LinkedIn’s chief information security officer Cory Scott announced Wednesday in a blog post that a hacker recently released 167 million account records as a result of a security breach from 2012. The usernames and passwords stolen have been offered for sale for around $2,200 (5 bitcoins) on the dark web, where people can take part in illegal businesses as they browse anonymously.
The database dump containing the account information of 167,370,940 LinkedIn users was announced on TheRealDeal, a dark market website, as reported by PC World. The data set reportedly includes email addresses, user IDs and SHA1 password hashes.
Vice Motherboard reported that a hacker told the website that the database dump, which includes 117 million log-in credentials belonging to members of the professional networking site, was part of the information obtained during the 2012 breach.
Scott wrote in the blog post that nothing indicates there’s a new unauthorized disclosure and said LinkedIn required a mandatory password reset for all accounts affected. He added that the company recommended that all users change their passwords in order to protect their accounts.
Scott said the company advised its customers to visit its safety center to learn how to activate two-step verification and to use the strongest passwords they could think of. He remarked that LinkedIn had put additional layers of security in place, including dual-factor authentication and email challenges.
An update on protecting our members: https://t.co/4a6EJW1JKJ
— LinkedIn (@LinkedIn) May 18, 2016
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” Scott added, saying that the company became aware of the situation on Tuesday.
Have I been pwned? is a website that allows users to check whether their account information has been compromised by data breaches. Troy Hunt, the site’s creator, told PC World via email that he had seen roughly 1 million records from the data set and verified the leak was legitimate.
Hunt added that many LinkedIn members affected by this breach are likely to have used the same passwords in other places on the Web, which is why they should change them as soon as possible, particularly if they haven’t changed them in a long time.
The account information released in 2012 was posted to a Russian hacker site, affecting 6.5 million users. Last year, the company faced a class-action lawsuit, which was resolved as LinkedIn agreed to compensate 800,000 members who had paid for its premium services, according to a report by The New York Times.
Source: PC World