Passwords of the (not) rich and famous
Most of us love to have something in common with the rich and famous: acquaintances, clothing, trips to exotic locations, and passwords.
Well, maybe not that last point.
But, yes, this has really happened. Both Mr. Zuckerberg and myself were included in the 2012 LinkedIn breach. And the hacking of his Twitter and Pinterest accounts this weekend shows why a data breach that happened years ago is still a red-hot security issue today.
Just the password facts, just the facts.
LinkedIn, the employment-focused social network, was breached in 2012, and the passwords of a reported 6.5 million users were leaked. Apart from a few lawsuits against LinkedIn from upset premium account holders, not much happened at the time. But the story and the leaked data did not die. It is now believed that the leak encompassed 167 million accounts, virtually all LinkedIn members at the time. Even worse, for 117 million of these accounts, both the passwords and the email addresses were available.
This spring, some entrepreneurial hackers put the full list up for sale for a mere 5 bitcoins (about Euro 2,500). LinkedIn's response was to send users who had not changed their passwords since 2012 (such as myself) the following notice last month.
This policy forced me – and presumably Mr. Zuckerberg – to change our LinkedIn passwords. And that was it. Game over for hackers, right? Absolutely wrong.
Recycle beer bottles, not passwords
Recycling is wonderful for the environment; it is terrible for password management. Using the same or similar passwords for different online accounts is a recipe for disaster, as Mr. Zuckerberg's case shows.
His Twitter and Pinterest accounts were hacked by OurMine. The alleged password for his LinkedIn account was a complex “dadada” – a straight six-character, lower-case password.
The key vulnerability is that people, just like Mr. Zuckerberg, are creatures of habit who reuse complete passwords and, more intriguingly, reuse parts of passwords across multiple sites. The old, outdated dump of LinkedIn data was precisely the key the hackers needed to uncover and exploit this.
One man’s data dump is another hacker’s treasure
Since the leak spilled into the public domain, the list has been scrutinized – by legitimate analysts and those on the dark side – for clues about password selection. They parse the list for trends in password length, use of letters versus digits and symbols, and capitalization. For starters, a whopping 1,135,936 LinkedIn members used a simple “123456” as a password – and they’re not alone!
Thanks to his Facebook connection, Mr. Zuckerberg is a more visible target than I am. Once hackers managed to find out that “dadada” was the Zuckerberg password for LinkedIn, we can assume that they tried this password on other social media sites. If or when that did not work, they most likely parsed the password into its individual elements and looked for trends. An “eqeqeq” or “fsfsfs” was likely next on their list.
Even if your name is not Mark Zuckerberg, your passwords and accounts can be hacked. If there is a breach, do change that password — but don’t recycle either passwords or their primary components. To make things easier you might just want a password manager, like the Avira Password Manager. Two-factor verification is also something you should consider. And remember, that breached password is radioactive and has a long half-life — don’t touch it again.
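A password manager earns its keep by flagging exactly the reuse described above before an attacker does. The following Python script is an added example, not code from the original post or from the Avira product: it audits one person's vault for exact reuse, for reuse of a password's letter core once the digits and punctuation people bolt onto the ends are stripped, for light edits (Levenshtein distance of two or less), and for matches against a common/breached list. The vault contents and the list are constructed for illustration; only “dadada” and “123456” come from the post.

```python
"""Audit one user's password vault for exact, partial and near reuse.

Added example, not from the original post. The vault and the
common/breached list below are constructed; "dadada" and "123456"
are the only values taken from the post.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample vault: site -> password.
SAMPLE_VAULT = {
    "linkedin": "dadada",        # the password the post reports for LinkedIn
    "twitter": "dadada",         # exact reuse
    "pinterest": "Dadada!2016",  # same letter core with bolt-on decoration
    "forum": "d4dada",           # one-character "leetspeak" edit
    "webmail": "123456",         # the post's most common LinkedIn password
    "bank": "kq7#Vw!pLz9r",      # unique, not derived from anything else
}

# Tiny stand-in for a real blocklist of common and breached passwords (constructed).
COMMON_OR_BREACHED = {"123456", "password", "qwerty", "linkedin", "dadada"}


def stem(password):
    """Reduce a password to its letter core: lower-case it and strip the
    digits/punctuation at either end ("Dadada!2016" -> "dadada")."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def edit_distance(a, b):
    """Levenshtein distance; a small value means one password is a light edit of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def audit_vault(vault, blocklist=COMMON_OR_BREACHED, near=2):
    """Return the reuse findings for a site -> password mapping (all lists sorted)."""
    by_password, by_stem = defaultdict(list), defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
        by_stem[stem(pw)].append(site)

    # Identical password on more than one site.
    exact = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    # Same letter core on more than one site, with at least one non-identical variant.
    partial = sorted(
        sorted(sites) for core, sites in by_stem.items()
        if core and len(sites) > 1 and len({vault[s] for s in sites}) > 1
    )
    # Different passwords that are only a couple of edits apart (catches "d4dada").
    near_pairs = sorted(
        (a, b) for a, b in combinations(sorted(vault), 2)
        if vault[a] != vault[b] and edit_distance(vault[a], vault[b]) <= near
    )
    # Password, or its letter core, appears on the common/breached list.
    known_bad = sorted(
        site for site, pw in vault.items()
        if pw in blocklist or pw.lower() in blocklist or stem(pw) in blocklist
    )
    return {"exact_reuse": exact, "partial_reuse": partial,
            "near_reuse": near_pairs, "known_bad": known_bad}


if __name__ == "__main__":
    for finding, hits in audit_vault(SAMPLE_VAULT).items():
        print(f"{finding}: {hits}")
```

On the sample vault the exact check only catches LinkedIn and Twitter, the stem check adds Pinterest, the edit-distance check is the one that catches the “d4dada” variant, and the blocklist flags every account whose password (or its core) is already public. The bank password is the only one that passes all four.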