How Older Cybersecurity Lapses Can Give Birth to Future Data Breaches

Since my last post on the subject (“LinkedIn Grapples with the Ripples of a 2012 Data Breach”), there have been several developments related to LinkedIn’s 2012 data breach. First, in May, LinkedIn announced that it had finished invalidating the passwords it considered at risk, specifically those of LinkedIn accounts that had not reset their passwords since the 2012 breach:

We’ve finished our process of invalidating all passwords we believed were at risk. These were accounts that had not reset their passwords since the 2012 breach. We will soon be sending more information to all members that could have been affected, even if they’ve updated their password. If you have questions about your personal account, please contact us here. —LinkedIn Official Blog

A second, more ominous post appeared on the LinkedIn official blog in June regarding the compromise of celebrity accounts on social media allegedly connected to the breach:

Recent reports of celebrity accounts being compromised on social media have resulted in questions about connections to the 2012 LinkedIn data breach. Here are the facts as we know them and as it relates to this most recent incident:

• There is no new data breach. Several weeks ago, additional names and passwords from the original data breach in 2012 were released and we took quick action to notify our members.

• At that time, we inactivated all the passwords on LinkedIn for members that hadn’t updated them since the 2012 incident and reached out to every member who had an account as of June 6, 2012 to let them know.

It was reported that the LinkedIn breach led to several compromised celebrity social media accounts, including Facebook founder Mark Zuckerberg’s Twitter and Pinterest accounts, and the Twitter accounts of Keith Richards, Katy Perry and Kylie Jenner. The fallout included a number of fake death announcements posted from compromised Twitter accounts, including those of NFL commissioner Roger Goodell and actor and singer Jack Black. (Both men are doing fine.)

Such pranks may seem trivial, but as Jeremi Gosney’s June 1st article in Ars Technica points out, the real danger in the LinkedIn data breach is that the LinkedIn password data will become a wordlist that makes password cracking more effective, “providing new patterns to analyze to generate new rules, and new statistics for probabilistic password cracking.” Gosney astutely notes that when you “take both RockYou and LinkedIn [password data sets] and combine them with eHarmony, Stratfor, Gawker, Gamigo, Ashley Madison, and dozens of other smaller [password data sets from] public password breaches, hackers will simply be more prepared than ever for the next big breach.” Gosney also describes a few good practices to protect against password breaches and against the growing sophistication of password cracking that draws on datasets from prior breaches: (1) employ a password manager to generate random passwords for your accounts; (2) when a site announces it has been compromised, change your password as soon as possible; and (3) use multi-factor authentication or two-step verification for critical accounts.
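To make the wordlist point concrete from the defender’s side, here is an added example (not from the post, Gosney’s article, or LinkedIn): a screening check that rejects a candidate password when it, or a trivial variant of it that a rule-based cracker would also try, appears in a known-breach corpus. The corpus, the leet map and the `check_password` policy are constructed for illustration; the leaked entries are made up, not real breach data.

```python
from __future__ import annotations
import hashlib
import re

# Constructed stand-in for a merged breach corpus (RockYou, LinkedIn, ...): made-up
# entries, stored as SHA-1 digests so the screening service never holds plaintexts.
SAMPLE_LEAKED = ["password", "linkedin", "summer2012", "letmein", "qwerty"]
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_LEAKED}

# One common leet decoding (assumed); a fuller screen would try several
# alternatives, e.g. "1" as both "i" and "l".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

def base_forms(password: str) -> set[str]:
    """Derive the forms a cracker's mangling rules would reach from a leaked base
    word: case-folding, stripping appended digits/symbols, and leet decoding."""
    lowered = password.lower()
    no_symbols = re.sub(r"[^a-z0-9]+$", "", lowered)   # "summer2012!" -> "summer2012"
    no_suffix = re.sub(r"[^a-z]+$", "", lowered)       # "p@ssw0rd!1"  -> "p@ssw0rd"
    forms = {password, lowered, no_symbols, no_suffix}
    forms |= {f.translate(LEET) for f in list(forms)}  # "p@ssw0rd" -> "password"
    return {f for f in forms if f}

def is_breached(password: str, corpus: set[str] = BREACH_CORPUS) -> bool:
    """True if the password or one of its base forms is in the breach corpus."""
    return any(hashlib.sha1(f.encode()).hexdigest() in corpus
               for f in base_forms(password))

def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password should be rejected (empty list = accepted)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(password):
        reasons.append("matches a known-breach password or a trivial variant of one")
    return reasons

if __name__ == "__main__":
    for pw in ["L1nked1n!", "P@ssw0rd2016", "correct horse battery staple"]:
        print(pw, "->", check_password(pw) or "accepted")
```

A production screen would use a full breach corpus and a k-anonymity lookup rather than a local set, but the normalization step is what turns “the password isn’t literally in the list” into a meaningful check.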

By now, most companies understand the short-term and long-term potential costs of a data breach—as they relate to the company that has been targeted. Nonetheless, it’s worth remembering that, in the world of password data sets, even those breaches unconnected in terms of industry, actor, intent or success often become part of a larger constellation of information that allows hackers everywhere to launch more effective attacks in the future.