In the July 10, 2012 edition of this blog I wrote about the 2012 LinkedIn password breach. A month earlier, LinkedIn confirmed that a Russian attacker exploited a website vulnerability and downloaded 6.5 million encrypted passwords. You can read my old post to see why that's a problem.
Well, some gifts just keep on giving! Now, nearly 4 years later, a newly posted password dump from this same breach was advertised for sale on a dark web site. Except that information on over 167 million accounts was for sale! Of those, over 117 million had both the email and password. Slightly different math!!!
So why is this a problem? Actually it's an old problem and a new problem. Here are the key issues:
- Poor password choices - once again, this latest set of stolen passwords shows weak passwords - the top five passwords found were: 123456 (used on over 1 million accounts!), linkedin, password, 123456789 and 12345678
- Password reuse - since people have accounts on so many sites that need passwords, they tend to reuse them. The one million people who used 123456 as their LinkedIn password likely reuse that on other sites.
- Back to Work - are some of these same poor password choices being made on work systems? Or are some work passwords being used on sites like LinkedIn and potentially included in this breach?
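As an added illustration (not code from the original post), here is a password screen a defender could run when a user sets a password: it normalises the candidate and rejects the five passwords named above, anything built around the service name, and digit or keyboard runs. The five-entry denylist is taken from this post; the 8-character minimum, the leet-speak map and the service name default are my assumptions.

```python
import re

# Constructed denylist: the five most common passwords the post reports from the
# 2016 LinkedIn dump. A real deployment would load a full breached-password corpus.
BREACHED_TOP = {"123456", "linkedin", "password", "123456789", "12345678"}

# Common leet-speak substitutions folded back to letters before the denylist lookup (assumed map).
LEET = str.maketrans("@$013", "asoie")

def variants(pw):
    """Yield the plain, suffix-stripped and leet-folded forms of a password (lowercased)."""
    base = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)       # drop trailing "2012", "!", "123"
    for form in {base, stripped, base.translate(LEET), stripped.translate(LEET)}:
        if form:
            yield form

def is_run(pw):
    """True for digit/keyboard runs or repeats such as 123456789, 987654321, aaaaaaaa."""
    if len(pw) < 6:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}, {0})

def check_password(pw, service="linkedin", denylist=BREACHED_TOP, min_len=8):
    """Return the list of policy failures; an empty list means the password passes.

    min_len=8 and the denylist screen follow NIST SP 800-63B memorized-secret guidance;
    the service-name check catches passwords such as "linkedin" or "mylinkedin1".
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if service in pw.lower():
        reasons.append("contains the service name")
    if any(v in denylist for v in variants(pw)):
        reasons.append("matches a breached password (after normalisation)")
    if is_run(pw.lower()):
        reasons.append("sequential or repeated characters")
    return reasons

if __name__ == "__main__":
    for candidate in ["123456", "LinkedIn2012!", "P@ssw0rd", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "OK")
```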