117 million LinkedIn Passwords And Usernames 'up for sale'

23 May 2016

The extensive list of users’ security details is thought to have been sourced from a cyber-attack on the business networking site in 2012.


Only 6.5 million accounts were thought to be affected in 2012, but the situation has got a lot worse after the hacked details appeared on a site called LeakedSource. LinkedIn responded by forcing a password reset on all 6.5 million of the impacted accounts, but it stopped there. Earlier today, reports surfaced about a sales thread on an online cybercrime bazaar in which the seller offered to sell 117 million records stolen in the 2012 breach. In addition, the paid hacked data search engine LeakedSource claims to have a searchable copy of the 117 million record database (this service said it found my LinkedIn email address in the data cache, but it asked me to pay $US4 for a one-day trial membership in order to view the data).
According to the news site Motherboard, a hacker called “Peace” is selling the data on The Real Deal, a dark web illegal marketplace, for five bitcoins (£1,500).


“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” the company’s chief information security officer Cory Scott wrote in a blog post.
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”


According to LeakedSource, just 50 easily guessed passwords made up more than 2.2 million of the 117 million hashed passwords exposed in the breach.
“Passwords were stored in SHA1 with no salting,” the password-selling site claims. “This is not what internet standards propose. Only 117m accounts have passwords and we suspect the remaining users registered using Facebook or some similarity.”
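
The storage weakness named in the LeakedSource quote, shown as an added example (not code from the article or from LinkedIn): without a salt, every account that uses the same password stores the same SHA-1 digest, while a per-user salt and a slow key-derivation function make each stored value unique. The sample accounts, the function names and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from any real dump); three share one password.
ACCOUNTS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "linkedin"),
    ("dave@example.com", "123456"),
    ("erin@example.com", "c0rrect-h0rse-battery"),
]

def unsalted_sha1(password: str) -> str:
    """Weak scheme described in the article: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_record(password: str, iterations: int = 600_000) -> dict:
    """Hardened scheme: per-user random salt plus PBKDF2-HMAC-SHA256 (count is an assumption)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def largest_duplicate_group(stored_values) -> int:
    """Number of accounts sharing the most common stored value."""
    return max(Counter(stored_values).values())

def compare_schemes(accounts=ACCOUNTS) -> dict:
    """Store the same accounts under both schemes and measure digest reuse."""
    weak = [unsalted_sha1(pw) for _, pw in accounts]
    strong = [salted_record(pw) for _, pw in accounts]
    return {
        "weak_largest_group": largest_duplicate_group(weak),
        "strong_largest_group": largest_duplicate_group(r["digest"] for r in strong),
        "strong_records": strong,
    }

if __name__ == "__main__":
    result = compare_schemes()
    print("unsalted SHA-1, accounts sharing one digest:", result["weak_largest_group"])
    print("salted PBKDF2, accounts sharing one digest:", result["strong_largest_group"])
```
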
If you haven’t changed your LinkedIn password in a while, that would probably be a good idea. Most importantly, if you use your LinkedIn password at other sites, change those passwords to unique passwords. As this breach reminds us, re-using passwords at multiple sites that hold personal and/or financial information about you is a less-than-stellar idea.

You can also search the database here.


Techunzipped