What Do Hackers Do With Stolen Passwords?
Add them to dictionaries, trade them on the black market, and use them for “spear phishing.”
The personal information available on users’ LinkedIn accounts could also be ideal for a type of targeted attack known as “spear phishing.” The idea behind spear phishing is to lure someone into downloading malware or divulging sensitive information by sending them an email that looks legitimate, says Marcus Carey, a former security analyst for the National Security Agency who now works as a researcher for the cybersecurity firm Rapid7. Such a message might appear to be from a boss or colleague, or it might be designed to look like an email they have to respond to in the course of their work, like a request for a quote on a particular service. Because it doesn’t look like spam, the target’s guard is down.
Spear phishing requires care and individual attention on the cyber-criminal’s part, so it’s only worth trying on high-value targets—like the professionals and executives who make up the core of LinkedIn’s membership.
There’s one more type of phishing that almost always accompanies attacks like the LinkedIn and eHarmony breaches, and in some ways it’s the most devious. Internet mischief-makers know that lots of people will read articles like this and decide it’s time to change their passwords. The right way to do it is to go directly to the LinkedIn or eHarmony site. The wrong way is to click through a link in an official-looking email that sends you to an official-looking website with instructions on how to reset your account. If the hackers didn’t have your password before, they certainly will once you’ve dutifully entered a new one in the form they provide. Don’t be fooled. It’s bad enough to get your password hacked. It’s worse when you do it to yourself.
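As an added example (not part of the article), here is a check a mail filter or a cautious reader could apply to the links in a post-breach "reset your password" email: it flags any link whose host is not the genuine site, including lookalike hosts that merely contain the real name, and any link whose visible text names one site while the href goes to another. The sample email and the set of genuine domains are constructed for this example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed for this example: registrable domains of the genuine sites.
GENUINE_DOMAINS = {"linkedin.com", "eharmony.com"}

# Crude anchor extractor, sufficient for the constructed sample below.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(hostname: str) -> str:
    """Approximate eTLD+1 as the last two labels; good enough for the .com sites here."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_link(href: str, text: str, expected: str) -> str:
    """Return 'ok' if href really leads to the expected site, else why it looks like a phish."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return "non-web scheme"
    if "@" in parsed.netloc:  # https://linkedin.com@evil.example/ actually goes to evil.example
        return "userinfo in URL"
    shown = re.search(r"https?://([^\s/]+)", text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        return f"link text shows {registrable_domain(shown.group(1))} but href goes to {registrable_domain(host)}"
    if registrable_domain(host) != expected:
        return f"host {host} is not {expected}"
    if parsed.scheme != "https":
        return "not https"
    return "ok"


def audit_reset_email(html: str, expected: str) -> List[Tuple[str, str]]:
    """Return (href, verdict) for every anchor in a password-reset email body."""
    return [(href, classify_link(href, text, expected)) for href, text in HREF_RE.findall(html)]


# Constructed sample: one lookalike link and one genuine link.
SAMPLE_EMAIL = """
<p>Your LinkedIn password may have been exposed. Reset it now:</p>
<a href="http://www.linkedin.com.account-verify.example/reset">https://www.linkedin.com/reset</a>
<a href="https://www.linkedin.com/psettings/change-password">Change password</a>
"""

if __name__ == "__main__":
    for href, verdict in audit_reset_email(SAMPLE_EMAIL, "linkedin.com"):
        print(f"{verdict:60s} {href}")
```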