A hacker known on the dark web as “Peace” is trying to sell the account information, including login credentials, of 117 million LinkedIn users.
The social network admitted to the massive data breach after the hacker offered the stolen data for sale. According to a new report from Motherboard, the trove of stolen emails, passwords and accounts is available at an asking price of 5 Bitcoin, which converts to about $2,300.
Back in 2012, LinkedIn admitted to a single sizeable data breach that compromised millions of accounts, and it forced a password reset only for affected users. At the time, it was reported that approximately 6.5 million encrypted passwords were compromised, but LinkedIn never actually clarified how many users were affected by that breach.
Now it appears that the data breach was significantly larger than we thought. The social networking firm confirmed this week that roughly 117 million users were affected.
In 2012, LinkedIn responded by forcing a password reset for the smaller number of accounts it had previously reported, and that’s where its response stopped. However, it is likely that a meaningful percentage of the 110 million uninformed victims have not changed their passwords since then. Those accounts remain vulnerable. Motherboard also reported that 90 percent of the stolen passwords were cracked within 72 hours, and some of the victims continue using their 2012 passwords.
In a puzzling move, LinkedIn’s response to this most recent breach is once again to force a password reset for only a subset of users.
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” wrote Cory Scott, in a post on the company’s blog. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
If you have a LinkedIn account and haven’t changed your password in a while, what the heck are you thinking? Log on and change it now. And while you’re at it, if you haven’t changed your password for your bank, your Facebook or Twitter accounts, and any online automated payment accounts, what are you waiting for?
And, for the love of all things electronic, stop using the same password at multiple sites.
You’ve been reading about cybercrime for a long time now. You know better. Just stop.