LinkedIn Resets Passwords As 117M Logins For Sale On Dark Web - UPDATED


LinkedIn has confirmed a significant breach from 2012 was worse than first thought, as hackers claimed the number of leaked usernames and passwords was 117 million, up from the 6.5 million reported four years ago.

Earlier this week, fresh LinkedIn credentials went on sale on a dark web market known as The Real Deal. The same dealer, who goes by the name Peace, recently flogged millions of details on users of the Naughty America porn website at just $300. He is now offering 117 million LinkedIn usernames and passwords for a considerably higher price: 5 Bitcoin, worth approximately $2,200.

A LinkedIn spokesperson confirmed the company was looking into the matter and was in the process of resetting passwords of affected users: "Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of LinkedIn members from that same theft in 2012," they said.

"We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is a result of a new security breach."

There's a chance the hacker inflated the data, admitted Troy Hunt, a security expert who helped Vice Motherboard sift through a sample of 1 million logins provided by Peace. But given the nature of the illicit data trade market, where reputation is vital, it's unlikely the seller would have risked a con, Hunt noted.

He told FORBES he'd seen a number of passwords in plain text, indicating the hackers had managed to crack some of the hashes (a hash is the result of passing a password through a cryptographic algorithm that turns it into a fixed string of gobbledygook which is meant to be hard to reverse). "The reality is, it's a breach from four years ago and some passwords won't just be valid today, they'll be valid across different sites," Hunt warned.

As further evidence the leaked information was real, Hunt tested a number of emails on the site to see if LinkedIn revealed where users had already signed up. It did and all tested addresses showed they were already used by LinkedIn members.

Emails had also not been included in the previous dump of 6.5 million passwords. Motherboard and Hunt also heard from a handful of customers that the email addresses and passwords in the leak were legitimate.

LinkedIn did not respond to inquiries on the number of customers it believed to be affected. If it only has access to a sample of 1 million, it may not know itself just how bad the 2012 attack was.

UPDATE: LinkedIn is in the process of resetting user passwords for every member who joined before 2012 who had not changed their password since the previously reported breach. It confirmed the action in a blog post, in which it added: "We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts."
