This piece of news might interest you if you have a LinkedIn account. A hacker is reportedly trying to sell a database dump that contains account records for 167 million users. Worried? Of course you should be: it could mean that the private data of a third of LinkedIn's users, possibly including yours, is at stake.
Per the BBC, the hacker made the announcement on a black market website called TheRealDeal. The hacker reportedly wants 5 bitcoins, or around $2,200, in exchange for the data set. If true, millions of user IDs, email addresses and SHA1 password hashes could be in danger of falling into the wrong hands.
How legitimate is the hacker’s claim?
Have I been pwned? is a website that lets you check whether you were affected by known data leaks, and its owner believes the hacker's claim is likely to be genuine. Troy Hunt, the site's creator, reportedly has access to around 1 million records from the data set.
Per PC World, Troy said via email: "I've seen a subset of the data and verified that it's legit."
Four years ago, LinkedIn had to reset some accounts that had been breached, and the current leak may well be connected to that incident, since the company only dealt with the accounts it knew to be affected. At the time, the company announced that it had reset every account it believed had been endangered.
LinkedIn now says it plans to repeat the same measure on a much larger scale, which raises the question of why the company failed to reset all accounts four years ago.
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” a spokeswoman for the California-based firm told the BBC.
“We have no indication that this is a result of a new security breach.
“We encourage our members to visit our safety centre to ensure they have two-step verification authentication and to use strong passwords in order to keep their accounts as safe as possible.”
Proof that the leaked data was sourced from the 2012 breach
A 2012 data breach affected 6.5 million LinkedIn users whose records and password hashes were posted online. While this is not official, there is a possibility that the 2012 breach was actually larger than reported.
According to the administrator of LeakedSource, a data leak indexing website, who is in possession of a copy of the data set, the records were sourced from the 2012 LinkedIn breach.
"Passwords were stored in SHA1 with no salting," the LeakedSource administrators said in a blog post. "This is not what internet standards propose. Only 117m accounts have passwords and we suspect the remaining users registered using Facebook or some similarity."
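To make the "SHA1 with no salting" point concrete, here is an added example (not code from the article, LeakedSource or LinkedIn) that contrasts that storage scheme with a salted, iterated one. The user records and passwords in it are constructed for illustration and are not from the leaked data set; the PBKDF2 parameters are assumptions chosen for the example. It shows the two properties a defender cares about: an unsalted SHA1 hash of a common password is a fixed, publicly known value, and two accounts sharing a password share a hash, whereas a per-user salt removes both exposures.

```python
import hashlib
import hmac
import os

# Constructed sample: two hypothetical users who happened to choose the same
# password. Not data from any real dump; values are made up for illustration.
USERS = {"alice@example.com": "linkedin123", "bob@example.com": "linkedin123"}

# Assumed parameters for the hardened scheme (PBKDF2-HMAC-SHA256, 16-byte salt).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha1(password):
    """The scheme described in the article: SHA-1 over the raw password, no salt.
    The output depends only on the password, so sha1("password") is the same
    well-known constant in every database that stores it this way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """A per-user random salt plus a slow, iterated hash. Returns a string that
    carries the parameters needed to verify later: algo$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def identical_hash_groups(table):
    """Group accounts that share a stored hash. With unsalted hashes this reveals
    exactly which users share a password; with salted hashes the groups vanish."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: salted_hash(p) for u, p in USERS.items()}
    print("unsalted SHA1, accounts sharing a hash:", identical_hash_groups(weak))
    print("salted PBKDF2, accounts sharing a hash:", identical_hash_groups(strong))
    print("verify alice:", verify_salted("linkedin123", strong["alice@example.com"]))
```

The `identical_hash_groups` check is the kind of audit a site operator can run over their own password table: any non-empty result means the storage scheme leaks password equality across accounts and should be migrated to a salted, slow hash on next login.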
Perhaps the only way out of this breach, at least in the interim, is to change all of your passwords, and not just the one for your LinkedIn account. If you are fond of using the same password for multiple websites, you might need to have a rethink.
This might also be the best time to pay a quick visit to your LinkedIn account and have your password changed if you haven’t done so for a while.
Got something on your mind to say or add to this story? Share it in the comments section.