117 Million LinkedIn Hacked Passwords Up for Sale
LinkedIn was hacked four years ago, and more problems from that breach surfaced this week. Newly released information indicates that the 117 million user emails and passwords stolen four years ago are now being offered for sale.
The June 2012 LinkedIn hack was originally believed to have involved 6.5 million passwords. However, a report yesterday by Motherboard said a dark Web marketplace and another site, LeakedSource, had both obtained data from 167 million hacked LinkedIn accounts, which would mean that even more email addresses were stolen than originally reported. Of those, 117 million included emails and passwords; the remaining accounts are believed to be of users who logged into the site via Facebook.
This is Not a New Security Breach
Wednesday’s report on Motherboard said the publication had learned from a hacker using the name “Peace” that emails and passwords from 117 million LinkedIn users were among the 167 million accounts held in a hacked database posted for sale on The Real Deal, a dark Web marketplace. Peace was seeking five bitcoins — about $2,250 at today’s exchange rate — for the data.
The publication reported that the database of LinkedIn account information was also in the hands of LeakedSource, a paid-subscriber site that allows people to look up whether their online username or password data has been found to be publicly available on the Web.
LinkedIn responded to Motherboard’s report in a blog post on Wednesday by Chief Information Security Officer Cory Scott.
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” Scott wrote. “We have no indication that this is as a result of a new security breach.”
LinkedIn Looking for Suspicious Activity
While the LinkedIn passwords hacked in 2012 were protected using the SHA-1 hash algorithm, they were not “salted.” Salting provides further protection by adding random data to each password as it is hashed. Without that added protection, passwords and other hacked data are easier to crack.
According to Motherboard, a person at LeakedSource said site personnel had been able to break into around 90 percent of the hacked LinkedIn passwords within three days.
A post published Tuesday on LeakedSource said LinkedIn users who found their information on the site could ask for that information to be removed from its database at no cost. The site also posted a list of the top passwords it had identified in the hacked data, indicating that many hundreds of thousands of users had chosen easily broken passwords such as “123456,” “linkedin” and “password.”
In Wednesday’s blog post, Scott noted that LinkedIn has “for several years” both hashed and salted all its user passwords. He added the site also encourages members to use other available LinkedIn tools such as email challenges and dual-factor authentication.
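The difference between unsalted SHA-1 and salted hashing can be shown on a small table. This is an added example, not LinkedIn's code: the accounts are constructed, and PBKDF2-HMAC-SHA256 with a 16-byte random salt is an assumed choice of salted scheme, since the article does not say which one LinkedIn uses.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data). Three of the passwords are the
# common ones the article names; PBKDF2 below is an assumed salted scheme.
ACCOUNTS = [("a@example.com", "123456"), ("b@example.com", "linkedin"),
            ("c@example.com", "123456"), ("d@example.com", "password"),
            ("e@example.com", "T7#rare-long-phrase")]
COMMON = ["123456", "linkedin", "password"]
ITERATIONS = 200_000

def sha1_unsalted(password):
    """The 2012-style storage: the same password always gives the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], digest)

def audit_unsalted(table):
    """Audit a hash table: who matches a common-password list, and how many hashes repeat?"""
    lookup = {sha1_unsalted(p) for p in COMMON}  # one hash per guess covers every user
    exposed = [email for email, h in table if h in lookup]
    repeated = sum(1 for n in Counter(h for _, h in table).values() if n > 1)
    return exposed, repeated

def build_tables():
    unsalted = [(email, sha1_unsalted(pw)) for email, pw in ACCOUNTS]
    salted = [(email,) + hash_salted(pw) for email, pw in ACCOUNTS]
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    exposed, repeated = audit_unsalted(unsalted)
    print("unsalted: accounts matching the common list:", exposed)
    print("unsalted: hash values shared by more than one account:", repeated)
    # With salts, the two accounts using "123456" no longer share a stored value.
    print("salted: a and c store the same digest?", salted[0][2] == salted[2][2])
```

With per-user salts, each guess has to be recomputed for every account separately, and the iteration count makes each computation slow.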
A blog update posted later in the day said that LinkedIn was using automated tools to look for and block any suspicious activity on affected accounts. It added, “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply.”
Protect Your Passwords
This is another story that demonstrates that you cannot trust others with your security. Your passwords should be complex and encrypted. This is easily achievable by using a password manager such as LastPass. Also, when possible, use two-factor authentication.