A hacker claims to be selling the user names and passwords for more than 117 million LinkedIn users – a figure that represents more than a quarter of the career networking site’s users. The hacker, using the name Peace, confirmed the breach to the website Motherboard. The affected data is reported to be from a 2012 hack. At the time, LinkedIn confirmed the attack, but it was believed the leaked data was limited to 6.5 million users. It appears that the initial attack was much worse and compromised the personal data of a significantly higher number of users.
The user names and passwords are now for sale on the Dark Web for $2,200 each. The hack is linked to a group of Russian cyber criminals.
LinkedIn issued the following statement:
In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members’ passwords. At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure. Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
If you have an account on LinkedIn, you should immediately change your password. If you’ve used the same password on any other sites, you’ll need to change those as well. It’s a good reminder that resume or career information you post to LinkedIn is not secure. From leaked passwords to intense data mining and proliferation of user details, it seems the site may be better named LinkedOut – because that’s exactly what’s happening to your data.