And is selling them on the dark web.
Online security is an ever-growing issue of our time, and now the account information of over 117 million LinkedIn users may be circulating on the dark web.
Hackers orchestrated a massive attack on the company back in 2012, and it was believed that about 6.5 million users were at risk. However, new information reveals that over 117 million users could be at risk.
On LinkedIn’s official blog, chief information security officer Cory Scott confirmed that, on May 17, the company became aware that an additional set of data from the 2012 attacks had just been released.
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” he wrote.
A hacker who goes by the name “Peace” spoke to Motherboard, admitting to putting the data up for sale for 5 bitcoin (worth about $2,200) on The Real Deal, an illegal dark web marketplace.
LeakedSource, a paid search engine for hacked data, also claims to have obtained the LinkedIn data, amounting to 167 million accounts in the hacked database, 117 million of which include emails and encrypted passwords.
One of the operators of LeakedSource told Motherboard that they have cracked “90% of the passwords in 72 hours.”
However, LeakedSource’s blog reveals that over 753,000 LinkedIn members used the password “123456,” with “linkedin” and “password” coming in second and third place, so it’s no mystery how the hackers were able to complete the job so quickly. This serves as yet another reminder that we need to be mindful about making our passwords tricky to crack.
“It is only coming to the surface now. People may not have taken it very seriously back then as it was not spread,” one of the people behind LeakedSource said.
Scott has advised all LinkedIn users to change their passwords and enable a two-step verification feature which will send users a text message each time their account is accessed from an unknown device. The company has also published tips for safeguarding emails and passwords.
The new security threat serves as a troubling reminder that even data breaches from several years ago can reemerge as a new problem.
“For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication,” Scott wrote. “We take the safety and security of our members' accounts seriously.”