A major security breach of LinkedIn in 2012 saw a reported 6.5 million passwords stolen, and the hacker has now put these details up for sale online – but it’s worse than expected.
After the leak four years ago, LinkedIn asked its members to change their passwords, and the company reset the passwords of any accounts it believed the hacker had compromised.
However, it appears that the scale of the problem is much worse than was thought at the time: a total of 167 million accounts are reportedly being advertised online, although only 117 million of these include email addresses and hashed passwords.
An independent security researcher, Troy Hunt, confirmed to the BBC that the leak appears to be legitimate. He said: “I’ve personally verified the data with multiple subscribers of ‘Have I been pwned’,” which is his website.
“They’ve looked at the passwords in the dump and confirmed they’re legitimate.”
Although LinkedIn did not store the passwords in plain text, the protection was not as strong as it should have been. LinkedIn ‘hashed’ the passwords, but it did not ‘salt’ them before storing them, as it should have done.
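The following Python example, added here and not taken from the article or from LinkedIn, shows why an unsalted hash is weak and what salting changes. The user records and the small "common passwords" list are constructed sample data; the unsalted scheme uses plain SHA-1 and the salted scheme uses a per-user random salt with PBKDF2-HMAC-SHA256 (the PBKDF2 choice is this example's assumption, not something the article states about LinkedIn's fix).

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data: three accounts, two of which share the same weak password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "linkedin123",
    "bob": "linkedin123",
    "carol": "correct horse battery staple",
}

# Constructed list of common passwords, standing in for a precomputed lookup table.
COMMON_PASSWORDS: List[str] = ["password", "123456", "linkedin123", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the unsalted scheme the article criticises."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def recover_with_lookup_table(stored: Dict[str, str], dictionary: List[str]) -> Dict[str, str]:
    """Defender's self-check: how many unsalted hashes fall to one lookup table?

    Without a salt, a single hash -> password table built once covers every
    account, and two users with the same password have identical hashes.
    Returns the accounts whose hash appears in the table.
    """
    table = {unsalted_sha1(p): p for p in dictionary}
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).

    The record is stored as 'pbkdf2$<iterations>$<salt-hex>$<digest-hex>' so
    that verification can recover the parameters later.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_records_distinct(users: Dict[str, str]) -> bool:
    """True if every stored salted record is unique, even for shared passwords."""
    records = [salted_hash(pw) for pw in users.values()]
    return len(set(records)) == len(records)


if __name__ == "__main__":
    unsalted_store = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted hashes identical for alice/bob:",
          unsalted_store["alice"] == unsalted_store["bob"])
    print("recovered by lookup table:", recover_with_lookup_table(unsalted_store, COMMON_PASSWORDS))

    salted_store = {u: salted_hash(p) for u, p in SAMPLE_USERS.items()}
    print("salted records identical for alice/bob:",
          salted_store["alice"] == salted_store["bob"])
    print("verify alice:", verify_salted("linkedin123", salted_store["alice"]))
    print("verify alice with wrong password:", verify_salted("wrong", salted_store["alice"]))
```

Run stand-alone, the script shows that the two accounts sharing a password produce the same unsalted SHA-1 and are both recovered by one small lookup table, while their salted records differ and can only be checked one password at a time against each record's own salt. The iteration count is a tunable cost factor; raise it as hardware allows.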
“We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach,” LinkedIn said in a blog post.
“We will be letting individual members know if they need to reset their password. However, regularly changing your password is always a good idea and you don’t have to wait for the notification.”
The professional networking site has more than 400 million members, with around 20 million of those being in the UK.