LinkedIn has responded to reports that millions of user account details have leaked online by invalidating the passwords deemed to have been impacted. The company added that it will contact the affected members to reset their passwords too.
According to a report on Vice’s Motherboard, a hacker going by the name of “Peace” is attempting to sell account details, including the emails and partially hidden passwords, of 117 million LinkedIn users on the so-called Dark Web. But this is seemingly not a new breach — the account details reportedly stem from a leak dating all the way back to 2012 when 6.5 million passwords were pulled from the social network. “Peace” was attempting to sell the data on The Real Deal for 5 bitcoin, or around $2,200, while it has also apparently shown up on hacked data search engine LeakedSource.
“It is only coming to the surface now. People may not have taken it very seriously back then as it was not spread,” one of the people behind LeakedSource told Motherboard. “To my knowledge the database was kept within a small group of Russians.”
LinkedIn is also quick to reassure its users that this isn’t a fresh hack, though that will be of little comfort.
“In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members’ passwords,” said Cory Scott, chief information officer at LinkedIn, in a statement. “At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure. Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
Motherboard also spoke with someone at LeakedSource who claimed to have cracked 90 percent of the LinkedIn passwords within three days. Though LinkedIn says it has hashed and salted its stored passwords for several years now, one danger of “old” passwords resurfacing online is that people often reuse the same credentials across many services. So even if you don’t care about your LinkedIn account being infiltrated, or even if you have changed your LinkedIn password in recent times, old passwords paired with email addresses can still hold a great deal of value for cybercriminals.
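The two points in that paragraph, why a salted and iterated hash resists bulk cracking where a bare hash does not, and why a leaked email-and-password pair stays dangerous through reuse, shown as an added Python example that is not from the article or from LinkedIn (the user list, the leaked set and the PBKDF2 work factor are constructed assumptions):

```python
import hashlib
import hmac
import os

# Constructed sample set: three accounts, two of which chose the same password.
SAMPLE_USERS = {
    "alice@example.com": "Winter2012!",
    "bob@example.com": "Winter2012!",
    "carol@example.com": "correct horse battery staple",
}

ITERATIONS = 200_000  # assumed work factor; tune to your own hardware budget


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 with no salt: identical passwords yield identical digests,
    so one cracked digest unlocks every account that shares that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user salt plus an iterated KDF: the same password gives a different
    digest for every user, and each guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """What a server should store: salt, work factor and digest, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "digest": salted_pbkdf2(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a login attempt against a stored record."""
    return hmac.compare_digest(
        record["digest"], salted_pbkdf2(candidate, record["salt"], record["iterations"]))


def distinct_digests(users: dict, salted: bool) -> int:
    """Count the unique digests a user set produces under each scheme.
    Fewer distinct digests than users means one crack covers several accounts."""
    if salted:
        return len({make_record(pw)["digest"] for pw in users.values()})
    return len({unsalted_sha1(pw) for pw in users.values()})


def is_known_leaked(candidate: str, leaked_sha1_digests: set) -> bool:
    """Defensive check at password-change time: refuse a new password whose
    unsalted SHA-1 appears in a breach corpus, since reuse is the lasting risk."""
    return unsalted_sha1(candidate) in leaked_sha1_digests
```

With the constructed users, the unsalted scheme collapses three accounts to two digests while the salted scheme keeps all three distinct, and the leak check rejects a password that already appears in the (constructed) breach set.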