A hacker known as “Peace” is selling what is reportedly account information from 117 million LinkedIn users. The stolen data is said to include email addresses and passwords, which a malicious party could use to gain access to other websites and accounts for which people used the same password.
LinkedIn says it has about 433 million members worldwide, so this data could represent 27% of its user base.
The hacker says the credentials were obtained during a LinkedIn data breach in 2012 that saw 6.5 million encrypted passwords posted online, according to Motherboard. But the leak now appears to be much larger than was thought at the time. Peace is selling the data for about $2,200 (5 bitcoin) on the Dark Web, the part of the internet accessible only with a special browser that masks user identities.
LinkedIn told Motherboard that it was investigating but could not confirm whether the data was authentic. Spokesman Hani Durzy did, however, say the company didn’t know how many accounts were compromised in the data breach.
Motherboard and Troy Hunt, a security researcher, reached out to possible victims of the data breach and were able to confirm that at least three of the passwords were legitimate.
Why are these credentials coming out now? “People may not have taken it very seriously back then as it was not spread,” one of the people behind LeakedSource, which also claims to have access to the data, told Motherboard. “To my knowledge the database was kept within a small group of Russians.”
LinkedIn posted this statement in response:
In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members’ passwords. At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure. Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
We take the safety and security of our members’ accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.
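The statement above contrasts the 2012-era data with passwords that are now "hashed and salted". The short Python example below is added here to show concretely what that difference buys a defender; it is not LinkedIn's code and makes no claim about how LinkedIn actually stores passwords. It assumes PBKDF2-HMAC-SHA256 as the slow, salted hash (a stand-in for whatever a real site would use) and uses two constructed sample accounts that happen to share a password. With a bare, unsalted hash the two stored values are identical, so a leaked table immediately reveals which users share passwords and one precomputed lookup covers all of them; with a random per-user salt the stored values differ and each must be attacked separately.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration only; not from any real leak.
USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",  # deliberately the same as alice
}


def unsalted_sha1(password: str) -> str:
    """Legacy-style storage: one plain digest per password and no salt.
    Every user with the same password ends up with the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Salted storage: a random 16-byte salt per user plus a slow PBKDF2 digest.
    The salt is stored next to the hash; it is not a secret, it only has to be unique."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so the comparison itself leaks no timing information about the stored hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hash_count(store: dict) -> int:
    """Number of duplicated stored hashes in a {user: hash} mapping.
    Anything above zero means shared passwords are visible to whoever holds the dump."""
    hashes = list(store.values())
    return len(hashes) - len(set(hashes))


def build_stores():
    """Build the same user set under both storage schemes for comparison."""
    legacy = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    salted = {user: make_salted_record(pw) for user, pw in USERS.items()}
    return legacy, salted


if __name__ == "__main__":
    legacy, salted = build_stores()
    salted_hashes_only = {user: rec["hash"] for user, rec in salted.items()}
    print("duplicate hashes, unsalted store:", shared_hash_count(legacy))        # 1
    print("duplicate hashes, salted store:  ", shared_hash_count(salted_hashes_only))  # 0
    print("alice verifies with her password:", verify_password(salted["alice@example.com"], USERS["alice@example.com"]))
    print("alice verifies with a wrong one:  ", verify_password(salted["alice@example.com"], "hunter2"))
```

The per-user salt is what makes the salted store safe to compare across accounts, and the iteration count is what makes each individual guess expensive; a salt alone without a slow hash fixes only the first problem. Note that none of this helps a user who reused the leaked password elsewhere, which is why the article's point about password reuse across sites is the part individuals can act on.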