A hacker by the name of ‘Peace’ told Motherboard that they had gained access to the site and posted 5.6 million users’ passwords on a Russian hacker forum back in 2012. LinkedIn reset the accounts of those it believed to be affected.
Now Peace is selling the data on Darkweb illegal marketplaces for around 5 bitcoin or around $2000, and it turns out that the breach is much larger than first anticipated. Hacked data search engine LeakedSource said that there are 167 million accounts in the hacked database, 117 million of which include both emails and encrypted passwords.
A $5 million lawsuit was filed against the business networking giant in the wake of the 2012 hack, blaming the company for its outdated security measures, including failing to ‘salt’ passwords – a measure that combines each password with random data before ‘hashing’ it, so that even common passwords do not share a single hash and are more difficult to crack.
LinkedIn wrote in a blog post yesterday:
‘Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.’
‘We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.’
The company has said that since the incident in 2012 it has hashed and salted every password in its database, offering protection tools such as email challenges and dual factor authentication.
‘We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible,’ added the blog.
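To show why the salting discussed above matters, here is an added example that is not from the article or from LinkedIn. It assumes plain SHA-1 as the unsalted scheme (the article does not name the algorithm) and PBKDF2-HMAC-SHA256 as the salted, iterated replacement; the accounts are constructed sample data, not breach data. With unsalted hashing, every account that chose the same password shares one digest, so cracking that digest exposes all of them at once; with a per-user salt, identical passwords produce unrelated digests and each one must be attacked separately.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): three users chose the same weak
# password, which is exactly the situation an unsalted hash exposes.
SAMPLE_USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "123456",
    "carol@example.com": "correct horse battery",
    "dave@example.com": "123456",
}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the salted scheme


def unsalted_hash(password: str) -> str:
    """Weak scheme assumed for illustration: plain SHA-1 of the password.
    The same password always yields the same digest for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: PBKDF2-HMAC-SHA256 with a per-user random salt and a
    slow iteration count, so each guess is costly and digests never collide
    across users merely because the passwords match."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build the stored credential record: salt, work factor and digest."""
    salt = os.urandom(16)  # fresh 128-bit salt per account
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": salted_hash(password, salt, iterations),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    candidate = salted_hash(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def distinct_unsalted_digests(users: dict) -> int:
    """How many different digests an unsalted table holds for these users."""
    return len({unsalted_hash(pw) for pw in users.values()})


def largest_shared_group(users: dict) -> int:
    """Largest number of accounts that fall together once a single unsalted
    digest is cracked."""
    counts: dict = {}
    for pw in users.values():
        digest = unsalted_hash(pw)
        counts[digest] = counts.get(digest, 0) + 1
    return max(counts.values())


def distinct_salted_digests(users: dict) -> int:
    """With per-user salts, every account gets its own digest even when the
    underlying passwords are identical."""
    return len({make_record(pw)["hash"] for pw in users.values()})


if __name__ == "__main__":
    print("unsalted distinct digests:", distinct_unsalted_digests(SAMPLE_USERS))
    print("accounts exposed by one cracked digest:", largest_shared_group(SAMPLE_USERS))
    print("salted distinct digests:", distinct_salted_digests(SAMPLE_USERS))
    rec = make_record("123456")
    print("verify correct password:", verify("123456", rec))
    print("verify wrong password:", verify("1234567", rec))
```

The stored record keeps the salt and iteration count alongside the digest, which is what lets a site raise the work factor later and re-hash on the user’s next login; a leaked salted table still needs one full PBKDF2 run per guess per account, whereas a leaked unsalted table lets one precomputed digest unlock every account that shares it.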
But Liviu Itoafa, security researcher at Kaspersky Lab, bemoans the fact that LinkedIn are acting to improve their security only after the worst occurred.
‘The reports of further LinkedIn users’ passwords being sold online, following a hack four years ago, demonstrate the need for businesses to consider security procedures before a data breach forces them to – prevention is always better than cure,’ says Itoafa.
‘Customers that entrust their private information to an online provider should be able to rest safely in the knowledge it is kept in a secure manner; and all companies who handle private data have a duty to secure it.’
In this particular case, because email addresses and unsalted passwords were leaked together, cybercriminals have the opportunity to use this information to steal personal identities or more.
‘Unfortunately, once a breach of this nature has occurred, there is not much that can be done about the leaked data,’ said Itoafa. ‘While LinkedIn has taken the precaution of invalidating the passwords of the accounts impacted, and contacting those members to reset their passwords, the chances are that many will use the same password across multiple online accounts. So it’s important that LinkedIn users take steps to change the password for other online accounts where they have used the same password.’
LinkedIn added: ‘We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.’
The website, which has 400 million members, will be letting individual members know if they need to change their password.