In 2012, LinkedIn experienced a major security breach when hackers accessed the platform on June 5. About 6.5 million user passwords were stolen during this incident. The hacker Yevgeniy Nikulin, was later caught and received a prison sentence of 88 months.
Those whose accounts were affected couldn’t log in. LinkedIn responded by promising to send affected users an email with steps to reset their passwords. Four years later, in 2016 LinkedIn found out that the same breach had also exposed another 100 million email addresses and passwords.
History
Hack
In 2012, the social media site LinkedIn was hacked on June 5, leading to the theft of passwords for about 6.5 million accounts by hackers from Russia. Users with compromised accounts found themselves locked out and were advised by LinkedIn to change their passwords. Vicente Silveira a director at LinkedIn, confirmed the hack on the company’s official blog and mentioned that the passwords for these accounts were no longer valid.
Four years later in May 2016, LinkedIn found out that an extra 100 million email addresses and passwords, which were also from the 2012 incident had been compromised. As a precaution, LinkedIn reset the passwords for all users who hadn’t updated their passwords since that year.
Leak
In September 2021, data from over 700 million LinkedIn users was leaked online through a torrent file. This information was believed to have been collected by scraping LinkedIn’s website. Earlier in June 2021, hackers had attempted to sell this data.
Reaction
Internet security experts criticized LinkedIn for not adding extra security measures like salting, to their password encryption process. This oversight made it easier for attackers to decode the passwords using commonly available tools. Another controversial issue was LinkedIn’s iOS app, which reportedly collected calendar data from users’ mobile devices without explicit consent though LinkedIn stated this feature was secure and user-approved.
U.S. Congress members, including Rep. Mary Bono Mack and Senator Patrick Leahy expressed frustration over recurring data breaches and emphasized the urgent need for stronger data protection laws. Marcus Carey a security expert at Rapid7, noted that hackers had accessed LinkedIn’s database shortly before the breach was discovered raising concerns about ongoing unauthorized access.
Michael Aronowitz from Saveology highlighted the broader issue of frequent hacks across various sites noting that stolen login credentials could lead to unauthorized access to additional sensitive accounts.
In response to the breach, Illinois resident Katie Szpyrka filed a $5 million lawsuit against LinkedIn, accusing them of failing to adequately protect user data. LinkedIn’s spokesperson Erin O’Harra suggested that the lawsuit might be an opportunity for lawyers to push for controversial internet regulation bills like SOPA and PIPA.
An amended lawsuit was later filed representing both Katie Szpyrka and another LinkedIn user Khalilah Gilmore-Wright from Virginia. They sought legal remedies for all affected users, including compensation and enforced improvements in LinkedIn’s security practices.
Response to the Data Breach
After the data breach was discovered, LinkedIn quickly apologized and urged its users to change their passwords right away. The company also collaborated with the Federal Bureau of Investigation to look into the theft. As of June 8, 2012, the investigation was still in the initial stages and LinkedIn was unsure if the hackers had also stolen the email addresses linked to the affected accounts. LinkedIn confirmed that users whose passwords had been compromised would not be able to log into their accounts with their old passwords.
Arrest & Conviction of Suspect
On October 5, 2016, Yevgeniy Nikulin a Russian hacker was arrested by the Czech police in Prague after the United States issued a warrant for him through Interpol.
A U.S. grand jury later charged Nikulin and three others with serious crimes including identity theft and breaking into computer networks. He was accused of stealing login information from a LinkedIn employee, which he reportedly used to access LinkedIn’s network. He was also charged with hacking into other companies like Dropbox and Formspring and he allegedly planned to sell stolen data from Formspring, including usernames, email addresses and passwords.
Nikulin was found guilty and sentenced to 7.3 years in prison. (88 months)
