LinkedIn Hacked — 167 Million Accounts for Sale on Dark Web


UPDATE: CSO reports that the LinkedIn data breach has been connected to a series of data breaches that occurred shortly after, including Citrix’s GoToMyPC and TeamViewer. A list of LinkedIn users’ names, work history and passwords obtained in the initial breach provided the information needed for hackers to gain access into other secondary networks.

What should you do?

  • Avoid using the same password for multiple sites.
  • Change your passwords every 90 days.
  • Create passwords with a minimum of 8 characters and a variety of capital and lowercase letters, symbols and numbers.

What happened? 

Account information of 117 million LinkedIn users has surfaced on the online black market. The hacker responsible is seeking 5 bitcoins ($2,200 USD) for the database of users’ email addresses and encrypted passwords. 

An additional 50 million LinkedIn email addresses, without passwords, are also for sale.

The information was apparently stolen during the 2012 LinkedIn data breach. Following the breach, 6.5 million encrypted passwords were posted online. Within weeks, 200,000 of the encrypted passwords were successfully decoded.

LinkedIn never specified the full extent of that breach. However, LinkedIn now acknowledges this as a credible threat and is re-investigating the matter.

“It appears that more [accounts] had been taken then, and just posted now,” spokesman Hani Durzy said in a statement to Bloomberg. “We are still determining how many of these are still active and accurate, since the data would be about four years old now.”

It is important to note that while the passwords are older and encrypted, it does not mean they are secure.

LeakedSource, a search tool designed for breached information, analyzed a one-million-member sample of the exposed data. Within 72 hours of receiving the encrypted passwords, they were able to decode 90 percent of them.

Additionally, because no mass password-reset was mandated following the 2012 data breach, many users may still be at risk — especially if they have never changed their password.

What should you do?

LinkedIn members are urged to take the following actions to protect their accounts and professional networks.

  1. Change your password
    Passwords should be at least eight characters in length and include a complex mix of letters, numbers and symbols. Change your password frequently and never use the same password across multiple accounts.
  2. Watch for phishing emails
    Targeted phishing attacks are also expected to follow the LinkedIn data breach due to the exposure of email addresses. Never provide account information via email and be hesitant to click on links within such emails, especially if the email appears to be from LinkedIn.
  3. Be wary of what friends post
    With approximately 430 million LinkedIn users, this breach has the potential to impact nearly 30 percent of LinkedIn members. It’s likely someone impacted could be one of your connections. Be cautious of friends sharing suspicious links or requesting money or personal information; their account could be compromised and thus used by someone who purchased their information on the dark web.
  4. Enable two-step verification
    Two-step verification requires a username, password and a code sent directly to your mobile phone to access your account. This provides an additional layer of security while helping alert you if anyone attempts to take over your account.

For more information on adjusting your privacy settings, please visit our LinkedIn Privacy Settings Tutorial.

Fighting Identity Crimes will keep you updated as new information becomes available about the LinkedIn data breach. Be sure to subscribe to our blog to stay up-to-date with the latest identity theft and fraud news.

The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.

John is General Counsel and Chief Privacy Officer of Sontiq, the parent company of the EZShield and IdentityForce brands. He is a Certified Compliance...