LinkedIn Passwords from 117M Accounts Hacked and Up for Sale
A four-year-old data breach at LinkedIn has returned to haunt the professional networking site, with the recent discovery that 117 million user emails and passwords were being offered for sale on the dark Web.
LinkedIn said yesterday it was "moving swiftly" to address the issue by working to invalidate passwords for all pre-breach accounts whose logins haven't since been reset. It added it was also contacting individual users to advise them to reset their passwords.
The June 2012 LinkedIn hack was originally believed to have involved just 6.5 million passwords, which is the number LinkedIn first acknowledged. However, a report yesterday by Motherboard said a dark Web marketplace and another site, LeakedSource, had both obtained data from 167 million hacked LinkedIn accounts. Of those, 117 million included emails and passwords; the remaining accounts are believed to belong to users who logged into the site via Facebook.
'No Indication' of a New Breach
Yesterday's report on Motherboard said the publication had learned from a hacker using the name "Peace" that emails and passwords from 117 million LinkedIn users were among the 167 million accounts held in a hacked database posted for sale on The Real Deal, a dark Web marketplace. Peace was seeking five bitcoins -- about $2,250 at today's exchange rate -- for the data.
The publication reported that the database of LinkedIn account information was also in the hands of LeakedSource, a paid-subscriber site that allows people to look up whether their online username or password data has been found to be publicly available on the Web.
LinkedIn responded to Motherboard's report in a blog post yesterday by chief information security officer Cory Scott.
"We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords," Scott wrote. "We have no indication that this is as a result of a new security breach."
LinkedIn Looking for Suspicious Activity
While the LinkedIn passwords hacked in 2012 were protected using the SHA-1 hash algorithm, they were not "salted," a practice that adds random data to each password before it is hashed so that identical passwords do not produce identical hashes. Without that added protection, the stolen password hashes are easier to crack.
According to Motherboard, a person at LeakedSource said site personnel had been able to break into around 90 percent of the hacked LinkedIn passwords within three days.
A post published Tuesday on LeakedSource said LinkedIn users who found their information on the site could ask for that information to be removed from its database at no cost. The site also posted a list of the top passwords it had identified in the hacked data, indicating that many hundreds of thousands of users had chosen easily broken passwords such as "123456," "linkedin" and "password."
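The two points above, that unsalted hashes are weaker and that a leak reveals which passwords are most popular, follow from one property: without a salt, every user who chose the same password gets the same stored hash. The script below is an added illustration and not code from the article or from LinkedIn; the user records are constructed, the salted scheme (PBKDF2-HMAC-SHA256 with a per-user random salt) is a common defender-side choice rather than a description of what LinkedIn deployed, and the function names are the example's own.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample records (hypothetical users and passwords, not breach data).
# Two users share "123456" and two share "password", mirroring the reuse the
# article describes.
SAMPLE_USERS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "password"),
    ("carol@example.com", "linkedin"),
    ("dave@example.com", "123456"),
    ("erin@example.com", "password"),
    ("frank@example.com", "correct horse battery staple"),
]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the hardened scheme


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1: the scheme the article says protected the 2012 data."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus an iterated hash. Stored as 'salthex$dkhex'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_store(users):
    """What a 2012-style credential table looks like: (email, sha1hex)."""
    return [(email, unsalted_sha1(pw)) for email, pw in users]


def salted_store(users):
    """Same users, each with a fresh 16-byte random salt."""
    return [(email, salted_hash(pw, os.urandom(16))) for email, pw in users]


def shared_hash_groups(store):
    """Map each stored hash to the emails that share it, keeping only groups
    of size > 1. In an unsalted table each group is exactly the set of users
    who picked the same password, which is why a leak exposes 'top passwords'
    and why cracking one hash cracks the whole group."""
    groups = {}
    for email, h in store:
        groups.setdefault(h, []).append(email)
    return {h: emails for h, emails in groups.items() if len(emails) > 1}


def hash_frequency(store, top_n=3):
    """Most common stored hashes with their counts (the 'top password' view)."""
    return Counter(h for _, h in store).most_common(top_n)


if __name__ == "__main__":
    weak = unsalted_store(SAMPLE_USERS)
    print("unsalted: shared-hash groups =", shared_hash_groups(weak))
    print("unsalted: frequency =", hash_frequency(weak))
    strong = salted_store(SAMPLE_USERS)
    print("salted:   shared-hash groups =", shared_hash_groups(strong))
    print("salted:   verify ok =", verify_salted("123456", strong[0][1]))
```

Run as-is, the unsalted table shows two groups of two users each, so the table itself reveals which passwords are popular before any cracking takes place; the salted table shows no shared hashes even though the same passwords are present, and verification still works because the salt is stored alongside the derived key.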
In yesterday's blog post, Scott noted that LinkedIn has "for several years" both hashed and salted all its user passwords. He added the site also encourages members to use other available LinkedIn tools such as email challenges and dual-factor authentication.
A blog update posted later in the day said that LinkedIn was using automated tools to look for and block any suspicious activity on affected accounts. It added, "We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply."