The 2012 LinkedIn data breach was believed to have resulted in the theft of 6.5 million emails and encrypted passwords; however, the data breach appears to be worse than previously thought with considerably more data stolen. Those data have now been listed for sale on a darknet marketplace, prompting LinkedIn to contact a substantial percentage of its users to get them to change their passwords.
117 Million Unsalted SHA-1 Hashes and Corresponding Usernames from 2012 LinkedIn Data Breach Listed for Sale
A hacker called “Peace” listed 117 million LinkedIn email and encrypted password combinations for sale this week. LinkedIn believes the data also came from the 2012 LinkedIn data breach. The data were in the same format as the 6.5 million password and email combinations that were previously listed for sale. The latest batch of data has been listed for sale for a reported $2,200.
The passwords stolen in the 2012 LinkedIn data breach were unsalted SHA-1 hashes. Although the passwords were hashed rather than stored in plain text, unsalted SHA-1 offers little protection: the same password always produces the same hash for every user, and SHA-1 is fast to compute, so the hashes can be cracked with relative ease.
Soon after the 2012 LinkedIn data breach, the 6.5 million account details were offered for sale on a Russian hacking forum. Motherboard reports that as many as 90% of those passwords were cracked. The new listing now places 18 times as many users at risk of having their accounts compromised.
LinkedIn users who joined the professional networking website after the 2012 data breach will not be affected by the data sale, although older users of the site could be at risk, especially if the password they used for their LinkedIn account has been reused for other logins elsewhere online.
Individuals who tend to use the same passwords on multiple websites or those who recycle old passwords are advised to change their passwords on their banking websites, social media profiles, email accounts, and other online sites if there is a possibility that they have used the same password as they used on LinkedIn prior to the 2012 breach.
The 2012 LinkedIn data breach was possible because security at the time was not particularly robust, although that has since been addressed. LinkedIn now salts its hashes and offers two-factor authentication and email challenges. Since being alerted to the listing of the password/username combinations, LinkedIn has been contacting affected users and attempting to invalidate passwords and force users to reset them.
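The difference between the 2012-era unsalted SHA-1 scheme and the salted scheme LinkedIn adopted afterwards is easiest to see in code. The following is an added example, not code from the original article or from LinkedIn; the accounts, passwords and wordlist are constructed, and the salted scheme shown (PBKDF2-HMAC-SHA256 with a random per-user salt) is assumed as a representative replacement, not LinkedIn's actual implementation. It shows why one precomputed table exposes every account in an unsalted table at once, why identical digests leak shared passwords before any cracking, and how a per-user salt plus a slow key derivation function removes both properties.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts (not real LinkedIn data): two users share a password.
SAMPLE_ACCOUNTS = {
    "user1@example.com": "sunshine",
    "user2@example.com": "Tr0ub4dor&3",
    "user3@example.com": "sunshine",
}

# Constructed "common passwords" list, standing in for a real wordlist.
COMMON_PASSWORDS = ["password", "123456", "sunshine", "linkedin"]


def sha1_unsalted(password: str) -> str:
    """The 2012-era scheme: plain SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Assumed replacement scheme: random 16-byte salt per user plus a deliberately
    slow KDF (PBKDF2-HMAC-SHA256). Stored as 'iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), digest_hex)


def audit_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Defender's audit of an unsalted table: hash the wordlist ONCE and see which
    accounts that single table exposes. No salt means the same table applies to
    every account, which is why a large unsalted dump cracks so quickly."""
    table = {sha1_unsalted(word): word for word in wordlist}
    return {email: table[digest] for email, digest in stored.items() if digest in table}


def duplicate_groups(stored: Dict[str, str]) -> Dict[str, List[str]]:
    """Identical digests reveal identical passwords before any cracking at all.
    With per-user salts this function finds nothing, even for shared passwords."""
    groups: Dict[str, List[str]] = {}
    for email, digest in stored.items():
        groups.setdefault(digest, []).append(email)
    return {d: emails for d, emails in groups.items() if len(emails) > 1}


if __name__ == "__main__":
    unsalted = {e: sha1_unsalted(p) for e, p in SAMPLE_ACCOUNTS.items()}
    salted = {e: pbkdf2_salted(p) for e, p in SAMPLE_ACCOUNTS.items()}
    print("unsalted accounts exposed by one wordlist table:", audit_unsalted(unsalted, COMMON_PASSWORDS))
    print("unsalted accounts sharing a password:", duplicate_groups(unsalted))
    print("salted accounts sharing a digest:", duplicate_groups(salted))
    print("salted verify of correct password:", verify_pbkdf2("sunshine", salted["user1@example.com"]))
```

The audit step is the same check a defender can run against their own password table: if any stored digest matches a hash of a common password, that account should be forced through a reset, which is the action LinkedIn describes taking. With salting, each guess must be recomputed per account and per salt, and the iteration count makes every recomputation expensive, so the 90% crack rate reported for the unsalted 2012 data does not carry over.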
It is strongly advisable to log in to LinkedIn and change your password as a precaution if you are unsure whether you have changed it since 2012.