting Our Members |publisher=LinkedIn |access-date=May 25, 2016}}

=Leak=

A collection containing data about more than 700 million users, believed to have been scraped from LinkedIn, was leaked online in September 2021 in the form of a torrent file, after hackers had tried to sell it in June 2021.{{Cite web |url=https://therecord.media/hackers-leak-linkedin-700-million-data-scrape/ |title=Hackers leak LinkedIn 700 million data scrape |date=September 22, 2021 |publisher=TheRecord.media |access-date=September 25, 2021}}

=Reaction=

Internet security experts said that the passwords were easy to unscramble because LinkedIn did not use a salt when hashing them. Hashing without a salt is considered an insecure practice because it allows attackers to quickly reverse the scrambling process using existing standard rainbow tables, which are pre-made lists of matching scrambled and unscrambled passwords.{{cite news |url=http://in.reuters.com/article/2012/06/06/linkedin-breach-idINDEE8550EN20120606 |archive-url=https://web.archive.org/web/20141106113330/http://in.reuters.com/article/2012/06/06/linkedin-breach-idINDEE8550EN20120606 |url-status=dead |archive-date=November 6, 2014 |title=LinkedIn suffers data breach-security experts |publisher=Reuters |access-date=June 8, 2012 |date=June 6, 2012}} Another issue that sparked controversy was the iOS app provided by LinkedIn, which grabs personal names, emails, and notes from a mobile calendar without the user's approval.{{cite news |url=https://www.forbes.com/sites/adriankingsleyhughes/2012/06/06/linkedin-ios-app-grabs-names-emails-and-notes-from-your-calendar/ |title=LinkedIn ios app grabs names, emails, notes- from your calendar. |work=Forbes.com |access-date=June 8, 2012 |first=Adrian |last=Kingsley-Hughes}} Security experts working for Skycure Security said that the application collects a user's personal data and sends it to the LinkedIn server. LinkedIn claimed the permission for this feature is user-granted, and the information is sent securely using the Secure Sockets Layer (SSL) protocol. The company added that it had never stored or shared that information with a third party.{{cite web |url=http://mashable.com/2012/06/06/linkedin-ios-app-privacy-issues-and-two-other-stories-you-need-to-know/ |title=LinkedIn iOS app privacy issues concern people |date=June 6, 2012 |publisher=Mashable.com |access-date=June 8, 2012}}{{Cite arXiv|eprint=1703.06586|last1=Gune|first1=Aditya|title=The Cryptographic Implications of the LinkedIn Data Breach|year=2017|class=cs.CR}}
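The effect of the missing salt described above, as an added example that is not part of the original article and is not LinkedIn's code: equal passwords give equal unsalted digests, so one precomputed table covers every account, while a per-user salt with a slow key-derivation function makes that table useless. SHA-1 stands in for the unsalted fast hash (the article does not name the algorithm), a plain dictionary stands in for a rainbow table, and the account names, passwords, and work factor are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data, not taken from the breach.
COMMON_PASSWORDS = ["123456", "linkedin", "password1", "letmein"]
PBKDF2_ROUNDS = 600_000  # assumed work factor for this illustration


def unsalted_hash(password):
    """Weak storage: bare fast digest, no salt (SHA-1 as a stand-in)."""
    return hashlib.sha1(password.encode()).hexdigest()


def derive(password, salt):
    """Slow, salted derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def salted_record(password):
    """Hardened storage: fresh random salt per user, kept beside the hash."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def verify_salted(password, salt, stored):
    """Recompute with the stored salt; compare in constant time."""
    return hmac.compare_digest(derive(password, salt), stored)


def build_lookup_table(candidates):
    """Computed once, this table applies to every unsalted digest."""
    return {unsalted_hash(p): p for p in candidates}


def exposed_accounts(stored_digests, table):
    """Audit helper: accounts whose stored digest appears in the table."""
    return {u: table[d] for u, d in stored_digests.items() if d in table}


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    users = {"alice": "linkedin", "bob": "linkedin", "carol": "x9!Tq-long-unique"}
    weak_db = {u: unsalted_hash(p) for u, p in users.items()}
    print("unsalted digests found in table:", exposed_accounts(weak_db, table))
    strong_db = {u: salted_record(p) for u, p in users.items()}
    # Same password, different salts: the stored values no longer match.
    print("alice == bob when salted:", strong_db["alice"][1] == strong_db["bob"][1])
    print("alice verifies:", verify_salted("linkedin", *strong_db["alice"]))
```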

Rep. Mary Bono Mack of the United States Congress commented on the incident, "How many times is this going to happen before Congress finally wakes up and takes action? This latest incident once again brings into sharp focus the need to pass data protection legislation." Senator Patrick Leahy said, "Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking ... Congress should make comprehensive data privacy and cybercrime legislation a top priority."{{cite web |url=http://www.techdirt.com/articles/20120606/17382119230/linkedin-passwords-leaked-congress-immediately-wants-to-do-something.shtml |title=LinkedIn Passwords Leaked... Congress Immediately Wants To 'Do Something!' |date=June 7, 2012 |publisher=Techdirt.com |access-date=June 8, 2012}}{{cite web |url=https://thehill.com/policy/technology/116310-lawmakers-concerned-by-report-that-linkedin-passwords-were-stolen/ |title=Lawmakers concerned by report that LinkedIn passwords were stolen |publisher=Hillicon Valley |access-date=25 July 2012 |date=6 June 2012 |first=Brendan |last=Sasso}}

Marcus Carey, a security researcher for Rapid7, said that the hackers had penetrated the databases of LinkedIn in the preceding days.{{cite news |url=http://www.mercurynews.com/business/ci_20795060/hacker-claims-have-stolen-millions-linkedin-passwords |title=Hacker claims to have stolen millions of passwords |newspaper=The Mercury News |access-date=June 7, 2012}} He expressed concerns that they may have had access to the website even after the attack.

Michael Aronowitz, Vice President of Saveology, said, "Every day hundreds of sites are hacked and personal information is obtained. Stealing login information from one account can easily be used to access other accounts, which can hold personal and financial information." Security experts indicated that the stolen passwords were encrypted in a way that was fairly easy to decrypt, which was one of the reasons for the data breach.{{cite press release |location=Margate, FL |url=http://www.prweb.com/releases/prweb2012/6/prweb9582548.htm |archive-url=https://web.archive.org/web/20151116173337/http://www.prweb.com/releases/prweb2012/6/prweb9582548.htm |url-status=dead |archive-date=November 16, 2015 |title=Over 6 million encrypted LinkedIn passwords leaked online |publisher=PRWeb |access-date=April 18, 2013}}

Katie Szpyrka, a longtime user of LinkedIn from Illinois, United States, filed a $5 million lawsuit against LinkedIn, complaining that the company did not keep its promises to secure connections and databases. Erin O’Harra, a spokeswoman working for LinkedIn, when asked about the lawsuit, said that lawyers were looking to take advantage of that situation to again propose the bills SOPA and PIPA in the United States Congress.{{cite web |url=http://www.thenewstribe.com/2012/06/21/linkedin-sued-for-5-million-over-hacked-passwords/ |title=LinkedIn sued for $5 million over hacked passwords |date=June 21, 2012 |publisher=The News Tribe.com |access-date=June 23, 2012}}

An amended complaint was filed on November 26, 2012, on behalf of Szpyrka and another premium LinkedIn user from Virginia, United States, named Khalilah Gilmore–Wright, as class representatives for all LinkedIn users who were affected by the breach.{{cite web |url=http://www.pcworld.com/article/2030129/linkedin-wins-dismissal-of-lawsuit-seeking-damages-for-massive-password-breach.html/ |title=LinkedIn wins dismissal of lawsuit seeking damages for massive password breach |first=Lucian |last=Constantin |agency=IDG News Service |publisher=PC World |access-date=April 3, 2012 |date=March 6, 2013}} The lawsuit sought injunctive and other equitable relief, as well as restitution and damages for the plaintiffs and members of the class.

=Response from LinkedIn=

LinkedIn apologized immediately after the data breach and asked its users to change their passwords immediately. The Federal Bureau of Investigation assisted the LinkedIn Corporation in investigating the theft. As of June 8, 2012, the investigation was still in its early stages, and the company said it was unable to determine whether the hackers had also been able to steal the email addresses associated with the compromised user accounts.{{cite web |url=http://gadgets.ndtv.com/social-networking/news/fbi-to-help-linkedin-on-password-theft-228800 |title=FBI to help LinkedIn |date=June 8, 2012 |publisher=Gadgets.NDTV.com |access-date=June 8, 2012}} LinkedIn said that users whose passwords were compromised would be unable to access their LinkedIn accounts using their old passwords.{{cite web |url=http://www.fox10tv.com/dpp/only_on_fox10/daily_dot_com/linkedin-gets-hacked |title=LinkedIn gets hacked |publisher=Fox10TV.com |access-date=June 8, 2012}}

Arrest and conviction of suspect

On October 5, 2016, Russian hacker Yevgeniy Nikulin was detained by Czech police in Prague. The United States had requested an Interpol warrant for him.{{cite news |last1=Treshchanin |first1=Dmitry |last2=Shchetko |first2=Nick |title=Exclusive: Digital Trail Betrays Identity Of Russian 'Hacker' Detained In Prague |url=http://www.rferl.org/a/russia-hacker-prague-identity-nikulin/28065492.html |work=RadioFreeEurope/RadioLiberty |date=October 20, 2016}}

A United States grand jury indicted Nikulin and three unnamed co-conspirators on charges of aggravated identity theft and computer intrusion. Prosecutors alleged that Nikulin stole a LinkedIn employee's username and password, using them to gain access to the corporation's network. Nikulin was also accused of hacking into Dropbox and Formspring, allegedly conspiring to sell stolen Formspring customer data, including usernames, e-mail addresses, and passwords.{{cite news |title=U.S. Charges Russian Hacker With Stealing LinkedIn Data |url=http://www.rferl.org/a/us-charges-russian-hacker-nikulin-stealing-date-linkedin-san-francisco-dropbox-formspring-/28068596.html |work=RadioFreeEurope/RadioLiberty |date=October 22, 2016}}

Nikulin was convicted and sentenced to 88 months of imprisonment.{{cite news | last=Stone | first=Jeff | title=LinkedIn hacker Nikulin sentenced to 7 years in prison after years of legal battles | date=September 29, 2020 | url=https://www.cyberscoop.com/nikulin-sentence-russian-cybercrime-linkedin-hacker/ | archive-url=https://archive.today/20200929233136/https://www.cyberscoop.com/nikulin-sentence-russian-cybercrime-linkedin-hacker/ | archive-date=September 29, 2020 | url-status=live | access-date=November 23, 2020 }}
