Back in 2012, LinkedIn told its users that it had been hacked, to the tune of 6.5 million users. Well, it turns out that was a tad bit shy of the truth: the real number was 117 million email and password combinations, roughly 18 times the number they had admitted to. LinkedIn told the 6.5 million users to change their passwords, but not the other 110+ million users. The Fortune article has links to other sources if you want more information, but my recommendation is that you change your LinkedIn password.
Tumblr says that it just discovered that hackers stole 65 million user email/password combinations in 2013. That is a long time to figure that out. I assume that is because hackers are now trying to sell those passwords. Since people reuse passwords on other sites and don’t change their passwords, it is likely that many of those passwords still work. The good news is that the passwords were hashed and salted, making it a LOT of work to crack them, but not impossible. This is a perfect example of companies being hacked and not even knowing about it. The only reason they found out is that someone is trying to sell the data.
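To show why "hashed and salted" matters for a leaked password database, here is an added example (not code from the original post, and not Tumblr's or anyone else's implementation). It stores a small constructed set of users two ways: with a bare SHA-1 hash, and with a per-user random salt run through PBKDF2. With the unsalted scheme, two users who reused the same password end up with identical stored values, so one cracked hash reveals every account sharing it; with salts, identical passwords produce unrelated stored values and each record has to be attacked separately, at the cost of the PBKDF2 iteration count. The user list, iteration count and storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two users who reused the same password, plus one unique password.
SAMPLE_USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "tr0ub4dor&3",
}

# Assumed work factor; production deployments should use a current recommended value.
ITERATIONS = 100_000


def store_unsalted(password: str) -> str:
    """Bare SHA-1 of the password: the same password always yields the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per record.

    The stored string carries everything needed to verify later:
    algorithm$iterations$salt_hex$digest_hex (an assumed, self-describing format).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_hash_groups(stored: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts whose stored value is byte-for-byte identical.

    With unsalted hashes this reveals password reuse across accounts with no cracking at all;
    with per-user salts no such grouping is possible.
    """
    groups: Dict[str, List[str]] = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return {value: users for value, users in groups.items() if len(users) > 1}


def compare_schemes() -> Tuple[int, int]:
    """Return (duplicate groups under unsalted SHA-1, duplicate groups under salted PBKDF2)."""
    unsalted = {user: store_unsalted(pw) for user, pw in SAMPLE_USERS.items()}
    salted = {user: store_salted(pw) for user, pw in SAMPLE_USERS.items()}
    return len(duplicate_hash_groups(unsalted)), len(duplicate_hash_groups(salted))


if __name__ == "__main__":
    unsalted_dupes, salted_dupes = compare_schemes()
    print(f"unsalted SHA-1: {unsalted_dupes} group(s) of accounts sharing a hash")
    print(f"salted PBKDF2:  {salted_dupes} group(s) of accounts sharing a hash")
    record = store_salted("tr0ub4dor&3")
    print("verify correct password:", verify_salted("tr0ub4dor&3", record))
    print("verify wrong password:  ", verify_salted("hunter2", record))
```

Salting removes the free win of spotting shared passwords and defeats precomputed hash tables; the iteration count is what makes each individual guess expensive, which is why the post's "a LOT of work, but not impossible" is the right way to think about it.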
On the lighter side, Katy Perry’s Twitter account was apparently hacked, or else she was having a REALLY bad day. Her 89 million followers were treated to a series of inappropriate tweets. This reminds me of the recent (a couple of years ago) hack of the DoD Twitter account. The lesson is that protecting your account (Twitter or any other) with just a password is likely not at all secure.
On the “Geez, that is a big hack” side, Myspace (remember them?) data is now coming up for sale. The dataset includes 360 million records, but only 111 million had usernames in them. However, many of them had email addresses (which could also be the username for another site if the user reused their password) and passwords. The total number of passwords in the dataset was 427 million. While I doubt anyone still uses Myspace, if that email/password combination is used elsewhere …
What is the takeaway from this?
- Even though it is tempting, do not reuse passwords on any account that you care about, even in the least (from Amazon to Twitter, banking to email).
- Use two-factor authentication on important accounts (such as banking or any account that stores your credit cards and allows the user to use them).
- Change your passwords periodically. Notice that most of the news above is about old hacks where the data is being resold now. If people changed passwords regularly (at least annually), then that data would be useless.
There is a web site called HaveIBeenPwned.com that lets you enter JUST an email address to see whether that address appears in its database of over half a billion breach records. It is safe because all you enter is your email address.
Information for the LinkedIn hack came from Fortune.
Information for the Tumblr hack came from Motherboard.
Information for the Katy Perry Twitter hack came from Techcrunch.
Information for the Myspace hack came from Fortune.