LinkedIn account details including names, emails and passwords were originally stolen in 2012, but reportedly remain up for sale
LinkedIn users are being urged to change their passwords after the revelation that around 117 million account details, including email addresses and passwords, are up for sale.
The data is reportedly being offered to the highest bidder by a hacker who claims he was responsible for the theft four years ago.
The hacker, known as “Peace,” contacted technology site Motherboard this week to offer the details, which are up for sale for five Bitcoins (around £1564) on dark web site The Real Deal.
Peace claims that that the data was stolen during a breach of LinkedIn back in 2012, in which around 6.5 million encrypted passwords were posted online.
However the site never clarified how many users were affected by that breach, and when contacted by Motherboard for comment, a LinkedIn spokesperson said that the passwords posted online in 2012 were not necessarily all of those affected.
LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate.
The database was also found on paid hacked data search engine LeakedSource, which claimed to have 167m accounts available, and as proof provided Motherboard with a sample of almost one million credentials including email addresses, hashed passwords, and the corresponding hacked passwords.
LinkedIn has been criticised across the security industry for its lax approach to user protection, with the company apparently underestimating just how big the 2012 breach was.
The social network also apologised and enlisted the help of the FBI in the matter, but that did not stop a class action lawsuit, which ultimately cost LinkedIn $1.25m (£810,000) in settlements last year.
“The LinkedIn breach goes to show how a single significant breach can come back to haunt a business (and its customers) again and again,” said Rob Sobers, director at Varonis.
“It also highlights just how in-the-dark companies typically are after a breach. After a breach occurs we usually see a statement claiming that the security team has “isolated the affected systems,” but seasoned security researchers know that far too often the scope and severity of a breach is indeterminable due to a lack of comprehensive monitoring and logging.”
Are you a security guru? Try our quiz!