LinkedIn hacked; 117 million users’ passwords up for sale
19 May 2016
Passwords belonging to 117 million users of professional networking site LinkedIn – one of the world's most popular websites – have been put up for sale online.
LinkedIn was the victim of an attack four years ago, but the true extent of the damage is only now coming to light. LinkedIn has admitted that tens of millions more accounts than first thought may have been compromised. Earlier, the hack was thought to have affected only a few million accounts.
LinkedIn said it was trying to assess which accounts had been affected and invalidate their passwords to prevent hackers accessing users' accounts.
In 2012, around 6.5 million LinkedIn passwords were released online, forcing the company to urge all its members to change their passwords and reset those that it suspected had been affected.
Now the much bigger set of details has been put up for sale on the dark web for five bitcoins (£1,565). Although encrypted, the set of passwords had not been cryptographically sealed with an additional security measure known as a "salt", making more common passwords relatively easy to decode.
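Why the missing salt matters, as an added illustration that is not part of the original article: in an unsalted store, every user with the same password has the same stored value, so common passwords stand out and can be resolved in bulk, while a per-user salt with a slow key-derivation function removes that shortcut. The article does not name the algorithm, so SHA-1 as the fast hash and PBKDF2-HMAC-SHA256 as the hardened scheme are assumptions, and the accounts are constructed samples.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not taken from any leaked data).
ACCOUNTS = [("alice", "linkedin123"), ("bob", "linkedin123"), ("carol", "T7#qv!pLz0")]
PBKDF2_ROUNDS = 600_000  # assumed work factor for this illustration


def unsalted(password):
    """Weak scheme: one fast hash, no salt (SHA-1 is an assumption here)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted(password, salt=None):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted(password, salt)[1], digest)


def shared_hash_groups(records):
    """Return groups of users whose stored values are identical.

    Any group larger than one tells whoever holds the database that those
    users share a password, before a single guess has been made.
    """
    groups = defaultdict(list)
    for user, stored in records:
        groups[stored].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def build_unsalted_store():
    return [(user, unsalted(pw)) for user, pw in ACCOUNTS]


def build_salted_store():
    return [(user, salted(pw)) for user, pw in ACCOUNTS]


if __name__ == "__main__":
    print("unsalted duplicates:", shared_hash_groups(build_unsalted_store()))
    print("salted duplicates:  ", shared_hash_groups(build_salted_store()))
```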
LinkedIn has more than 400 million members around the world, and more than 20 million in the UK.
Nearly 7 million usernames and passwords were originally thought to have been stolen in the hack. The number now is over 100 million - a quarter of the professional networking site's membership.
LinkedIn says it's "taking immediate steps to invalidate the passwords of the accounts impacted" and pledges to "contact those members to reset their passwords".
The Motherboard website was able to confirm several victims from the data grab up for sale on the dark web for a little over $2,000. LeakedSource, a search engine for hacked info, reported it was able to crack nearly all the stolen encrypted passwords in just a few days.
It's not clear why the criminals would sit on this data for so long.
To stay protected, LinkedIn says users should update their passwords and implement two-factor authentication - a feature that sends a security code to a user's phone upon login.