A hacker is trying to sell one hundred million Linkedin (NYSE: LNKD) logins. The credentials were reportedly taken in a breach of the website four years ago. Linkedin thought it had reset the accounts of those affected; originally the company believed that 6.5 million users were affected. Now it has to reset the accounts of the remaining affected users. Linkedin is used to find career opportunities and send work-related messages.
According to the news site Motherboard, a hacker going by the name “Peace” is selling the data on the marketplace website The Real Deal for 5 bitcoin (around $2,200). Motherboard also reports that another website, Leaked Source, claims to have obtained the data. According to Motherboard there are 167 million accounts in the hacked database, and 117 million of those have both emails and encrypted passwords.
A Linkedin rep spoke with the BBC and told them that, “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords.” “We have no indication that this is a result of a new security breach.” “We encourage our members to visit our safety center to ensure they have two-step verification authentication and to use strong passwords in order to keep their accounts as safe as possible.”
One of the people behind Leaked Source spoke with Motherboard and told them that “It is only coming to the surface now. People may not have taken it very seriously back then as it was not spread. To my knowledge the database was kept within a small group of Russians.”
When the breach first occurred, a file of only 6.5 million encrypted passwords was posted to an online forum in Russia. Linkedin responded by invalidating all the affected accounts. Motherboard also reports that it found a user who still uses the same password that appears in the batch.
Troy Hunt, a security researcher and owner of “Have I Been Pwned”, spoke with the BBC and told them that “I’ve personally verified the data with multiple subscribers [of my own site].”
“They’ve looked at the passwords in the dump and confirmed they’re legitimate.” The problem Linkedin faced came from the fact that passwords were originally “hashed” but not “salted” before being stored. Hashing uses an algorithm to convert a password into a long string of digits. Salting mixes a random value into each password before it is hashed, an extra step that makes the stored hashes much harder for attackers to recover.
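The hashing-versus-salting point above, shown as an added Python example (this is not code from the article, from Linkedin, or from the researchers quoted). The sample accounts and passwords are constructed for illustration. Bare SHA-1 stands in for the "hashed but not salted" scheme; PBKDF2-HMAC-SHA256 with a per-account random salt stands in for the salted scheme. An audit helper lists accounts whose stored value is identical to another account's, which is exactly what an unsalted store gives away and a salted store does not:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts for illustration only; not records from any real data set.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "user1@example.com": "correct horse battery staple",
    "user2@example.com": "correct horse battery staple",   # same password as user1
    "user3@example.com": "a different passphrase 42",
}

PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes: a bare hash of the password.

    Every account that chose the same password stores the same digest, so one
    precomputed digest answers the question for all of those accounts at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hashing with PBKDF2-HMAC-SHA256 from the standard library.

    A fresh 16-byte random salt per account means identical passwords produce
    different stored values, and the iteration count makes each guess costly.
    Returns (salt, digest); both are stored alongside the account.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


def accounts_sharing_a_digest(stored: Dict[str, bytes]) -> List[str]:
    """Audit helper: accounts whose stored digest also appears under another account.

    Under an unsalted scheme this reveals every shared password; under a salted
    scheme the list stays empty even when users chose the same password.
    """
    by_digest: Dict[bytes, List[str]] = {}
    for account, digest in stored.items():
        by_digest.setdefault(digest, []).append(account)
    return sorted(a for group in by_digest.values() if len(group) > 1 for a in group)


def store_unsalted(accounts: Dict[str, str]) -> Dict[str, bytes]:
    """Build a password store the weak way: account -> bare SHA-1 digest."""
    return {a: bytes.fromhex(unsalted_sha1(p)) for a, p in accounts.items()}


def store_salted(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a password store the recommended way: account -> (salt, PBKDF2 digest)."""
    return {a: salted_hash(p) for a, p in accounts.items()}


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_ACCOUNTS)
    print("unsalted SHA-1, accounts sharing a digest:", accounts_sharing_a_digest(weak))
    strong = store_salted(SAMPLE_ACCOUNTS)
    digests_only = {a: d for a, (_s, d) in strong.items()}
    print("salted PBKDF2, accounts sharing a digest:", accounts_sharing_a_digest(digests_only))
    salt, digest = strong["user1@example.com"]
    print("verify correct password:", verify_salted("correct horse battery staple", salt, digest))
    print("verify wrong password:", verify_salted("not the password", salt, digest))
```

Running the script shows user1 and user2 exposed as sharing a password under the unsalted store and nothing exposed under the salted one, while verification still succeeds only for the right password. In production a dedicated password hash such as bcrypt, scrypt or Argon2 is preferable to PBKDF2, but the salt-per-account principle is the same.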
Linkedin’s chief information security officer Cory Scott wrote in a blog post that “yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed passwords combinations of more than 100 million Linkedin members from that same theft in 2012.”
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
Scott encourages users to check out their safety center online and learn about two-step verification and the use of strong passwords.