LinkedIn's nightmare returns - hacker selling stolen emails and passwords of 117 Mn users

The scare of the 2012 LinkedIn hacks is back and this time it’s only bigger. The company announced that more than 100 million LinkedIn user emails and passwords have been released, and said that the platform is now working towards validating and contacting these users to reset their passwords on the website.

At the time of the leaks in 2012, only 6.5 million encrypted passwords were posted on a Russian hacker forum, from which thousands were quickly cracked.

Going by the name ‘Peace’, the hacker confirmed to the publication Motherboard that it is trying to sell this data on the dark web's illegal marketplace – The Real Deal – for around five bitcoin ($2,200 dollars). It is reported that while the total data set includes 167 million accounts, 117 million of them have e-mails and encrypted passwords tagging along.

LeakedSource, the paid search engine for hacked data, also seems to have gotten access to the data, with the database kept within a small group of Russians for so long. Operators of LeakedSource have also claimed to have cracked 90 percent of the passwords within 72 hours.

Originally encrypted or hashed with an SHA1 algorithm, the passwords were unsalted making them easier to be cracked. ‘Salt’ is a series of random digits added to the end of the hashes to make information harder to be cracked.

Confirming the news, LinkedIn released the following statement on their blog:

 In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members’ passwords. At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure. Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.

Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.

We take the safety and security of our members’ accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.

It is also said that in 2015, the Mountain View-based social network site agreed to settle a class-action lawsuit over its 2012 security breach. The lawsuit suggested that the company violated not just its privacy policy but also an agreement with premium subscribers on keeping their personal information safe.

A total of $1.25 million was paid to the victims breaking it to $50 per user to settle the lawsuit.

Hacking philosophy

Multiple cyber-security hacks in the last one year have shaken the world. Whether it is the Sony Pictures hack, which erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers, or the Panama Papers leak.

According to a data point, 90 percent of the healthcare organisations surveyed in the US had a data breach in the past two years, of which 45 percent had more than five breaches in that time period. The annual cost of dealing with these breaches was estimated at $6.2 billion.

But experts predict that the hacks of the future won’t just steal or delete information, but rather manipulate it to compromise its reliability. Further, it is predicted that cyber intrusions will increase through 'spearfishing' or using fake web links to get access to systems, while pretending to be someone else.

Therefore, it is suggested that companies patch their software to keep information segmented so that any hack onto the system won’t mean access to all data. We suggest you change your LinkedIn passwords for the moment, especially if you haven’t generated a new one in the last four years.