2012 LinkedIn Hack

The LinkedIn hack that happened on June 5, 2012, involved a breach where hackers stole the passwords of around 6.5 million user accounts. Yevgeniy Nikulin was later found guilty of the hack and was sentenced to 88 months in prison.

After the attack, users who were affected couldn’t access their accounts. LinkedIn announced that they would send emails to these users, explaining how they could reset their passwords. In May 2016, LinkedIn found out that the breach had actually impacted an additional 100 million email addresses and passwords from the 2012 incident.

History

Hack

In 2012, LinkedIn, the popular social networking site, was hacked and nearly 6.5 million user passwords were stolen by Russian cybercriminals. As a result, many users couldn’t access their accounts and LinkedIn strongly urged everyone to change their passwords after the incident.

Vicente Silveira, a LinkedIn director, confirmed the hack on the company’s official blog, stating that affected users would find their passwords no longer worked and would need to reset them.

In 2016, LinkedIn uncovered an additional 100 million email addresses and passwords that had also been compromised in the same 2012 breach. As a precaution, LinkedIn deactivated the passwords of users who hadn’t changed them since the hack occurred.

LinkedIn Data Leak

In 2021, data from over 700 million LinkedIn users was leaked online in the form of a torrent file. This information was believed to have been scraped from LinkedIn. Before the leak, hackers had attempted to sell the data in June 2021.

Reaction

Internet security experts pointed out that the stolen passwords were easy to crack because LinkedIn didn’t use a security measure called a “salt” when hashing them. Without a salt, the same password always produces the same hash, which made it easier for attackers to reverse the process using tools like rainbow tables, which are precomputed tables that map hashes back to the passwords that produced them.
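The difference a salt makes can be checked directly. The following is an added example, not code from LinkedIn or from the original article: it stores the same constructed accounts with an unsalted fast hash and with a per-user salt plus PBKDF2, then audits both tables. The use of SHA-1 for the weak scheme, the account names, the wordlist and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; alice and bob share a weak password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#qLw9!vz"}
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for the demo)

def unsalted(password):
    """Weak scheme: one fast hash, no salt (SHA-1 is an assumption)."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted(password, salt=None):
    """Hardened scheme: per-user random salt and a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key.hex()

def verify(password, salt, stored_hex):
    """Recompute with the stored salt; compare in constant time."""
    return hmac.compare_digest(salted(password, salt)[1], stored_hex)

def shared_hashes(table):
    """Count accounts whose stored hash is identical to another account's."""
    counts = Counter(table.values())
    return sum(n for n in counts.values() if n > 1)

def precomputed_hits(table, wordlist):
    """Accounts whose hash appears in one hash->password table built once."""
    lookup = {unsalted(word): word for word in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}

def audit():
    """Compare both storage schemes over the same constructed accounts."""
    weak = {u: unsalted(p) for u, p in USERS.items()}
    records = {u: salted(p) for u, p in USERS.items()}  # user -> (salt, hash)
    strong = {u: h for u, (_, h) in records.items()}
    common = ["password", "123456", "sunshine1"]  # constructed wordlist
    return {
        "weak_shared": shared_hashes(weak),
        "weak_hits": precomputed_hits(weak, common),
        "strong_shared": shared_hashes(strong),
        "strong_hits": precomputed_hits(strong, common),
        "login_ok": verify("sunshine1", *records["alice"]),
        "login_bad": verify("wrong-guess", *records["alice"]),
    }

if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

In the unsalted table the two accounts with the same password are visible as duplicates and both fall to a single precomputed lookup; in the salted table neither check finds anything, while legitimate logins still verify.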

Another issue that caused concern was LinkedIn’s iOS app. It was discovered that the app collected personal information such as names, emails and notes from users’ mobile calendars without their consent. Skycure Security experts revealed that the app sent this data to LinkedIn’s servers. In response, LinkedIn said that users had given permission for this feature and assured that the information was sent securely using the Secure Sockets Layer (SSL) protocol. The company also emphasized that they never stored or shared this data with third parties.

Rep. Mary Bono Mack from the U.S. Congress criticized the repeated data breaches, saying, “How many times will this happen before Congress takes action? This incident highlights the urgent need for data protection laws.” Senator Patrick Leahy echoed her concerns, stating, “Another major data breach should make American consumers reconsider sharing personal information online. Congress must prioritize passing data privacy and cybercrime laws.”

Security researcher Marcus Carey from Rapid7 mentioned that the hackers had accessed LinkedIn’s databases days before the breach was discovered. He also worried that they might have had continued access to the site even after the attack.

Michael Aronowitz, Vice President of Saveology, emphasized the broader problem, saying, “Hundreds of sites are hacked every day and personal information is stolen. If login details from one account are taken, they can be used to access other accounts, including those with personal and financial information.” Security experts pointed out that LinkedIn’s passwords were encrypted in a way that made them relatively easy to crack, contributing to the severity of the breach.

Katie Szpyrka, a long-time LinkedIn user from Illinois, filed a $5 million lawsuit against the company. She claimed LinkedIn failed to uphold its promise to secure user connections and databases. When asked about the lawsuit, LinkedIn spokesperson Erin O’Harra responded, saying some lawyers were trying to use the situation to push forward SOPA and PIPA bills in Congress.

Later, on 26, 2012, an amended complaint was filed on behalf of Szpyrka and another LinkedIn premium user, Khalilah Gilmore-Wright, from Virginia. They represented all users impacted by the breach. The lawsuit sought changes to how LinkedIn handled security, along with financial compensation and damages for those affected.

LinkedIn’s Response

After the data breach, LinkedIn quickly apologized and urged all users to change their passwords right away. The Federal Bureau of Investigation (FBI) helped LinkedIn investigate the incident. By June 8, 2012, the investigation was still in its early stages and LinkedIn couldn’t confirm whether hackers had also stolen the email addresses linked to the compromised accounts. LinkedIn assured users that those with compromised passwords would no longer be able to log in with their old passwords.

Arrest & Conviction of Suspect

On October 5, 2016, Russian hacker Yevgeniy Nikulin was arrested by Czech police in Prague after the United States requested an Interpol warrant for him.

A U.S. grand jury indicted Nikulin, along with three unnamed accomplices, for aggravated identity theft and hacking. Prosecutors claimed that Nikulin had stolen a LinkedIn employee’s login details to access the company’s network. He was also accused of hacking into Dropbox and Formspring and trying to sell stolen customer data including usernames, email addresses and passwords. Nikulin was eventually convicted and sentenced to 88 months in prison.
