In 2018 and 2019, hundreds of millions of user account details were listed in dubious corners of the internet. The lists contained plain-text usernames (e-mail addresses) and passwords for a wide range of online services, stolen over the previous decade and, where the service had stored hashes rather than plain text, cracked afterwards.
XING has never experienced such a data breach. We protect user accounts with state-of-the-art technology and constantly monitor new developments to improve data protection. Nevertheless, you should never use the same username and password combination on multiple platforms: doing so raises the risk of your account being hijacked, even if the breach at the other service happened several years ago, because stolen credentials stay in circulation.
Criminals use a method known as credential stuffing: automated tools replay lists of stolen username and password pairs against a large number of online services and record which ones let them in. Consequently, using the same username and password for several accounts makes you much more likely to be hacked. This can also have a knock-on effect: if your online identity is stolen and misused, others will be less likely to trust you in future.
Here at XING we have a number of measures in place to reliably identify such attacks. When we detect that an account has been taken over in this way, we block the affected account and work with its real owner to restore their access.
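The pattern described above, a stuffing tool hammering many different accounts from one source, is also what a defender looks for. The following script is an added example and not XING's own detection logic (which the page does not describe): it scans a constructed authentication log in an assumed format and flags clients that touch many distinct usernames in a short window with almost every attempt failing, listing the accounts they nevertheless got into. The log format, thresholds and sample lines are all assumptions made for the illustration.

```python
"""Spot credential stuffing in authentication logs.

Added example, not XING's detection logic (the page does not describe it).
Assumed, constructed log format: "<ISO timestamp> <client ip> <username> <ok|fail>".
Signal: a stuffing tool replays many *different* stolen username/password
pairs from one client, so one IP touches many distinct accounts in a short
window and almost every attempt fails. A user mistyping their own password
hammers a single username and is not flagged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). 203.0.113.7 walks a stolen
# list and gets into one account; 198.51.100.9 is one person retrying.
SAMPLE_LOG = """\
2019-03-01T10:00:01 203.0.113.7 alice@example.com fail
2019-03-01T10:00:02 203.0.113.7 bob@example.com fail
2019-03-01T10:00:02 203.0.113.7 carol@example.com fail
2019-03-01T10:00:03 203.0.113.7 dave@example.com ok
2019-03-01T10:00:04 203.0.113.7 erin@example.com fail
2019-03-01T10:00:05 203.0.113.7 frank@example.com fail
2019-03-01T10:00:06 203.0.113.7 grace@example.com fail
2019-03-01T10:00:07 203.0.113.7 heidi@example.com fail
2019-03-01T10:00:08 203.0.113.7 ivan@example.com fail
2019-03-01T10:00:09 203.0.113.7 judy@example.com fail
2019-03-01T10:01:00 198.51.100.9 alice@example.com fail
2019-03-01T10:01:10 198.51.100.9 alice@example.com fail
2019-03-01T10:01:20 198.51.100.9 alice@example.com ok
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip, username, success flag)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=8, max_success_ratio=0.2):
    """Return {ip: summary} for every client whose attempts inside one
    sliding `window` hit at least `min_users` distinct usernames with a
    success ratio of at most `max_success_ratio`. The thresholds are
    assumptions chosen for this illustration; tune them to real traffic.
    summary["hit_accounts"] lists the accounts that were successfully
    entered and therefore need blocking and an owner notification."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink from the left until evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, ok in span if ok]
            ratio = len(successes) / len(span)
            if len(users) >= min_users and ratio <= max_success_ratio:
                flagged[ip] = {
                    "users": len(users),
                    "attempts": len(span),
                    "successes": len(successes),
                    "hit_accounts": sorted(set(successes)),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Run on the constructed log, only 203.0.113.7 is reported: ten distinct usernames in ten seconds, one success, and `hit_accounts` names the one account (dave) that now needs to be blocked and its owner contacted. The retrying user at 198.51.100.9 is ignored because a single username never satisfies the distinct-user threshold. Real deployments spread the same logic across IP ranges, user agents and ASNs, since stuffing tools rotate through proxies.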
Please never reuse a password, and make sure each one is long and complex enough. A password manager is a good way of handling this.
You can enter your e-mail address in a leak checker such as https://haveibeenpwned.com/ to see whether it appeared in a list of known stolen account details.
Using two-factor authentication boosts account security significantly: https://faq.xing.com/en/settings-security/two-factor-login-two-factor-authentication
In 2016, XING became an industry partner in the research project ‘Effective Information after an Identity Theft’ (EIDI), funded by the Federal Ministry of Education and Research. The project brings together IT experts from the University of Bonn, privacy experts from the Independent Centre for Privacy Protection, lawyers from FIZ Karlsruhe, psychologists from the University of Duisburg-Essen and security experts from XING, who work together on the following questions:
How can the EIDI project collect lists of stolen account details in a legally compliant way?
How can EIDI partners, such as XING, review these lists in line with privacy law?
How can EIDI partners warn their customers?
This project has already identified billions of user accounts that have been stolen online. But project partners can’t just send each other such data online without taking sufficient precautions.
Checking passwords for our members is not straightforward, because XING does not know your password. It is stored only as what’s known as a hash: the output of a one-way function that cannot be turned back into the password. A data thief who obtains a hash therefore cannot read the password out of it; the only thing they can do is guess a password, hash the guess and compare, and modern password hashing methods are deliberately slow and salted to make that guessing expensive. This is also why long, unique passwords matter: a hash only protects a password that is hard to guess.
Before transmission, each set of account details identified within the EIDI project is assigned a partner value that ties it to the intended project partner (e.g. a provider such as XING), so that nobody else can do anything with the information. The provider then attempts a form of technical login with those details, because only the provider can determine whether the stolen account details match one of its customers.
That way, no confidential information is shared with third parties, and XING never discloses any passwords. XING only records that a customer has been affected, not which details were leaked. The EIDI project only receives a reply stating whether the transmitted details are still valid, i.e. whether the technical login succeeded, or not.
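To make the two preceding points concrete (a stored hash is one-way and can only be tested by re-hashing a guess; the provider answers a leaked record with a bare yes/no and keeps only an ‘affected’ flag), here is an added example in Python. It is not XING’s or the EIDI project’s code: it assumes salted PBKDF2-HMAC-SHA256 as the hashing method (the page does not say which method XING uses), models the partner value as a simple field naming the intended provider, and uses constructed accounts and leaked records. The `guess_from_wordlist` helper shows the caveat a practitioner should keep in mind: a thief holding the hash can still test guesses, just slowly.

```python
"""Provider-side check of leaked credentials against stored password hashes.

Added illustration of the flow the text describes; it is not XING's or the
EIDI project's code. Assumptions: passwords are stored as salted
PBKDF2-HMAC-SHA256 hashes (the page does not say which method XING uses);
the "partner value" is modelled simply as a field naming the intended
provider; all accounts and leaked records are constructed sample data.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # deliberately slow: every guess costs this much work


def hash_password(password, salt=None):
    """One-way transform. The stored (salt, digest) pair cannot be turned
    back into the password; it can only be compared against a fresh hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-hash the candidate with the same salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def guess_from_wordlist(salt, digest, wordlist):
    """What a thief holding only the hash can still do: try guesses one by
    one. Returns the matching guess or None. Slow hashing makes each guess
    expensive; a long, unique password keeps it out of any practical list."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


class Provider:
    """A service that keeps only salted hashes plus an 'affected' flag per user."""

    def __init__(self, name, users):
        self.name = name
        self.store = {email: hash_password(pw) for email, pw in users.items()}
        self.affected = set()  # which users were hit, never which details

    def technical_login(self, record):
        """Answer an EIDI-style query with a bare yes/no.
        record = {"partner": <provider name>, "email": ..., "password": ...}"""
        if record["partner"] != self.name:
            return False  # partner value says this record is not addressed to us
        entry = self.store.get(record["email"])
        if entry is None:
            return False  # no such account here
        matched = verify_password(record["password"], *entry)
        if matched:
            self.affected.add(record["email"])  # store the fact, not the password
        return matched


def run_checks(provider, records):
    """Process a batch of leaked records; the only output is a list of yes/no answers."""
    return [provider.technical_login(r) for r in records]


# Constructed sample data (not real accounts or leaks).
xing = Provider("xing", {"alice@example.com": "correct horse battery",
                         "bob@example.com": "hunter2"})
LEAKED = [
    {"partner": "xing", "email": "alice@example.com", "password": "correct horse battery"},  # reused
    {"partner": "xing", "email": "bob@example.com", "password": "letmein"},  # differs
    {"partner": "other", "email": "alice@example.com", "password": "correct horse battery"},  # not ours
]

if __name__ == "__main__":
    print(run_checks(xing, LEAKED))  # [True, False, False]
    print(sorted(xing.affected))     # ['alice@example.com']
```

Nothing crosses the boundary except the boolean per record: the provider never returns or stores the leaked password, and a record bound to another partner is rejected before any hash is computed. The wordlist helper finds bob’s weak password in three guesses, which is exactly why the hash alone is no substitute for a strong, unique password.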
As a precaution we’ve already started warning members based on the results of the EIDI project to prevent their accounts from being hacked.