On Friday the NCSC published a summary of guidance for people concerned about the 2012 hack of LinkedIn. This was in response to recent press articles stating that the credentials of a number of MPs, government officials, and police officers were still being traded three years after the data was stolen.
New reports published over the weekend claim that people within the UK nuclear industry are also having their passwords traded online.
What threats could you be facing following the 2012 hack?
First of all, it's important to point out that the new reports are not related to any new loss of data. This is about data stolen from LinkedIn accounts in 2012. LinkedIn fixed the security weakness after the breach, and issued advice to account holders to reset their passwords.
- If you were a LinkedIn user back in 2012, then your LinkedIn account name/passwords could have been stolen and put up for sale.
- After the breach, LinkedIn forced affected users to reset their passwords, and deactivated those accounts that did not reset.
- If you've reused your LinkedIn password on any other of your accounts, and have not changed your password on those accounts, then they are also vulnerable. This is because cyber criminals know that many users use the same password across different accounts, and will used automated tools to try to log into them.
- If you've used the same password to access to your email, you need to take immediate action, as your password resets for most of your online services will be sent to your email account.
What steps can you take to better protect yourself?
The LinkedIn story is just one example of a data breach within such an organisation. Unfortunately there have been several other examples over the last few years. No matter what steps companies like LinkedIn (or the NCSC) do, users have a vital role to play in keeping their accounts secure.
Since the NCSC was set up in 2016, passwords remains one of the most popular subjects to talk about. There is a reason for this. Passwords are critical to your online security, which is why we provide authoritative, actionable advice that you should follow. We're repeating our core password recommendations below, all of which are free-to-use and simple to set up.
- Reset your password if you have been notified that your account is at risk. The NCSC doesn't recommend forcing users to change their passwords for no good reason (that is, when there's no evidence of account compromise). But stolen passwords is a very good reason to reset your password.
- Never click on 'password reset' links contained within unsolicited emails. Instead, type the address of the website in your browser, and then change your password from within your account settings.
- If you don't want to use LinkedIn (or any online service) anymore, you should close your account. Simply deleting the app in question will not close your account.
- You should never reuse the same password across different accounts that protect information you care about, like your email account. Don’t make life easy for the criminals by giving them access to several of your accounts for the price of one.
- If you are generally concerned, you can look on services like www.HaveIBeenPwned.com to see if your username or email address has been involved in a breach. You should definitely take action if you are listed, but services like this are not 100% accurate.
Set up two factor authentication for your important accounts
'Two factor authentication' (also known as 2FA) sounds complicated, but it isn't. Every time you use a cashpoint machine, you're using 2FA, because you're providing the bank with two pieces of information to authenticate yourself - the cashpoint card that you (and only you) own, and your PIN. In this scenario, your cashpoint card provides an additional layer of security, on top of your password.
If you've set up 2FA on accounts like LinkedIn, criminals can't access your account even if they have your password. You've probably already done this for your online banking, so consider doing the same for your other online accounts. We've provided links to instructions about how to do this here - they're simple to setup and only need to be done once.
Chief Technology Officer, Economy & Society Engagement Sector, NCSC