A hacker called “Peace” informed news site Motherboard this week that he is selling the account details of 117 million LinkedIn users for 5 bitcoin, roughly $2,200. In total, there are 167 million accounts in the database, of which 117 million have complete email and encrypted password pairs.
The data was stolen in the attack on LinkedIn back in 2012. “It is only coming to the surface now,” said hacked data search engine LeakedSource to Motherboard. “People have not taken it very seriously back then as it was not spread. To my knowledge the database was kept within a small group of Russians.”
The dataset is substantially larger than the portion released at the time of the breach. LinkedIn never confirmed how many accounts were affected. 6.5 million encrypted passwords were posted online after the attack, a number that now appears to be inconsequential compared with the true scale of the breach. LinkedIn spokesperson Hani Durzy admitted to Motherboard “we don’t know how much was taken.”
The company confirmed yesterday that the data is legitimate. It said it is “moving swiftly” to take action and protect accounts. It is invalidating passwords for all members that were created before the 2012 breach and that haven’t updated their passwords since. It has deployed automated tools to identify and block suspicious activity on any affected accounts.
“In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members’ passwords,” said LinkedIn. “At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure.”
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this as a result of a new security breach.”
LinkedIn advised its users to pick strong passwords and enable additional security settings such as email challenges and dual factor authentication. It said it has stored passwords in a hashed and salted form for “several years,” making it difficult for hackers to use login credentials without first decrypting passwords.
However, the passwords in the 2012 database aren’t stored so securely. They do not include a salt, relying singularly on the relatively weak SHA1 encryption algorithm. Salts make passwords harder to crack by adding a random string of numbers onto the end. LeakedSource claimed to Motherboard that the weak security has enabled it to crack “90%” of the passwords in just 72 hours.
Because many people use the same password for multiple services, the data could let hackers into users’ other online accounts besides LinkedIn. It is for this reason that security experts advise people to use a unique password for each of their accounts. Many ignore the threat though, prioritizing convenience and ease of memory above security.
