QUICK: What was your LinkedIn password in 2012? OK, now think of every password you have set on every service you use and make sure that LinkedIn password isn’t re-used anywhere.
If ever you needed a reminder not to re-use passwords, here it is. We knew that LinkedIn got hacked in 2012, but at the time, we thought “only” 6.5 million passwords had been taken. Now, we learn the real figure was something more like 100 million-plus. That means your old LinkedIn password, and probably any derivations of it, should never be used anywhere else. You already knew that, but now you *really* know it.
Yesterday, a security researcher found an ad posted by a hacker offering a list of 167 million LinkedIn passwords for sale – for about $2,300. LinkedIn confirmed to Ars Technica on Wednesday that it is aware an “additional set of data has just been released.” The company is working to invalidate any passwords on the list that might still be in use. Because of duplicates, etc., the real number is probably far less than 167 million, but it’s certainly much larger than 6.5 million.
Of course, LinkedIn can’t help you with any other services where you might use that LinkedIn password. And you probably forgot it, anyway. Sadly, computers never forget these things. Even if you only signed up for LinkedIn once, back in 2012, and never used it again, the password you set at the time is now poisoned.
But there is no need to panic. No doubt, whoever had this list had wrung all the value out of it before offering it for sale – probably many times over, and by multiple whoevers. If it were really a gold mine, it wouldn’t be for sale at $2,300. Most of the user/pass combinations in there have no doubt already been tried at obvious places like Amazon and Bank of America.
Still, your job today is to think about all the critical sites you use — places where you keep your money (banks) and places where you spend money (Amazon, Expedia) — and make sure those passwords are clever and fresh.
Then let your mind wander to places where hackers might make bank by escalating through your personal, digital life: hacking into your email account, for example, or even your Facebook account. Using your email, they could reset passwords at your bank. Using Facebook, they could trick friends into sending money, or just embarrass you.
Doing that kind of digital security inventory is a good exercise at any time. But today presents a great reminder.
“There needs to be a sense of heightened security every day when it comes to cyberattacks and thinking passwords could be stolen,” said John Peterson, Vice President of Enterprise Products at cybersecurity company Comodo. “Consumers, small businesses, and large enterprises all need to understand that criminals have established, working organizations with paid hackers, spammers and phishing experts who think of ways to steal and leverage passwords, bank records, social security numbers, company trade secrets and data, and credit card and financial data every minute of every day.”