The 2012 LinkedIn data breach was initially thought to have resulted in the theft of around 6.5 million email addresses and encrypted passwords, but the breach was much worse than previously thought.
Shortly after the breach occurred in 2012, 6.5 million users’ logins were posted online but as it turns out this was only a fraction of the stolen data. A few days ago, a listing was placed on the darknet marketplace The Real Deal offering 167 million logins for sale. The data set comprised 117 million email and encrypted password combos, and 50 million email addresses without passwords.
The data were listed for sale by an individual with the account name “peace_of_mind.” The data set has been listed for sale for 5 Bitcoin, which is approximately $2,200. Security researchers have reached out to some of the individuals whose passwords and email addresses were present in the sample and have independently confirmed that the data are real.
LinkedIn has also issued a statement confirming that the data are legitimate. The professional networking site has responded to the posting of the stolen data by invalidating passwords. All affected users will be forced to change their password when they next login and notification emails will be sent to all individuals alerting them to the security breach in the next few days.
Back in 2012 when the data were stolen, LinkedIn used a fairly weak SHA-1 algorithm to encrypt passwords. The passwords were also unsalted making it much easier for hackers to reverse the encryption and obtain plaintext passwords. According to some sources, within 72 hours of the data being listed online more than 90% of the passwords had already been cracked.
Any LinkedIn user who joined the professional social networking website more than 3 years ago, and has not changed their password since, should login to the site and change their password.
Since 2012, LinkedIn has greatly enhanced security. LinkedIn now uses stronger algorithms to encrypt stored passwords and also salts them. LinkedIn has also introduced two-factor authentication for accounts, although it is not mandatory for this security measure to be adopted. Users should strongly consider using 2-factor authentication on their accounts to enhance security and make it harder for their accounts to be hacked.
Due to the number of websites that require users to create online accounts, many individuals choose to reuse passwords so they do not have to remember tens of different passwords. This means that if one password is obtained by a hacker, access could be gained to many online accounts. Any LinkedIn user that has reused their password on other websites should login to those sites and set new, unique passwords.
Businesses should take note of the LinkedIn breach. Since LinkedIn is a professional network, and many users sign up for an account and create profiles for work purposes, they may have used their work passwords on the site. Businesses should therefore consider forcing a password reset for employees as a precaution. Details of individuals’ current employer is likely to be listed on LinkedIn profiles and attacks on businesses can therefore be expected.