Can you trust Lynda.com or LinkedIn?

Compared with Yahoo!’s vast data breach, that just revealed at Lynda.com looks tiny. In the last day or so, many users of Lynda.com have received emails from its support staff informing them of a data breach involving just under ten million of its user accounts. What makes this latest breach so significant is the cavalier attitude being shown towards Lynda.com’s users, and its link to other larger data breaches.

Lynda.com provides online learning courses which are justifiably popular with many professionals, making its user database rich pickings for criminals. According to the information sent by Lynda.com to its users:
“We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution.”

Note how little information is in that statement, which has also not been provided online in any press release (Lynda.com’s last press release was apparently in 2015). It gives no information as to when the data breach occurred, and is very vague about what data have been stolen. The final sentence makes it sound as if Lynda.com is doing you a big favour in letting you know about this breach.

Responses to specific press enquiries from Neowin, for example, have revealed that Lynda.com believes that “less than 55,000” of its users may have had their passwords compromised, and that “approximately 9.5 million users who had learner data, but no password information, in the database” may also have been affected.

Lynda.com thinks that we should all be reassured that, as it has no evidence yet that any of the data on these 9.5 million users “has been made publicly available”, everything is fine again.

Far from it.


A friend, who is a Lynda.com customer, tried to contact its support service to obtain advice about the security of his account. He was informed that the only way that Lynda.com would permit that would be if he agreed to share his Lynda.com data with LinkedIn.

Of course, LinkedIn bought Lynda.com for $1.5 billion in May 2015. But you may recall that LinkedIn is hardly exemplary in protecting user data: back in June 2012, passwords and account details for nearly 6.5 million LinkedIn accounts were stolen by Russian criminals. Because those passwords were almost unprotected (they had not been salted and hashed, as should be normal practice), they were cracked and the plaintext passwords for thousands of user accounts were published within a day of them being stolen.

In case you think that is old news, and LinkedIn has moved on, there is the puzzling fact that, in May 2016, usernames and passwords for a total of 117 million LinkedIn accounts appeared for sale online. It looks now as if the scale of the 2012 hack was grossly underestimated, unless there has been a further huge data breach at LinkedIn since 2012. LinkedIn’s response has been to invalidate all passwords which have not changed since 2012, and we are none the wiser as to when or how such a huge breach occurred, nor whether anyone at LinkedIn knew about it back in 2012.

Another puzzle about the offer for sale of 117 million LinkedIn accounts is that, as of September 2016, LinkedIn only had around 106 million active users. So that breach must have been close to the entire user database, much like Yahoo!’s vast breach in 2013, and possibly Lynda.com’s “recent” breach.

My LinkedIn account was one of those compromised back in 2012. As soon as I was aware, I closed my account and instructed its removal. Yet ever since then I have received sporadic emails from LinkedIn informing me of people sending messages to my account – which clearly has not been removed at all – and wanting to link to me.

There are a couple of other things that you ought to know about LinkedIn. First is that, according to Wikipedia, its CEO is Jeff Weiner, who was formerly an Executive Vice President at Yahoo! (of the 1.5 billion breach), although he left Yahoo! long before its 2013 breach.

The other important fact about LinkedIn is that, for the last ten days, it has been owned by Microsoft, following approval of that takeover, which valued LinkedIn at $26.2 billion.

So through Lynda.com, LinkedIn, and now Microsoft, we see yet again that there are handsome profits to be made from not securing personal data properly.

No doubt the FTC and other bodies charged with overseeing the protection of our personal data will yet again come up with some token penalties which will not detract from those profits, and encourage these huge businesses to continue to leak our data like sieves.

(Thanks to Darren for alerting me to this latest breach, and for providing the screenshot.)