Multiple sources (TechCrunch, Forbes, ABC News, etc.) are reporting that hackers have just released email and password combinations for 117 million LinkedIn accounts. The data stems from a 2012 LinkedIn security breach. Motherboard is reporting that an alleged hacker is selling the data on an illegal online marketplace for 5 bitcoins (around $2,200 USD). This means that all of these email/password combinations will soon be in the hands of many more hackers, who will surely use the data for malicious purposes.
Warning: If you use LinkedIn, update your password immediately. This is the most effective protection against this hack.
This is a very serious security incident that will have ramifications for years to come. The real issue isn’t what hackers can obtain from accessing someone’s LinkedIn account, but rather how hackers can use those login credentials to try to infiltrate email accounts, other online accounts and databases so they can steal health records, banking credentials, and sensitive personal information. This can lead to a wide variety of issues, from cyber-theft, to identity fraud, and even blackmail.
Often, the first place a hacker will try a known password is the victim’s email account. From there they can determine who you bank with, which social media and shopping sites you use, who your loved ones are, and so on. With control of the mailbox, they can even take over accounts on other sites that use different passwords, by triggering the common “reset password via email” functionality.
Imagine if a hacker could then log in to a web-based EHR interface using the same trusty old password that a clinician had used everywhere for years. That one weak point in the system then opens up another treasure trove of sensitive data for the bad guys.
While these scenarios sound frightening and improbable, they are way more common than you might think. Here’s a list of some notable companies that lost customer data in 2015:
- Excellus BlueCross BlueShield: 10 million records hacked, including names, birth dates and even Social Security numbers.
- CVS Pharmacy: had its online photo print ordering site hacked, losing millions of customers’ personal and credit card data.
- UCLA Health: lost personal and medical record data, including names, Social Security numbers, medical conditions, medications, procedures, and test results.
- VTech: hackers took 4.8 million records from this toy manufacturer, including first names, genders, and birthdays of more than 200,000 kids!
- T-Mobile: had records for 15 million customers compromised when its credit agency suffered a breach.
- Scottrade: 4.6 million customer contacts stolen.
It’s a fiduciary responsibility of all clinicians and healthcare professionals to treat security as a whole with the utmost care and attention. That means not getting lazy with easy-to-guess passwords, not reusing the same password across multiple online accounts, and applying some general common sense, like updating your passwords regularly.
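The two habits the paragraph warns against (reusing one password across accounts, and keeping a password that has already appeared in a leak) are exactly what a security team can audit for. The script below is an added example, not code from this article or from any of the companies it mentions: it takes a constructed inventory of account/password pairs, hashes each password with SHA-1 (the hash-list format that breach-check services commonly publish, which is an assumption here rather than something the article states), compares it against a constructed breach corpus, and flags every account whose password is either leaked or shared with another account. The leaked-password list and the account inventory are invented sample data.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the shape used by common breach hash lists (assumed)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-password corpus. A real audit would load a
# published hash list instead; these three strings are sample values only.
LEAKED_PASSWORDS = ["password", "123456", "linkedin2012"]
BREACH_CORPUS = {sha1_hex(p) for p in LEAKED_PASSWORDS}

# Constructed account inventory for one fictional clinician: (account, password).
ACCOUNTS = [
    ("linkedin", "linkedin2012"),
    ("webmail", "linkedin2012"),     # same password as LinkedIn: the pivot the article describes
    ("ehr-portal", "linkedin2012"),  # and again on the EHR login
    ("bank", "Tr0ub4dor&3x9!vQ"),    # unique and not in the corpus
    ("shop", "123456"),              # unique here, but a well-known leaked value
]


def audit(accounts, corpus):
    """Return {account: [reasons]} for every account whose password needs rotating.

    Passwords are grouped by hash so the corpus lookup and the reuse check
    both operate on digests rather than on the plaintext strings.
    """
    accounts_by_hash = defaultdict(list)
    for account, password in accounts:
        accounts_by_hash[sha1_hex(password)].append(account)

    findings = {}
    for digest, names in accounts_by_hash.items():
        reasons = []
        if digest in corpus:
            reasons.append("password appears in breach corpus")
        if len(names) > 1:
            reasons.append(f"password reused across {len(names)} accounts: {', '.join(names)}")
        for name in names:
            if reasons:
                findings[name] = list(reasons)
    return findings


def rotation_order(findings):
    """Accounts to rotate first: those with the most reasons, then alphabetically."""
    return sorted(findings, key=lambda name: (-len(findings[name]), name))


if __name__ == "__main__":
    results = audit(ACCOUNTS, BREACH_CORPUS)
    for name in rotation_order(results):
        print(f"{name}: " + "; ".join(results[name]))
```

Running it lists the three accounts that share the leaked LinkedIn password first, then the shop account whose password is leaked but not reused, and leaves the bank account out entirely. Comparing hashes rather than plaintext is also what lets such a check run against a published hash list without shipping the passwords themselves anywhere.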
If you’re overwhelmed at the thought of trying to manage and update dozens of unique online passwords for all of your accounts, there are some tools such as password managers (or password vaults) that can be quite helpful. Here’s PC Mag’s list of the Best Password Managers for 2016.