Advertisement
Motherboard

Hacker Site Removes 117 Million LinkedIn Passwords After Legal Threat

After new leak of more than 100 million user passwords, the company is trying to limit the damage in any way it can.

by Lorenzo Franceschi-Bicchierai
May 19 2016, 5:02pm

Image: Nan Palmero/Flickr

LinkedIn has successfully persuaded a hacker website to remove user passwords exposed during a data breach in 2012, which have resurfaced on the dark web this week.

The website, called LeakedSource, claims to have the full database of leaked user data, and has made it searchable to people who agree to pay a subscription fee ranging from $2/day to $265/year.

After LinkedIn's lawyers sent a cease and desist letter, however, LeakedSource removed the passwords, both hashed and cracked, from its search results.

"We received a typical cease and desist letter from LinkedIn's lawyers and even though we think they're blowing steam out their ass, for the next couple of days we are going to censor hashes from that particular data set while we consult with our legal team from OUR jurisdiction," the site's operators wrote in a statement, defining the removal of the passwords as censorship.

"Even though we think they're blowing steam out their ass, for the next couple of days we are going to censor hashes from that particular data set"

LeakedSource got ahold of the data after a hacker put it up for sale on the dark web earlier this week. The dataset contains at least 100 million emails and passwords of LinkedIn users.

LinkedIn has started to reach out to the affected users to get them to reset passwords, and is now also trying to limit the damage with legal threats.

"LeakedSource's copying and displaying of LinkedIn members information without their knowledge or permission is against the law," a lawyer for LinkedIn wrote in the letter, who argued that the site was running afoul of the US anti-hacking law Computer Fraud and Abuse Act, and the California anti-hacking statute "for its ongoing access to, use, and disclosure of LinkedIn member data without LinkedIn's or its members' authorization."

A screenshot of the cease and desist letter that LinkedIn emailed to LeakedSource.

"We're taking legal action to stop the distribution of stolen data," a LinkedIn spokesperson told Motherboard in an email. "We've also been working with law enforcement going back four years."

The leaked credentials come from a data breach that LinkedIn suffered in 2012. Back then, the hackers behind the breach only posted 6.5 million encrypted passwords online, and it wasn't clear whether the incident affected more than the people whose passwords were leaked. As it turned out, the hack was much worse than anybody thought. The hacker who's selling the data now says it contains 117 million emails and password combinations.

LeakedSource hinted that US law doesn't apply to the site, and also attacked and bashed LinkedIn for the way it handled the 2012 breach, as well as its response to the recent leak of more credentials.

"LinkedIn says they're working with law enforcement now. It's nice to know they gave the crooks a 4 year head start before looking into the incident," the site's statement read.

Explaining why they decided to remove the passwords, one of the operators behind the site told Motherboard that "LeakedSource originally believed that LinkedIn acted responsibly and forced a full password reset in 2012 and were aware of the scale of the breach."

"We're taking legal action to stop the distribution of stolen data."

The operator or operators also defended themselves, saying they believe they didn't commit any crime. In response to the accusation of breaking anti-hacking laws, LeakedSource said they didn't access any computer without authorization, and have no intent to either defraud or extort money.

"No extortion here, we would give you our data for free if you asked for it," LeakedSource wrote.

LeakedSource's terms of service nominally allow subscribers to search only for their own data, but in practice subscribers can search data on anyone. In the case of the LinkedIn data, a subscriber was able to query the database and see any victim's email, encrypted or hashed password, and in many cases the actual decrypted password in plaintext.

"LeakedSource has been online for mere months. We've accumulated hundreds of databases, not through a miraculously successful spate of hacking attempts, but by scouring the internet and dark web for data" the site's operator told me. "Some of what we find is very new, some is fairly old. We're scavengers, not hackers—we don't get to pick and choose."

While it might be good news for the victims that the passwords are not on LeakedSource anymore, someone else certainly has them, and has probably had them for a while. So, again, please change your LinkedIn password, because the company's legal actions aren't going to protect it.

This story has been updated to add a comment from LeakedSource's operator.