LinkedIn’s Sloppiness Hurts Us All

Jeremi M. Gosney, writing for Ars Technica:

The RockYou breach revolutionized password cracking. No longer were we using crap like list_of_kitchen_appliance_manufacturers.txt for wordlists. Everyone was just using rockyou.txt, and they were cracking a significant percentage of passwords. Markov statistics, mangling rules, everything was being based off what we learned from the RockYou passwords. […]

This means hackers will soon have a drop-in replacement for RockYou that is over five times more effective: a new de facto wordlist, new patterns to analyze to generate new rules, and new statistics for probabilistic password cracking. When you take both RockYou and LinkedIn and combine them with eHarmony, Stratfor, Gawker, Gamigo, Ashley Madison, and dozens of other smaller public password breaches, hackers will simply be more prepared than ever for the next big breach.
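Gosney's point is mechanical, not rhetorical: a leaked corpus is mined three ways, as a base-word list, as a source of mangling rules (capitalise, append digits, append a symbol), and as training data for a character-level Markov model that ranks guesses most-probable-first. The following is an added worked example of that pipeline; it is my code, not anything from the Ars Technica piece or from this post. The "leaked" corpus and the "next breach" are constructed strings, the rule syntax is a small subset of hashcat's (`:`, `c`, `$X`), and unsalted SHA-1 is assumed purely so the candidates can be tried against something.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Constructed toy "breach" corpus standing in for rockyou.txt; these are
# invented strings, not real leaked passwords.
LEAKED = [
    "password1", "Password123", "iloveyou", "Iloveyou1", "letmein!",
    "sunshine", "Sunshine2012", "princess", "princess1", "monkey",
    "Monkey!", "football", "football7", "baseball", "Baseball99",
    "Welcome123",
]

# Constructed "next breach": unsalted SHA-1 of three invented passwords
# (the hash choice is an assumption for illustration only).
NEW_BREACH = {hashlib.sha1(p.encode()).hexdigest()
              for p in ("princess1", "Monkey123", "qwerty")}

START, END = "\x02", "\x03"  # sentinel tokens for the Markov model


def base_word(pw):
    """Split 'Password123!' into its lowercase base word and the transformation
    applied to it (leading capital, trailing digits, trailing symbols)."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^A-Za-z\d]*)", pw)
    if not m:
        return None, None
    word, digits, syms = m.groups()
    return word.lower(), {"cap": word[0].isupper(), "append": digits + syms}


def learn_rules(pws):
    """Derive base words and hashcat-style mangling rules from a leaked corpus,
    each weighted by how often it occurs in the dump."""
    words, rules = Counter(), Counter()
    for pw in pws:
        word, feat = base_word(pw)
        if word is None:
            continue
        words[word] += 1
        rule = ("c" if feat["cap"] else "") + "".join("$" + ch for ch in feat["append"])
        rules[rule or ":"] += 1  # ':' is hashcat's no-op rule
    return words, rules


def apply_rule(word, rule):
    """Interpret the rule subset we emit: ':' no-op, 'c' capitalise first letter,
    '$X' append the character X."""
    out, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            i += 1
        elif op == "c":
            out = out[:1].upper() + out[1:]
            i += 1
        elif op == "$":
            out += rule[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported rule op {op!r}")
    return out


def train_markov(pws):
    """Order-1 character Markov model: counts[prev][next], learned from the dump."""
    counts = defaultdict(Counter)
    for pw in pws:
        prev = START
        for ch in pw.lower() + END:
            counts[prev][ch] += 1
            prev = ch
    return counts


def markov_logprob(model, guess, alpha=0.1):
    """Log-probability of a guess under the model, with additive smoothing so
    unseen transitions score low rather than minus infinity."""
    vocab = {ch for row in model.values() for ch in row}
    lp, prev = 0.0, START
    for ch in guess.lower() + END:
        row = model.get(prev, Counter())
        lp += math.log((row[ch] + alpha) / (sum(row.values()) + alpha * len(vocab)))
        prev = ch
    return lp


def generate_candidates(pws, top_words=10, top_rules=3):
    """Word list x rule list, ordered most-probable-first by the Markov model."""
    words, rules = learn_rules(pws)
    model = train_markov(pws)
    cands = {apply_rule(w, r) for w, _ in words.most_common(top_words)
             for r, _ in rules.most_common(top_rules)}
    return sorted(cands, key=lambda g: markov_logprob(model, g), reverse=True)


def crack(target_hashes, candidates,
          hash_fn=lambda s: hashlib.sha1(s.encode()).hexdigest()):
    """Try each candidate against a set of unsalted hashes; return the plaintexts hit."""
    return {c for c in candidates if hash_fn(c) in target_hashes}


if __name__ == "__main__":
    cands = generate_candidates(LEAKED)
    print("top guesses:", cands[:5])
    print("recovered:", crack(NEW_BREACH, cands))
```

Every stage is driven by the previous dump: the base words, the rule frequencies and the transition counts all come from `LEAKED`, which is why a bigger and more representative leak makes the next attack cheaper, exactly the "drop-in replacement" effect the quote describes. Real tooling (hashcat, John, PCFG or OMEN-style generators) does the same thing at scale with far richer rule grammars.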

By the time this breach occurred, LinkedIn had been a publicly traded company for at least a year. They were already the de facto social network for “business” people wishing to market themselves to each other. At the end of their 2012 fiscal year, approximately when this data set dates from, LinkedIn had over 200 million members that they could regularly spam with terrible emails.

Think of this breach every time any company asks you for information. LinkedIn was a large, public company at the time this data set was collected. You know of a lot of large, public companies with a lot of information about you. One hopes they aren’t nearly as sloppy, but one also hopes that we never find out for certain.