In May 164 Mio email addresses and passwords were stolen from LinkedIn. Most users should have received a notice to reset their password. LinkedIn says it noticed the breach on May 17th in it’s mail nearly 10 days later (pdf): LinkedIn Email Breach Notice 26. May 2016. Considering their huge user base it might have taken a couple of days to send email notification to all users.
‘;–Have i been pwned?
So I headed over to https://haveibeenpwned.com/ an awesome and much needed site maintained by InfoSec researcher @troyhunt. HaveIbeenPwned.com brings more transparency for users who can now see if a breach affected them. Quick check if my login credentials for LinkedIn were part of the trove:
LinkedIn’s bread and butter is advertising. It has mastered the art of selling ads so they are seen (and hence can be monetized). They are among the most successful Internet platforms when it comes to engaging users and driving traffic:
- by default they email you every time somebody gives you a fake endorsement, and are using endorsements to drive user traffic back to the platform. Introducing endorsements had little value other then triggering a well intended notification to the user getting endorsed. But from a professional perspective one could never rely on whether an endorsement reflects actual ability in that field by that user. Though back then it wasn’t possible to “like” comments in your feed so maybe this was partly the users fault for abusing the endorsement to convey a positive feeling towards anther user without writing a full message just to say “I liked your comment”. (in any case LinkedIn thinks that just because I decided to endorse a specific person for 5 skills when visiting their profile I immediately want to also endorse a gazillion sets of additional 4 users per set for 1 skill at the time)
- They rolled out a messaging system that is no longer compatible with your email (notifications of messages have now no-reply address) forcing you to log-in to LinkedIn every time I want to read the whole message.
So it would have been safer if LinkedIn had immediately prompted me to change my password in my session that day (I’m logged in every day).
As a publicly traded company they have responsibility to create value for shareholders and employees. I understand their pressure. What I don’t understand: Why does it take 9 days to tell me that my user-credentials are actually publicly available information (not just for 9 days but since an actually unknown amount of time? Because we don’t actually know yet about really happened. All we’re told is that we should trust the company despite lack of information of what happened to do the right thing. This in fact is the second time we are asked to extend that trust (another data breach was in 2012).
Is it too much to expect a warning telling me to change my password immediately then telling me again once they’re done doing whatever it is?
I was lucky enough to stumble over the information long before LinkedIn emailed me and changed the password immediately. Though since the information comes from underground sources is it trustable or is it a hoax (my first reaction was it contains the same data as the 2012 breach so it’s probably a fake)? So after changing my password just in case am I now secure? Or are the hackers still in the network controlling some of the systems? If they are still there will I have now updated my password before they copied the data or afterwards?
I can’t know because LinkedIn hasn’t told me anything yet and all I have are rumours. I have nothing in fact to improve my security. A sitting duck waiting from the official word from LinkedIn.
Possible choices to improve your safety:
I’ll give you your best and your second best options in terms of security:
The best thing is to change all user-information in the account including your real name, password, delete as much of your information as you can find (posts, messages etc) and then deactivate the account). Also write them a written registered letter informing them that you want them to remove all your data without a way of recovery and threaten then to take legal actions if they fail that. If you get ignored, lawyer up. Here are the steps:
- Log in and try to destroy as much personal information LinkedIn stores of you in their database as possible. Wherever possible don’t just remove previously provided information (email, password, employment history, who endorsed you for what, published posts, messages sent/received, contacts, …). Overwrite it instead with nonsense or fake data. So for example change your name title, company etc. Also change all your mandatory information LinkedIn expects of a working account so it is actually not representing you. It is important to overwrite information in their database. Don’t just delete info LinkedIn has of you because most Internet platforms don’t delete user data. Instead data or actually whole accounts are marked as disabled or deactivated etc. The recent Ashley Madison hack showed that not only cheating spouses get hurt but also innocent users who signed up years ago while they were single … Remember YOU are the product when the service is free! Oh wait LinkedIn takes that to a whole new level! See next point).
- Actually with LinkedIn even you pay for a Premium subscription, the default settings ensure that LinkedIn would still send you endorsements notifications by email asking you to log in every time somebody endorses you. The goal is to have you on their platform and consume their adds as much as possible. The purpose of most features like this (not just linkedIn) is to drive you back to their site to consume advertisements.
- Compared to Xing (and Viadeo) you can see that these 2 less successful platforms have as their only competitive advantage their geographic and specific language focus (Xing for Germans and Viadeo for Francophone users). But both Xing and Viadeo are only playing catch up when it comes to features. It seems their internal design departments nowadays do nothing other than copy LinkedIn’s model. Anyway the reason why these other systems are in the long run walking-dead and their only long-term bet is being gobbled up by someone like LinkedIn or a bigger firm because they totally missed the boat on innovation. Anyway back to security:
- So change your data to fake information as much as you can because simply deleting info, just marks the field in the database as “deleted” but doesn’t actually remove the data. So you might chose to deactivate the account but this will actually not delete anything from the system but only mark things as “deactivated” (but all your info is still in their system if you only deactivate the account).
- Change your email address LinkedIn currently has stored to a new address. Preferably use some throwaway account and not one of your primary addresses you still plan to use in future for business.
- In case LinkedIn asks you to confirm the address change with your new email details. Ensure it is an actually existing registered address (with some throwaway email provider). Then make sure LinkedIn only uses this one email address as your email address in future. If you have more than one address stored with LinkedIn, then change them all to fake addresses. Optional: after completion (after completing step #10) also delete the now fake email address so that any email notification sent by the LinkedIn system will bounce.
- Non-optional if you ever provided a phone number: You want to remove it by overwriting the info with a fake one. Do it properly though and don’t just make up some imaginary number. Instead increase the plausibility of your actual authenticity (in the eyes of the LinkedIn system) of your now fake account by also enabling 2-factor authentication: Buy a new throwaway pre-paid SIM. Enable 2 factor authentication with this new SIM. Once you finished with the below steps destroy the SIM (you might need it in #10). Now you have created proof that your new user is human and exists in the eyes of the LinkedIn system. Unfortunately anonymous purchase is becoming increasingly harder in some EU countries under the pre-text of anti-terror or other strongly worded reason to maximize negative emotions, to spread FUD among the general public. Telecom industry is pretty good at lobbying governments (and despite their constant complaints about diminishing returns they have huge pockets and a century of experience in lobbying.
- Provided that you properly compartmentalize your email user-identities (in my case linkedin@ for LinkedIn) for your different type of accounts, then the damage from a breach should be limited and shouldn’t hurt so much if you lose a specific alias due to a breach.
- Now go to settings and set your profile to “non-searchable” by external search engines.
- Any Internet platform tracks the time and IP address from your last login. Your IP address would reveal your physical geographic location. We want to overwrite these values by logging in one last time over a VPN or using Tor and deactivate your LinkedIn account in the settings.
- If you’re really paranoid and want to obfuscate the path between the email providers you could also set up the fake email addresses behind tor to mask your IP address so that nobody even in these email providers will find out from which IP address they were actually created from (e.g. this could be useful if you want to stage the impression that your account was hacked then defaced though it will also mean
- Once the deactivation is confirmed and you ensured that the deactivation is active then also physically destroy your pre-paid SIM and deactivate your email address (or of it was a throwaway go to the email provider and deactivate the account)
A company that has failed to notify me in due time (twice) has broken the trust and agreement we had. LinkedIn has done it now more than once. It’s up to the reader to decide if they want to continue trusting that word or not.
The popular opinion among (non-tech savvy) privacy advocates is a non-technical advise for non-technical masses: “Lawyer up and force the platform to delete all info they have on you!” This will now take another 3-18 months and does nothing more than put money into the pockets of Loophole Louie but still no guarantee. Remember in the end you’ll still need to trust them that they’ve finally deleted your account data (despite the fact that they have otherwise no problems withholding information even if it would be in the interest of your security). Legal actions alone are still better than nothing, though because they’re trust based I’d personally only take this route after having already rendered all my personal data useless.
The second best option is for all those who still find a use-case for LinkedIn (including myself) and aren’t yet ready to give up on it:
- Change your password.
- Change your primary email address to a new previously unused one. If you haven’t yet used a dedicated email address for LinkedIn then make one now. This is also useful when filtering your emails and get better control over some of the recruiter SPAM you will receive without doubt.
- Note the number of additional email addresses LinkedIn has of you and then remove them all. Afterwards recreate the same number additional email addresses you had before but using throwaway accounts. (Then delete these if you wish once you have saved them successfully to their system).
- Enable 2 factor authentication: Use an anonymous SIM where it doesn’t matter if you want to throw it away next time LinkedIn gets breached! See also #7 above.
- Don’t publish your email address you use to log into LinkedIn on your profile summary or other places. From a security perspective it is harder to break your account if both the login name (the email) and your password combination aren’t known to an attacker. If the login name is public knowledge all the attacker needs to guess is your password (again if the attacker doesn’t know where to send you a Phishing email to trick you into handing over the password then a secret email only known to you provides an additional protective layer).
- Assume the worst and ensure that any of your other accounts you might have used the same password/email credentials are also updated (in fact also assume that these accounts are now breached if you were careless enough to re-use the login credentials).
Users on the platform often rant about fake profiles. You can normally spot fake profiles from far because:
- not enough info is provided
- has very few connections
- the picture looks fake and often too “perfect”,
- has nothing to do with your domain,
- their first/last name actually represents a company not an individual, etc …
Usually it is a combination of above parameters that raises the alarm bells.
But these fakes aren’t the ones I care about because they’re obviously SPAM and so most of them never get to enter my network to begin with. What I’m worried about more is what (who) else is lurking.
E.g. I literally know a couple of profiles of individuals who meanwhile deceased but are still active LinkedIn account holders and LinkedIm suggests them as possible people I might want to add.
These accounts are sitting ducks and the perfect launching pad for an attacker to plan social engineering attacks from. I assume many were downgraded meanwhile to non-premium status after their credit cards finally expired (years later). Also there are quite a couple of stale duplicate accounts from users forgot/lost login credentials and who re-register with the same name and new email address.
Invite only contacts you personally met
This is “Security” advise is useful for a minority of users who want to build a very select and protected network. I’d go as far to claim that these users don’t even have much value from LinkedIn because they can achieve the same thing with a pre-digital Rolodex with their 50 select contacts and interact with a different person in their network every weekend in a round-robin fashion.
But it ignores the professional nature of most of the people that LinkedIn actually gets their revenues from (accounts who usually handle business development, recruitment, marketing etc).
Leads are why people come to LinkedIn. Jobseekers often reach out to me without knowing me and that is OK as long as they’re in my professional domain. Assuming that 20% of the number of users affected by the breach are most likely dead, 15% are inactive because they realized it isn’t for them after signing up, 30% never log in because they’re using LinkedIn only for looking for a job and connecting with recruiters, … and so on. Even with a conservative calculation we get a massive number of accounts where we can actually no longer guarantee their authenticity. Are Alice and Bob which have just sent an invite real people or are we being profiled for a targeted social engineering attack by these accounts once we have added them?
Prowl is a Python script written by Matthew Pickford which can identify breached emails accounts for Social Engineering attacks thanks to haveibeenpwned.com. You may want to run Prowl on specific users email addresses or all users from a specific company who have been pwned to decide yourself if these accounts are trustworthy.
Some questions that we should try to answer (and thanks to the “haveIbeenPwned?” project we can find the answer by comparing the data troves) are:
- Did LinkedIn actually deactivate all accounts that were part of the first breach in 2012 and which have failed to change their passwords since?
- Did they implement a little banner on top that annoyed these users to immediately change their password in case they haven’t yet reacted to the mail (maybe it ended up in SPAM or maybe it took a week to message all of the users over SMTP (deferred mails etc)).
- Does LinkedIn act on bounced emails and postmaster errors when they contact their users in order to keep their data set healthy and accurate? E.g. emails they send to users from email@example.com should IMO be checked for bounces as besides the security benefit it also affects a users ability to respond to changed ToS. If bounced messages are ignored and stale accounts are just waiting to be taken over it reduces the overall safety of all users.
Free Bonus LinkedIn Math Puzzle
If LinkedIn earned a total of US$2.99 billion in revenues (2015) and counts a total of 106 million active users (counted in March 2016), and 30% of those have not yet changed their password (let’s call them the “Walking Dead”), then:
- How many dead walkers are currently among the LinkedIn user base?
- What is the monetary value of each user to the company in terms of revenue in US$ ?
Data is the new oil – I get it. But in our times even outdated garbage data (which automatically becomes valuable data to an attacker) seems to add positively to the bottom line of some businesses.
Discuss this on hackernews:
Valbonne Consulting provides Research & Consulting for emerging technologies in Internet/Web of Things (WoT/IoT/M2M) and Emerging-Tech. We specialise in decentralisation, security and privacy. We work across a variety of traditional industry verticals (Telecommunications, Automotive, Energy, ...). We support Open Source and technologies built on open standards.
Passionate about Open Source, GNU/Linux and Security since 1996. I write about future technology and how to make R&D faster. Expatriate, Entrepreneur, Adventurer and Foodie, currently living near Nice, France.