Long time users of Linkedin users may very well need to change their passwords once more as a cybercriminal puts the email addresses and passwords of 117 million users up for sale.
In 2012, Linkedin suffered a data breach where hackers were found to have stolen password hashes. It was later discovered that 6.5 million account credentials were posted on a Russian password forum for the world to see. Now, a hacker named “Peace” is selling the stolen database for 5 bitcoin, or close to 2,200 USD. Paid hacked data search engine LeakedSource also claims that they too have the data. Both Peace and LeackedSource claim that the database contains 167 million accounts with 117 cracked passwords, and not just 6.5 million, as was previously reported.
Shared samples of the database was shared to Motherboard by LeakedSource and showed that the database comprised of email addresses, passwords, and the hacked passwords. Troy Hunt, researcher from the breach notification site Have I Been Pwned? contacted victims of the data breach. His respondents verified that the passwords in the breach were the ones that they were using at the time of the initial breach.
An official statement from LinkedIn said it is aware of the situation, and its immediate response included a mandatory reset of accounts believed to be compromised. LinkedIn’s Chief Information Security Officer Cory Scott said, “We take the safety and security of our members’ accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication.”
Regarding the additional data reported from the same breach, Scott said the company has started invalidating the passwords for all LinkedIn accounts created before 2012 that haven’t changed passwords since the breach. Scott added, “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.”
Linkedin users who have used the service for over 4 years are recommended to change passwords immediately. Regular changing of passwords should also be practiced. Users should also enable Linkedin’s two step verification to add an extra layer of protection for their accounts.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).