A four-year-old LinkedIn data breach is causing problems for bitcoin exchange users, who are being targeted. You may be wondering, though: why now, four years later?
The hack took place in 2012 and exposed 164 million LinkedIn email addresses and passwords. The hacked data remained out of sight until it was offered for sale on the dark web just recently. The passwords in the breach were stored as unsalted SHA1 hashes, and the vast majority of them were quickly cracked in the days following the release of the data.
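The storage weakness described above can be seen directly in a short added example (not code from the original article or from LinkedIn). The account names and passwords are constructed, and PBKDF2 with this iteration count is an assumed choice of hardened scheme for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example

# Constructed sample accounts; two of them reuse the same password.
USERS = {
    "alice@example.com": "Summer2012!",
    "bob@example.com": "Summer2012!",
    "carol@example.com": "x9#Lq2-vT7pW",
}

def sha1_unsalted(password: str) -> str:
    """Scheme the article describes: bare SHA1, no salt, one fast hash."""
    return hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_salted(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = pbkdf2_salted(password, salt)
    return hmac.compare_digest(digest, expected)

def accounts_sharing_a_hash(stored: dict) -> int:
    """Count accounts whose stored value equals another account's.

    Any non-zero result means the dump itself reveals who shares a
    password, and one recovered password unlocks every matching row.
    """
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)

if __name__ == "__main__":
    unsalted = {user: sha1_unsalted(pw) for user, pw in USERS.items()}
    salted = {user: pbkdf2_salted(pw) for user, pw in USERS.items()}
    print("unsalted SHA1, accounts sharing a hash:",
          accounts_sharing_a_hash(unsalted))
    print("salted PBKDF2, accounts sharing a hash:",
          accounts_sharing_a_hash(salted))
```

Without a salt, the same password always produces the same hash, in every breach, so work done against one dump carries over to the next; the per-user salt and slow KDF remove both properties.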
However, it appears either the hackers or someone who has bought the hacked data is now targeting bitcoin users. Bitcoin derivatives exchange BitMex published a public service announcement over the weekend saying that a botnet is attempting email address and password combinations to try to hack into user accounts.
BitMex claims the data being used is more than likely attributable to the LinkedIn hack. They also spoke with a few other unnamed bitcoin exchanges about the attack, all of which shared the same concern about the hacked data and being targeted.
In addition, other users on social media are reporting being hacked on the bitcoin exchange itBit. It isn’t clear whether this has anything to do with the LinkedIn hack, but one user has reported being hacked and nearly losing 18 BTC on itBit, and another user reported an unauthorized withdrawal on their account.
How to keep your accounts secure
The biggest problem with this four-year-old data is reused passwords. It appears that many people are being targeted successfully because they are reusing the same passwords across the web. A group that calls itself OurMine Team claims to have recently hacked the accounts of Twitter co-founder Biz Stone, Minecraft creator Markus “Notch” Persson, actor Sawyer Hartman, and pop star David Choi, among others.
In addition to reusing passwords, people aren’t always setting up two-factor authentication (2FA) on their accounts, which makes hacking into them even easier. For everything important, you should be using 2FA. That means using 2FA on your email account, bank account, and your bitcoin accounts (on exchanges, wallets, etc.). If your service provider doesn’t have 2FA as an option, then I would suggest finding another provider with better security.
If you need help understanding 2FA, Google has a good primer on it. It should go without saying, but in any case, you shouldn’t be reusing passwords across the web. If you aren’t sure whether your data has been compromised in a past hack, you can check haveibeenpwned.com, which is a great site for finding out if your data has been hacked.
Reusing data is a bad security practice
Reusing data such as passwords is a privacy issue too. Consider your data and privacy as part of the overarching umbrella of security. Keeping your passwords secure and private is an integral part of using the internet. That is also why not reusing bitcoin addresses is just as important.
Bitcoin address reuse (using bitcoin addresses more than once) has become a hot topic in bitcoin in the past year when talking about user privacy and security. The issue was highlighted in the February Open Bitcoin Privacy Project report, which showed how bitcoin wallet providers and users need better privacy. A contributing issue is wallets that don’t yet use deterministic keypairs.
Just recently we learned that Bitcoin Core is going to be implementing deterministic wallets, and before that the popular bitcoin wallet Blockchain launched an updated wallet version that is deterministic.