LinkedIn’s 2012 Data Breach Strikes Back In Delayed Reaction As 117 Million Users Are Exposed

If you haven't changed your LinkedIn password in several years, now would be a good time to get on that. Not only is it good practice to change passwords much more frequently than that, there's a chance that your login details were compromised four years ago and are just now being shopped around in an underground marketplace.

A hacker who goes by the name "Peace" is shopping around account information of 117 million LinkedIn users. The data was stolen during a security breach at LinkedIn in 2012, at which time around 6.5 million encrypted passwords were posted to the web. LinkedIn never said how people were affected by the data breach, and in this day and age where major hacks occur with frightening frequency, it was quickly forgotten. If only it had stayed that way.

LinkedIn Building

The entire batch of stolen accounts is listed at an illegal marketplace for 5 Bitcoins, which works out to $2,200 in U.S. currency. It includes mostly cracked accounts—while the passwords were originally encrypted, Peace and others involved with the sale of the data claim to have figured out the passwords for 90 percent of the accounts, a feat they achieved in three days time.

So, why is this only coming to light right now even though it happened four years ago?

"It is only coming to the surface now. People may not have taken it very seriously back then as it was not spread. To my knowledge the database was kept within a small group of Russians," one of the people involved with the sale of the stolen data told Motherboard.

A spokesperson for LinkedIn initially said that the incident was currently being looked into and later confirmed that the stolen data is legitimate.

"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach," LinkedIn stated in a blog post.

In addition, LinkedIn is trying to get Peace and company to remove the listing with the threat of legal action.