117M hacked LinkedIn logins for sale on dark web

A hacker is attempting to sell the account information of 117 million LinkedIn users stolen as part of a 2012 breach that appears much worse than originally thought.

“Yesterday, we became aware of an additional set of data that had just been released,” the company said in a statement Wednesday. “We have no indication that this is as a result of a new security breach.”

{mosads}Around 6.5 million passwords were posted online when the breach occurred in 2012, although LinkedIn never confirmed the scope of the breach. The company rolled out a mandatory password reset for all accounts it believed were compromised.

Now, the information for an additional 100 million accounts is for sale on an illegal dark web marketplace for 5 bitcoin, or $2,200, according to Motherboard. Security researchers who have reviewed the data say it is likely legitimate.

A LinkedIn spokesman confirmed to Motherboard that the 6.5 million passwords originally released were not necessarily all of the stolen data.

“We don’t know how much was taken,” Hani Durzy told the publication.

Although the exposed passwords are encrypted, they were protected with a weaker algorithm that makes them easier to crack. The passwords were “hashed” — converted to a string of numbers — but not “salted,” which adds a few random characters specific to each user to the end of every password.

One of the operators of a hacked data search engine told Motherboard that they cracked “90% of the passwords in 72 hours.” 

LinkedIn said Wednesday that it has been salting its passwords “for several years.”

The company says it is invalidating the passwords of the accounts impacted and contacting affected members to reset their passwords.

But security experts are advising all users of the site to change their passwords and replace any payment cards associated with their account.