Millions of LinkedIn passwords put up for sale following 2012 hack


There's bad news for some LinkedIn users, as a ton of account details for the social network have just gone on sale, even though they were pilfered in a security breach that happened years ago.

You may recall the breach which happened in 2012 and apparently resulted in 6.5 million passwords being stolen, but it seems the true gravity of this incident is only now being realised.

Motherboard spoke to the hacker who has posted the fresh account details for sale online, and the individual known as 'Peace' claims there are no less than 167 million accounts involved, although only 117 million of these have both emails and hashed passwords.

Those are hugely worrying numbers, and unsurprisingly LinkedIn has already responded to this news with a blog post.

LinkedIn said it was aware of a new set of data which has just been released claiming to be the details of over 100 million accounts, and the social network is taking this very seriously, saying it is introducing "immediate steps to invalidate the passwords of the accounts impacted".

Those account owners will be contacted by LinkedIn to reset their passwords, so if you have been affected, you've probably already heard about it or will do very shortly.

Making a hash of it

LinkedIn also noted that back in 2012 at the time of the breach, its response included a mandatory password reset for accounts the social network believed to be compromised, but that number was far smaller than the true figure if this leak is indeed kosher. Which it certainly sounds like it is.

When this incident happened four years ago, LinkedIn got into trouble for failing to "salt" password hashes before storing them on servers, meaning even though the passwords obtained were encrypted, the encryption wasn't as watertight as it should have been.

This resulted in a class-action lawsuit being filed against the social media site, so it was quite a traumatic affair for LinkedIn all round – but the pain isn't over yet, it would seem.

In its blog post, LinkedIn reminded us that it now hashes and salts every password, and also urged members to make use of two-factor authentication which the site supports, to prevent an attacker from accessing an account even if they do manage to learn the password.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).