More than 117 Million LinkedIn Accounts Caught Up in Data Breach
If it's been a while since you changed your LinkedIn password, now might be a good time.
Back in 2012, LinkedIn was the victim of a massive data breach, resulting in the login details, including passwords, of more than 6.5 million of their users being uploaded to a Russian hacker forum. The data was encrypted, but it was listed in a way that hackers, evidently, had little trouble getting around it - within a few hours of the information being released, more than 300,000 usernames and passwords had been decrypted and were being shared amongst hacker communities.
LinkedIn acknowledged the reports via Twitter:
Our team is currently looking into reports of stolen passwords. Stay tuned for more.- LinkedIn (@LinkedIn) June 6, 2012
At the time, the threat level was deemed relatively low - as per TechCrunch:
"...chances are slim that you, yourself are personally affected - 6.5 million people makes up less than 5% of LinkedIn's userbase."
So a lot of people ignored it and moved on and nothing happened.
But today we've found out that the data breach was actually a lot worse than first thought.
LinkedIn announced this morning, via their official blog, that it wasn't 6.5 million accounts affected - it was more like 100 million, and all of them have now been released onto hacker forums.
"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach."
According to Motherboard, it's actually 167 million accounts that are included in the data set, and of those, around 117 million include both e-mails and passwords. And given it's from 2012, when LinkedIn only had 187 million members total, that means that the majority of people who were active on the platform at that time are on there.
Motherboard says the data's being sold by a hacker named "Peace" on the dark web marketplace The Real Deal for 5 bitcoin (around $2,200).
Motherboard also got in contact with a security researcher who's reached out to some of the victims of the data breach and they've confirmed that the e-mail/password combinations listed for their accounts were correct - one of them noted that it was their current password (which they promptly updated).
So what does this mean? If you haven't changed your LinkedIn password for some time, even if you're not sure you were active in 2012 or not, it's probably a good time to review.
LinkedIn advises that:
It also serves as a good reminder of the importance of keeping your passwords updated and reviewing your security practices from time to time. If you re-use your passwords across multiple platforms, for example, data breaches like this can lead to a much bigger problem. It's worth looking into your options and ensuring you don't get caught up, especially given the growing amount of effort and work people are putting into establishing and growing their social media presences.
And as noted above, LinkedIn is working to validate the accounts and contact affected users so they can reset their passwords on the site, so keep an eye on your inbox for any such notification - though it's probably worth updating your info either way.
UPDATE: Shortly after their first blog post on reports of user data being sold by hackers, LinkedIn added the following:
"We're moving swiftly to address the release of additional data from a 2012 breach, specifically:
We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven't updated their password since that breach. We will be letting individual members know if they need to reset their password. However, regularly changing your password is always a good idea and you don't have to wait for the notification. Feel free to reset your password by following the directions here.
We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts."
UPDATE (May 23rd): LinkedIn has reported that it's invalidated all the passwords of accounts that had not rest their password since the 2012 breach. LinkedIn will be sending out further information to all the affected accounts shortly - for more info you can contact LinkedIn.
Follow Andrew Hutchinson on Twitter