LinkedIn 2012 Data Breach May Have Hit Over 100 Million
May 19 2016 - 7:25PM
Dow Jones News
By Robert McMillan
After hackers stole usernames and passwords from LinkedIn Corp.
in 2012, the company spent close to $1 million on an investigation
that determined that 6.5 million users had been affected.
This week, LinkedIn acknowledged that it underestimated the
impact -- by more than 100 million users, whose passwords may have
been compromised for years.
The new disclosure, in a LinkedIn blog post on Thursday, came
after a hacker claimed to have a database of 117 million usernames
and passwords. The professional social network, which now has 433
million members, said it would force users who hadn't reset their
passwords since 2012 to do so.
For companies like LinkedIn, responding to a data breach
represents a difficult balancing act. Computer intrusion is a murky
business and data-breach investigations don't always reveal the
entire picture, said Charles Carmakal, vice president with the
Mandiant unit of FireEye Inc.
Mr. Carmakal said it isn't unusual for companies to fail to
realize the full extent of a hack. "It could be that the hackers
cleaned up their trails that they were there," he said. "We see
lots of organizations that lose terabytes of data that don't notice
that it has happened."
In 2012, LinkedIn knew that at least 6.5 million passwords had
been compromised because that many had been released on a Russian
hacking forum. Then, the company faced a choice between security
and convenience. It could have forced all of its then-161 million
members to reset their passwords, but that could have frustrated
many users or made them unhappy.
This week, security experts said LinkedIn would have been better
off with unhappy users and a clear signal to the world that it was
serious about security.
LinkedIn's decision to conservatively estimate the size of its
2012 breach was unusual.
"Most companies over-notify," said Chris Hoofnagle, a University
of California, Berkeley, professor who studies privacy and data
breach laws. "That's what's a little strange about this one."
LinkedIn spokesman Hani Durzy defended the company's 2012
actions. "We made the decision to invalidate the accounts that used
any of the 6.5 million passwords released in 2012 based on the
information we had available at the time," he said.
In that sense, LinkedIn may not be in a unique position. "It's
something that a lot of organizations struggle with," Mr. Carmakal
said. "In general, most victims will only publicly disclose data
based on evidence and facts that they have."
--Deepa Seetharaman contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
May 19, 2016 19:10 ET (23:10 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.