<div dir="ltr"><a href="http://motherboard.vice.com/en_uk/read/another-day-another-hack-117-million-linkedin-emails-and-password">http://motherboard.vice.com/en_uk/read/another-day-another-hack-117-million-linkedin-emails-and-password</a><br><br><p>A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users.
</p><p>The hacker, who goes by the name “Peace,” told Motherboard that
the data was stolen during the LinkedIn breach of 2012. At the time,
only around 6.5 million encrypted passwords <a href="http://www.pcworld.com/article/257045/security/6-5m-linkedin-passwords-posted-online-after-apparent-hack.html" target="_blank">were posted online</a>, and LinkedIn <a href="https://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised" target="_blank">never clarified</a> how many users were affected by that breach.
</p><p>Turns out it was much worse than anybody thought.
</p><p>Peace is selling the data on the dark web illegal marketplace <a href="https://motherboard.vice.com/tag/The+Real+Deal" target="_blank">The Real Deal</a> for 5 bitcoin (around $2,200). The paid hacked data search engine <a href="https://www.leakedsource.com/" target="_blank">LeakedSource</a> also <a href="https://www.leakedsource.com/blog/linkedin" target="_blank">claims</a>
to have obtained the data. Both Peace and the one of the people behind
LeakedSource said that there are 167 million accounts in the hacked
database. Of those, around 117 million have both emails and encrypted
passwords.
</p><p>“It is only coming to the surface now. People may not have taken
it very seriously back then as it was not spread,” one of the people
behind LeakedSource told me. “To my knowledge the database was kept
within a small group of Russians.” <br></p><p>LeakedSource provided Motherboard with a sample of almost one million
credentials, which included email addresses, hashed passwords, and the
corresponding hacked passwords. The passwords were originally encrypted
or hashed with the SHA1 algorithm, with no “salt,” which is a series of
random digits attached to the end of hashes to make them harder to be
cracked.
</p><p>One of the operators of LeakedSource told Motherboard in an
online chat that so far they have cracked “90% of the passwords in 72
hours.”
</p><p>Troy Hunt, a security researcher who maintains <a href="https://motherboard.vice.com/read/the-rise-of-have-i-been-pwned-an-invaluable-resource-in-the-hacking-age-troy-hunt" target="_blank">the breach notification site</a> “<a href="https://haveibeenpwned.com/" target="_blank">Have I Been Pwned?</a>,”
reached out to some of the victims of the data breach. Two of them
confirmed to Hunt that they indeed were users of LinkedIn and that the
password he shared with them was the one they were using at the time of
the breach. Motherboard was able to confirm a third victim.
</p><p>One of the victims told Motherboard that the password in the
sample was their current one, though he changed it as soon as Hunt
reached out no notify him of the breach.
</p><p>“Having a password out there feels like someone being able to let
themselves in to your private space whenever they like, without you
knowing,” the victim, who asked to remain anonymous, said in an email.
</p><p>When reached for comment on Tuesday, LinkedIn spokesperson Hani
Durzy told Motherboard that the company’s security team was looking into
the incident, but that at the time they couldn’t confirm whether the
data was legitimate. Durzy, however, also admitted that the 6.5 million
hashes that were posted online in 2012 were not necessarily all of the
passwords stolen.
</p><p>“We don’t know how much was taken,” Durzy told me in a phone call.
</p><p>The lesson: For LinkedIn, the lesson is the same as four years
ago: don’t store passwords in an insecure way. As for LinkedIn users, if
you didn’t already change your password four years ago, change it
again, especially if you use it on other services (and please stop
reusing passwords).
</p><p>“The prevalence of password reuse means we’ll see that unlock other accounts too,” Hunt told me.
</p><p class="">Another lesson is that even old hacked data can sometimes be valuable, given that some of these passwords might still be valid.
</p><p><strong>UPDATE, May 18, 12:32 p.m. ET</strong>: LinkedIn confirmed on Wednesday that the new data is legitimate. </p><p>“Yesterday,
we became aware of an additional set of data that had just been
released that claims to be email and hashed password combinations of
more than 100 million LinkedIn members from that same theft in 2012,“
the company's chief information security officer Cory Scott wrote in <a href="https://blog.linkedin.com/2016/05/18/protecting-our-members" target="_blank">a blog post</a>.
“We are taking immediate steps to invalidate the passwords of the
accounts impacted, and we will contact those members to reset their
passwords. We have no indication that this is as a result of a new
security breach.“
</p><p>Scott also encouraged users to use <a href="https://www.linkedin.com/help/linkedin/safety/4026/4027/531?trk=li_corpblog_corp_security" target="_blank">two-factor authentication</a> and use strong passwords. </p><br></div>