Occasionally, the infosec headlines are dominated by one story. This week it was LinkedIn’s turn, with the news that 167 million hacked accounts had been put up for sale. That’s a sizeable data breach by any reasonable measure; in fact it’s one of the biggest we’ve seen to date, larger even than Adobe back in 2013, which was a “mere” 152 million. But unbeknownst to us at the time of the Adobe incident, those 167 million LinkedIn accounts were already in the hackers’ hands. Actually, we knew about a LinkedIn incident already, but we thought it involved just 6.5 million password hashes with no corresponding email addresses. We were wrong.
Here’s what we know today: news of the much larger breach started to trickle out a few days ago when the data was put up for sale for a grand total of 5 Bitcoins. That’s about US$2.2k for the whole lot, and the sale was via a website behind a Tor hidden service that’s notorious for trading not just in this class of data but in other commodities like drugs and weapons. The seller has a very positive rating from numerous other sales, so that in itself is an indicator of the legitimacy of the data. A reporter then sent me a sample of almost a million records and, in conjunction with some subscribers of my Have I been pwned data breach service, we established with a very high degree of confidence that the data was indeed legitimate.
But why are we only hearing about this now? Isn’t it a bit unusual? Not really; we’ve seen this pattern play out many times before. For example, in November we saw the Moneybookers and Neteller data breaches come to light: a combined 8 million records, hacked out of the gambling sites as far back as 2009 and 2010. When news of the incidents hit last year, the parent company that has since acquired them saw its stock price dip to the tune of £300M before bouncing back. They had no idea the sites had suffered these breaches and it all came as quite a shock.
The thing about incidents like LinkedIn’s and the gambling sites’ is that there’s no guarantee the data will ever be exposed, let alone at a point in time close to the attack itself. For that matter, the organisation that was hacked may well go on blissfully unaware of the incident in perpetuity. A mere six months ago, none of the three services I’ve mentioned here knew that millions of their users’ details were in the hands of hackers (not counting the “small” hash set LinkedIn knew about).
All of this got me thinking: how many other sites that we use day in, day out have already been plundered without our knowing it? Going by the statistics alone, the number is certainly non-zero; we just have no idea which sites they are.