Over 117 million LinkedIn user logins are for sale on the black market “The Real Deal” by hacker “Peace” for five Bitcoins ($2,280). The breach is tied to an earlier hack on LinkedIn in 2012, when the company originally said 6.5 million accounts had been compromised.
The hacker, identified as Peace, claims the the data includes user IDs, email addresses and hashed passwords (SHA1) for LinkedIn users. Peace is advertising the sale of LinkedIn data for 167 million accounts. A second source that includes the data and breach search service called LeakedSource claims it’s familiar with the data and said 117 million of the records for sale by Peace include email address and unsalted SHA1 hashed passwords.
The publication Motherboard is reporting that operators of LeakedSource were able to crack “90 percent of the passwords in 72 hours” or 117 million accounts. Noted security researcher Troy Hunt, via his Twitter account said he has seen and verified authenticity of portions of the username and passwords adding “It’s highly likely to be legit” data.
At the time of the initial 2012 breach LinkedIn said it invalidated the passwords of “all affected users,” which at the time the company said was 6 million accounts out of 140 million.
“Unfortunately, it would seem that password reset fell short of what we now know to be over a hundred million accounts,” said Tod Beardsley, security research manager at Rapid7.
Beardsley and other security firms say the cache of compromised 4-yeear-old account passwords may have limited worth among hackers, and the real value is with a treasure trove of valid user email addresses. “The most valuable data in the LinkedIn compromise may not be the passwords at all, but the enormous registry of email addresses connected to working professionals,” Beardsley said.
LinkedIn did not reply to a request for comment from Threatpost. On Wednesday Cory Scott, chief information security officer for LinkedIn, posted a statement on the report.
“In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members’ passwords. At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure. Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
We take the safety and security of our members’ accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.“
For Adam Levin, chairman and founder of IDT911, the release of the compromised account data illustrate the current and future impact a data breach can have on a company, employees and customers.
“The ripple effects of a data breach may well continue for years to come,” Levin said. He said email address and passwords are at the foundation of digital identities, containing names, birthday and address. “These become tiny breadcrumbs that hackers can piece together to access even more sensitive information,” he said.