If you’re a security professional, you probably remember the 2012 LinkedIn hack. It was sort of a perfect storm of media-friendly factors: Russian hackers affecting a well-known social media service, and not just stealing users’ passwords, but literally locking them out of their accounts. Then there was the large number of users affected—six million people, which was, and still is, a huge number of records. Lastly, there was the aftermath, with LinkedIn security frantically pleading with users to change their passwords, and the revelation that their encrypted passwords had not been salted.
All in all, it was a pretty bad time. Now, four years after the fact, one last devastating piece of information has surfaced. The total number of breached users was never just six million—it was 167 million, and their records are now all for sale.
Basic LinkedIn Security Failures Resulted in Massive Leak
At the time, the original 2012 LinkedIn security breach represented a two-part failure of security: a failure of defense (the attackers got in) and a failure of basic password storage (what they took was poorly protected). Both were fundamental information-security oversights.
Full disclosure: LinkedIn never quite went as far as officially revealing the attack path that its attackers took. Initial reports strongly hint at a SQL injection attack, however. LinkedIn did settle a class-action lawsuit, stemming from the breach, which specifically referenced SQL in its brief. Thus, we might safely assume that SQL was involved.
Enough has been written on SQL injection attacks for most to know that they depend on an elementary mistake. When developers write applications, they need to ensure that user input is always treated as data and never as code. Most users, when they see input fields labeled “name,” “address,” “phone number,” etc., will put in relatively predictable strings of letters and numbers. Bad actors will instead put in SQL code designed to interact with the database that the input is connected to. This can allow them to take control of an application, plant malware, and steal personal information.
SQL injection attacks weren’t new in 2012. They’ve long been known as one of the easiest ways for attackers to gain control of targeted applications. They’re so easy to pull off that an experienced hacker once claimed that he could use a SQL vulnerability to hack the NASDAQ in ten minutes. It isn’t a great sign when companies fall victim to SQL injection, but it’s understandable. Many applications have so many potential inputs that developers can’t cover them all with sanitizers in time to meet production targets, and oftentimes vulnerabilities will appear in third-party plugins.
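To make the “input treated as code” mistake concrete, here is an added example (not code from the original post, and not LinkedIn’s code) using Python’s built-in sqlite3 module and a constructed in-memory user table. The vulnerable lookup pastes the username straight into the SQL text; the hardened lookup binds it as a parameter, so the database engine never interprets the value as part of the statement. The table contents and the function names are assumptions for illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample user store (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # The elementary mistake: user input becomes part of the SQL statement,
    # so the engine parses whatever the user typed as query syntax.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    # The fix: a placeholder in the statement and the value bound separately.
    # The statement's structure is fixed before the input is ever seen.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# The textbook tautology input, used here only to show that the hardened
# version treats it as a literal (and non-existent) username.
TAUTOLOGY_INPUT = "' OR '1'='1"


def demo() -> dict[str, list[str]]:
    conn = build_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_parameterized": lookup_parameterized(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY_INPUT),
        "tautology_parameterized": lookup_parameterized(conn, TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

For an ordinary username both functions return the same single row. For the tautology input, the string-built query returns every user in the table, while the parameterized query returns nothing, because the engine is looking for a user whose name is literally that string. Parameterized queries (prepared statements) are the defense that scales: unlike per-field sanitizers, they do not have to be remembered for every one of the “so many potential inputs” the paragraph above mentions.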
Salting is a Fundamental Aspect of Password Security
The other problem, involving password storage, is much more concerning. LinkedIn didn’t salt their passwords before they hashed them. “Salting” is a technique that gets around the fact that many users have terrible passwords. We see this in how, year after year, “123456” is still the most common password found in breaches. In a leak of six million passwords, it’s very likely that several users will have the password “123456,” or “batman,” or “password,” or what have you.
This is tricky, because a hashing algorithm will always produce the same output for the same input. Hackers can easily recover large parts of a breach by pre-computing the hashes of these common passwords and matching them against the hashes in the leaked file. Salting solves this problem by adding a random value to each password prior to hashing (the salt is stored alongside the hash, so the site can repeat the computation at login). Let’s say that two users both have “batman” as a password. Salting turns one password into “31415batman,” and the other into “271828batman.” The two stored hashes are now distinct, and thus immune from pre-computed dictionary attacks.
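The following added example (not code from the original post, and not LinkedIn’s implementation) runs the scenario above on a constructed five-user “leak.” It first shows how a pre-computed table of common-password hashes recovers every unsalted user who chose one of those passwords, then stores the same passwords with a per-user random salt so that two users with “batman” get different records and the table is useless. It goes one step beyond the text: the salted variant uses PBKDF2 (a deliberately slow key-derivation function from Python’s standard library) rather than a single fast hash, which is what a practitioner would deploy today. The user names, the wordlist and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's dictionary of common passwords.
COMMON_PASSWORDS = ["123456", "password", "batman", "qwerty", "letmein"]

PBKDF2_ITERATIONS = 100_000  # assumption; tune to your hardware budget


def unsalted_hash(password: str) -> str:
    """The LinkedIn-style mistake: same password -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(salt: str, password: str) -> str:
    """The text's illustration: prepend a per-user salt, then hash."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "leaked" unsalted database; alice chose a strong passphrase.
LEAKED_UNSALTED = {
    "alice": unsalted_hash("correct-horse-battery-staple-7!"),
    "bob": unsalted_hash("batman"),
    "carol": unsalted_hash("batman"),
    "dave": unsalted_hash("123456"),
    "erin": unsalted_hash("letmein"),
}


def precomputed_table(wordlist: list[str]) -> dict[str, str]:
    """Hash the dictionary once; reuse it against every unsalted leak."""
    return {unsalted_hash(word): word for word in wordlist}


def crack_unsalted(leak: dict[str, str], table: dict[str, str]) -> dict[str, str]:
    """Lookup-only attack: no hashing needed per user."""
    return {user: table[h] for user, h in leak.items() if h in table}


def store_password(password: str) -> str:
    """Defender's storage format: hex(salt) $ hex(PBKDF2-HMAC-SHA256 digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    print("cracked from unsalted leak:", crack_unsalted(LEAKED_UNSALTED, table))
    print("text's example:", salted_hash("31415", "batman")[:16],
          salted_hash("271828", "batman")[:16])
    rec_bob, rec_carol = store_password("batman"), store_password("batman")
    print("salted records differ:", rec_bob != rec_carol)
    print("bob can still log in:", verify_password("batman", rec_bob))
```

Run as a script, the first line names bob, carol, dave and erin with their passwords recovered purely by table lookup; alice survives only because her password was not in the dictionary. The two salted records for “batman” differ in every byte, so the attacker would have to hash the dictionary again for each user, and the slow KDF makes every one of those attempts expensive. Note that salting alone does not rescue a user with “123456”: it removes the shortcut, not the weak password.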
Sanitizing your inputs and salting your hashes are considered to be two fundamental steps for information security. LinkedIn appears to have performed neither step. What this means for its users isn’t entirely clear. The hundred-million-plus records that have just been released have nearly all been cracked, but they’re also over four years old. Some of this data might still be valuable to hackers, but the question is, how much? As for LinkedIn, not much is certain—except for the high likelihood of another lawsuit.
Basic security measures are a strong first line of defense, but they can still be circumvented. To learn more about how to strengthen your perimeter and eliminate malware, contact SentinelOne today.