领英曝“泄密门”：1.67亿条密码黑市售价5比特币

还记得社交网站领英（LinkedIn）2012年的数据泄露事件吗？

当时，一名黑客从该网站上窃取了650万个用户密码，随后将其上传至俄罗斯的一个黑客论坛上。如今看来，“650万”这个数字仅仅是冰山一角。

据科技媒体Vice Motherboard报道，近日，一个网名叫“Peace”的俄罗斯黑客正在网络黑市上叫卖1.17亿个电子邮箱地址及密码的组合，售价仅为5比特币，也就是2300美元左右。

科技媒体Motherboard已经从一家名叫Leaked Source的已泄露数据付费搜索引擎那里获得了部分泄露的数据——约100万条登录信息。Leaked Source更是称其已经获得了总计1.67亿条的泄露的登录信息。Motherboard也表示，经过联系其中的一名受害者详细比对后可以确认，那名俄罗斯黑客手上的登录信息中，至少有一条可以确认是真实的。

已泄露数据搜索引擎HaveIBeenPwned.com的负责人、网络安全专家特洛伊•亨特表示，他已经联系上了其他两名受害人并确认了细节。不过他表示，他目前尚未得到全部泄露信息来升级他的数据库。

搜索引擎Leaked Source已经对这些泄露数据展开了分析。该网站的一位代表通过电子邮件向《财富》表示，黑客此次在网上售卖的这批被盗账户中，有大约1.6亿个账户拥有唯一的电子邮件地址，其余的700万个账户只有数字登录账号和密码。这位代表还表示，由于Leaked Source的管理员手上没有2012年黑客最初发布的那650万条登录信息，因此他们也就无法检验此次的1.67亿条信息中是否包含了上次的那650万条。

Leaked Source的发言人还对《财富》表示：“这1.67亿条登录信息是我们通过某人免费获得的，而他们则是从俄罗斯人那里弄来的。他们要求我们不得透露他们的身份，否则这将危害到他们与将信息提供给他们的人之间的关系。”

上本周三，领英公司首席信息安全官柯里•斯科特在该公司的官方博客上发文称：“昨天，我们得知又有一些数据被发布出来，据称这些数据是1亿多名领英会员的电子邮件与密码的组合，它们也是在2012年的那次事故中被盗的。”

他表示，在2012年的泄露事故发生后，领英公司已经要求“所有我们认为已经泄露的账户”修改其密码。另外，当时领英还向所有用户发出了修改密码的建议。“我们正在立即采取措施，停用那些受影响账户的密码。我们将很快通知这些会员重新设置密码。我们认为，目前没有迹象显示这是一次新的安全泄露事故的结果。”

斯科特补充道，领英已经采取了加“盐”加密技术，也就是向登录口令中添加随机数字，然后再对其进行加密。这样的登录口令可以“好几年”都不易被攻破。不过Leaked Source指出，它所获取的泄露密码也是加过密的（通过SHA-1 hash功能），但却并没有“盐”功能。因此，领英大概是在2012年的泄露事件后才开始对密码进行“加盐”的。

为了保持私人数据的安全性，领英用户应及时更换在该网站的密码（以及在其他任何网站上使用的与其相同的用户名及密码），同时采取双因素认证的方式保证安全性（即在用户登陆时向其手机发送安全认证码）。（财富中文网）

译者：朴成奎

Remember LinkedIn’s 2012 data breach?

A hacker stole 6.5 million encrypted passwords from the site and posted them to a Russian crime forum. Now it appears that data theft was just the tip of the iceberg.

A Russian hacker, who goes by “Peace,” is selling 117 million email and password combinations on a dark web marketplace, Vice Motherboard reports. The going rate for the loot is five Bitcoins, or about $2,300.

Motherboard said it received a portion of the data—about one million credentials—from Leaked Source, a paid search engine for hacked data that claims to have acquired a total of 167 million of the leaked login credentials. The news outlet verified that at least one of the hacked accounts is legitimate by confirming details with one of the victims.

Cybersecurity researcher Troy Hunt, who runs the hacked data search engine HaveIBeenPwned.com, said he confirmed details with two other victims. He added that he doesn’t yet have a full set to upload to his database yet.

A person who represents Leaked Source, which has been analyzing the stolen data, told Fortune in an email that 160 million of the compromised accounts have unique email addresses, while the remaining 7 million only include numerical userids and passwords. The spokesperson said that the site’s administrators do not have access to the 6.5 million credentials initially released in 2012, meaning they are unable to check whether they are included as part of the latest set.

“We acquired the 167 million credentials for free from someone who got them from the Russians,” the Leaked Source rep told Fortune. “We have been asked not to reveal who they are or it would jeopardize their relationship with whomever provided it to them.”

Cory Scott, LinkedIn’s chief information security officer, published a post addressing the incident on the professional network’s official blog on Wednesday. “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” Scott wrote.

He mentioned that the company had required “all accounts we believed to be compromised” to reset their passwords in 2012, and that it recommended all other users else reset their passwords as well. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” he said. “We have no indication that this is as a result of a new security breach.”

Scott added that the site had been encrypting and “salting”—or appending random data to the passwords before they’re encrypted to make them less crackable—”for several years.” Leaked Source noted, however, that the leaked passwords it had obtained were encrypted (with the SHA-1 hashing function), but lacked the “salting” security feature. Presumably, LinkedIn began “salting” their passwords after the 2012 incident.

To stay protected, LinkedIn users should update their passwords on the site (and anywhere else they may have reused the same password online) and also implement two-factor authentication—a feature that sends a security code to a user’s phone upon login.