The account information of 117 million LinkedIn users has surfaced on the online black market, with the hacker responsible seeking 5 bitcoins (about $2,200 USD) for the database of users' email addresses and password hashes. The passwords are not encrypted in a recoverable sense; they are unsalted SHA-1 hashes, which is what makes them crackable.
An additional 50 million LinkedIn email addresses, without passwords, are also for sale.
The information was apparently stolen during the 2012 LinkedIn data breach. Following that breach, 6.5 million password hashes were posted online. Within weeks, 200,000 of those hashes had been cracked.
LinkedIn never specified the full extent of that breach, however, the platform now acknowledges that this is a credible threat and is re-investigating the matter.
"It appears that more [accounts] had been taken then, and just posted now," spokesman Hani Durzy said in a statement to Bloomberg. "We're still determining how many of these are still active and accurate, since the data would be about four years old now."
It's important to note that the age of the passwords and the fact that they are hashed does not make them secure. An unsalted SHA-1 hash can be computed billions of times per second on commodity GPUs, and because there is no per-user salt, one guess is tested against every account in the dump at once.
LeakedSource, a search tool designed for breached information, analyzed a one-million-member sample of the exposed data. Within 72 hours of receiving the hashes, they had cracked 90% of them.
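To make the point concrete, here is an added example (not from the article or from LinkedIn) that runs the same dictionary attack against a constructed set of unsalted SHA-1 hashes and then against the same passwords stored with a random per-user salt and PBKDF2 stretching. The wordlist, email addresses and passwords are all made up for the demonstration; a real attack uses wordlists of tens of millions of entries and far more iterations are used in production.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist. Real cracking runs use tens of millions of entries.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty", "iloveyou"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest: the storage scheme LinkedIn used in 2012."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed "leaked" records: email -> unsalted SHA-1 digest (not real data).
LEAKED_UNSALTED = {
    "alice@example.com": sha1_hex("linkedin"),
    "bob@example.com": sha1_hex("letmein"),
    "carol@example.com": sha1_hex("xK9#mv2!Qp7z"),  # not in the wordlist
}


def crack_unsalted_sha1(leaked, wordlist):
    """Dictionary attack on unsalted SHA-1.

    With no salt, each candidate word is hashed exactly once and the
    digest is looked up against every leaked record at the same time.
    Returns ({email: cracked_password}, number_of_hash_computations).
    """
    lookup = {sha1_hex(word): word for word in wordlist}
    cracked = {email: lookup[h] for email, h in leaked.items() if h in lookup}
    return cracked, len(wordlist)


def pbkdf2_record(password, iterations=50_000):
    """Store a password as salted, stretched PBKDF2-HMAC-SHA256.

    A random 16-byte salt per user means a precomputed table is useless
    and one hash computation can no longer test a guess against everyone.
    The iteration count makes every guess expensive for the attacker too.
    (50,000 iterations is a demo value; use your platform's recommended count.)
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


# The same three constructed users, stored the corrected way.
LEAKED_PBKDF2 = {
    "alice@example.com": pbkdf2_record("linkedin"),
    "bob@example.com": pbkdf2_record("letmein"),
    "carol@example.com": pbkdf2_record("xK9#mv2!Qp7z"),
}


def crack_pbkdf2(leaked, wordlist):
    """Same dictionary attack against salted PBKDF2.

    Every (user, candidate) pair needs its own full PBKDF2 computation
    with that user's salt, so the work scales as users * wordlist *
    iterations instead of just wordlist.
    Returns ({email: cracked_password}, number_of_pbkdf2_computations).
    """
    cracked = {}
    calls = 0
    for email, rec in leaked.items():
        for word in wordlist:
            calls += 1
            guess = hashlib.pbkdf2_hmac(
                "sha256", word.encode("utf-8"), rec["salt"], rec["iterations"]
            )
            if hmac.compare_digest(guess, rec["digest"]):
                cracked[email] = word
                break
    return cracked, calls


if __name__ == "__main__":
    weak, weak_calls = crack_unsalted_sha1(LEAKED_UNSALTED, WORDLIST)
    strong, strong_calls = crack_pbkdf2(LEAKED_PBKDF2, WORDLIST)
    print(f"unsalted SHA-1: cracked {weak} using {weak_calls} SHA-1 computations")
    print(f"salted PBKDF2: cracked {strong} using {strong_calls} PBKDF2 runs "
          f"of {LEAKED_PBKDF2['alice@example.com']['iterations']} iterations each")
```

Both schemes give up the two dictionary passwords; salting and stretching do not rescue a password that is on a wordlist. What changes is the cost: the unsalted dump is cracked with one hash per candidate for the whole user base, while the salted version costs a full PBKDF2 run per user per candidate. That asymmetry is why 90% of the LinkedIn sample fell in 72 hours, and why a unique, non-dictionary password is the only thing a user controls.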
Additionally, because no mass password reset was mandated following the 2012 data breach, many users may still be at risk, especially if they've never changed their password or have reused the same password on other sites, where the cracked credentials can be replayed.
What should you do?
LinkedIn members are urged to take the following actions to protect their accounts and professional networks.
- Change your password
Change your LinkedIn password now, and change it anywhere else you used the same one. Passwords should be at least eight characters, preferably much longer, and should not be a dictionary word or a predictable variation of one; cracking tools try those first. Never use the same password across multiple accounts; a password manager makes unique passwords practical.
- Watch for phishing emails
Targeted phishing attacks are also expected to follow the LinkedIn data breach due to the exposure of email addresses. Never provide account information via email and be hesitant to click on links within them, especially if the email appears to be from LinkedIn. Go to the site directly instead of following a link.
- Be wary of what friends post
With approximately 430 million LinkedIn users, this breach has the potential to impact nearly 30 percent of LinkedIn members, so someone impacted is likely to be one of your connections. Be cautious of connections sharing suspicious links or requesting money or personal information: their account could be compromised and in use by someone who purchased their credentials on the dark web.
- Enable two-step verification
Two-step verification requires your username, your password and a code sent directly to your mobile phone to access your account. This provides an additional layer of security and alerts you if anyone attempts to take over your account, since a login attempt with a cracked password will trigger a code you did not request.
LinkedIn has also noted that they're working to invalidate passwords for all accounts created prior to the 2012 breach that haven't updated their password since that breach, and that they'll be letting individual members know if they need to reset their password. LinkedIn has also demanded that the hackers cease making stolen password data available.