LinkedIn breach could be bigger than first thought

THE NUMBER of LinkedIn passwords compromised in a recent data breach could be far higher than the 6.5mn initially reported, according to security firm Imperva.

Imperva claims that even though only about 6.5 million encrypted passwords have been posted online, it’s likely the unknown hacker has far more data, reports our sister publication V3.

“We believe the size of the breach is much bigger than the 6.5 million accounts,” wrote Imperva researcher Rob Rachwald in a blog post.

“Most likely, the hacker has figured out the easy passwords and needs help with less common ones, so the hacker only published the more complicated ones. Most likely, many of the passwords haven’t been revealed.”

Imperva also highlighted the simplicity of the disclosed passwords as evidence that the damage done during the hack could be worse than first thought.

“The list doesn’t reveal how many times a password was used by the consumers. This means that a single entry in this list can be used by more than one person,” wrote Rachwald.

News of the alleged breach broke on Wednesday when Norwegian website Dagens reported 6.5 million encrypted LinkedIn passwords had been posted on a Russian hacker site.

In related news, a pair of Skycure researchers revealed details of a data-sharing issue with LinkedIn’s iOS app, showing the app sent users’ calendar information to the company’s servers without warning.

LinkedIn confirmed a data breach did occur on Wednesday, though it refused to clarify the size or scope of the hack.

“We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” read the blog post.

“We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts.”

Related reading

aidan-brennan kpmg
The Practitioner