117 million LinkedIn passwords sold by hackers
Published 19/05/2016 | 08:06
Passwords belonging to 117 million users of professional networking site LinkedIn have been put up for sale online.
The huge cache of personal data comes from a hack of the website four years ago that was previously thought to have affected only a few million accounts.
LinkedIn said it was trying to assess which accounts had been affected and invalidate their passwords to prevent hackers accessing users’ accounts.
In 2012, around 6.5 million LinkedIn passwords were released online, forcing the company to urge all its members to change their passwords and reset those that it suspected had been affected.
Now the much bigger set of details has been put up for sale on the dark web for five bitcoins (£1,565). Although hashed rather than stored in plain text, the passwords had not been protected with an additional security measure known as a “salt”, making more common passwords relatively easy to crack.
LinkedIn has more than 400 million members around the world, and more than 20 million in the UK.
I'm seeing claims of a 167M record LinkedIn data breach and it's presently being sold for 5 BTC on a dark web trading site. Anyone verified? — Troy Hunt (@troyhunt), May 18, 2016
The data release actually contains details of 167 million accounts, including email addresses, although only 117 million passwords are included.
"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012," LinkedIn said.
"We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach." It said that passwords are now salted, meaning in the event of any future breach, they would be more difficult to crack.
If your LinkedIn password has not been changed since 2012, now is probably a good time to change it, and the same goes for any other websites where you use the same password.
The company also urged people to activate two-factor authentication on their accounts to better protect themselves.
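Why the missing salt matters, and what salting changes, shown as an added example that is not part of the original article or LinkedIn's code. The accounts are constructed, SHA-256 stands in for the unsalted hash (the article does not name the algorithm), and PBKDF2 is an assumed choice of salted scheme.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from any real data set).
ACCOUNTS = {
    "alice@example.com": "123456",
    "bob@example.com": "123456",
    "carol@example.com": "correct horse battery staple",
}

def unsalted(password):
    """Fast, unsalted digest: the same password always yields the same value."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password, salt=None, rounds=200_000):
    """Random per-account salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def verify(password, salt, stored, rounds=200_000):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted(password, salt, rounds)[1], stored)

def shared_digests(digests):
    """Count accounts whose stored value is identical to another account's."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)

def audit():
    unsalted_store = {u: unsalted(p) for u, p in ACCOUNTS.items()}
    salted_store = {u: salted(p) for u, p in ACCOUNTS.items()}
    # One precomputed entry for a common password matches every account using it.
    lookup = {unsalted("123456"): "123456"}
    matched = sorted(u for u, d in unsalted_store.items() if d in lookup)
    return {
        "unsalted_shared": shared_digests(unsalted_store.values()),
        "salted_shared": shared_digests(d for _, d in salted_store.values()),
        "matched_by_one_lookup_entry": matched,
        "login_ok": verify("123456", *salted_store["alice@example.com"]),
    }

if __name__ == "__main__":
    print(audit())
```

With a salt, two members who chose the same password no longer share a stored value, so each account has to be attacked separately and a precomputed table is of no use.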