Reports indicate that a LinkedIn data breach may have led to the sale of sensitive data belonging to 117 million users.
According to Motherboard, the company’s website experienced a data breach in 2012, but the true consequences of the breach are only now becoming apparent.
Founded in 2002, LinkedIn catered for approximately 400 million users in 2015. The company provides a social network alternative for finding professional and work connections, sharing resumes and potentially finding new posts.
Users of LinkedIn’s website in 2012 discovered that roughly 6.5 million user account passwords were posted online, and the company never completely confirmed just who was impacted by the security incident.
However, a hacker called “Peace” told the publication that this information is being sold on the dark web for roughly $2,200, and LeakedSource, a paid search engine for hacked data, also claims to have the data. Both sources say there are approximately 167 million accounts in the data dump, 117 million of which have both emails and encrypted passwords.
The passwords may be encrypted, but because they were hashed with the SHA1 algorithm without any salting, a step that makes cracking harder, LeakedSource has been able to crack roughly 90 percent of the passwords in only a matter of days.
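To illustrate why the missing salt matters, the following added example (not code from LinkedIn, LeakedSource or the original article) stores the same constructed accounts twice: once as bare SHA1, and once with a per-user random salt and a slow key-derivation function. The account names, passwords and the PBKDF2 parameters are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from any real dump); two users share a password.
ACCOUNTS = {
    "alice@example.com": "linkedin123",
    "bob@example.com": "linkedin123",
    "carol@example.com": "correct horse battery",
}

def unsalted_sha1(password: str) -> str:
    """Scheme described in the article: bare SHA1 with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened alternative (assumed parameters): random salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])

def shared_hash_groups(stored: dict) -> int:
    """Count stored values that appear for more than one account."""
    return sum(1 for n in Counter(stored.values()).values() if n > 1)

def compare_schemes():
    """Store every account both ways and report how many hash values repeat."""
    weak = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
    records = {user: salted_record(pw) for user, pw in ACCOUNTS.items()}
    strong = {user: rec["digest"] for user, rec in records.items()}
    return shared_hash_groups(weak), shared_hash_groups(strong), records

if __name__ == "__main__":
    weak_dupes, strong_dupes, records = compare_schemes()
    print("unsalted SHA1, hash values shared across accounts:", weak_dupes)
    print("salted PBKDF2, hash values shared across accounts:", strong_dupes)
    print("login still verifies:", verify("linkedin123", records["alice@example.com"]))
```

With unsalted SHA1, every account that uses a given password stores the identical value, so a single computed or precomputed hash resolves all of them at once; the salt forces separate work per account and the iteration count makes each guess slower.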
Security expert Troy Hunt, operator of the Have I been pwned search engine, reached out to several of the victims who confirmed the leaked credentials were legitimate.
LinkedIn says the company is investigating.
Users of the professional networking service should change their passwords as soon as possible, and should also consider doing the same for any other accounts they own that use the same credentials.