LinkedIn confirms logins of 117 million members were stolen in 2012

Spread the love

LinkedIn has said it believes the database of 117 million LinkedIn users’ credentials to be genuine. The database was offered for sale on the internet for 5 bitcoins, converted about 2000 euros.

LinkedIn has decided to reset users’ passwords if they created their account before the 2012 hack and haven’t changed their passwords since. With this measure, the company is responding to the online appearance of the database with data, originating from a hack that took place in 2012. After the hack, it appeared that 6.5 million credentials had been stolen as they appeared on a Russian site. Now it turns out that there is much more data involved. The data concerns 117 million combinations of usernames and passwords, which are hashed with sha1 without salt and are therefore fairly easy to crack.

A LinkedIn spokesperson told security researcher Brian Krebs that the company now owns the database and assumes that it is indeed data from its users. In addition, there are ‘no indications that the data originates from a new security incident’. LinkedIn is still investigating how many of those users are still active.

Krebs asked the company why it didn’t choose to reset all users’ passwords in 2012. The spokesperson replied that “the company was doing what seemed the best option for the users at the time, by protecting those affected and not disrupting the LinkedIn experience of other users.” It is unclear whether LinkedIn had any clues at the time showing that the hack was actually large in scope.

LinkedIn says in its blog post to inform affected users about resetting their passwords and adds that it is generally wise to change passwords regularly. In 2013, the service introduced two-factor authentication, which allows an additional layer of security to be added to an account. The service states that it has asked the providers of the database to remove it from the internet and says it is considering legal action if they do not comply with the request.

Apart from LinkedIn’s password reset, several security companies point out that it is wise for all users of the site to change their password. This also applies if the same password is used for accounts on other sites. The 117 million credentials are currently not searchable via the ‘have I been pwned’ site, where users can check whether their email address or username is among data stolen from various hacks.

You might also like
Exit mobile version