Quite literally, every day someone gets hacked. Whether that’s a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.
A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users.
The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach.
Turns out it was much worse than anybody thought.
Peace is selling the data on the dark web illegal marketplace The Real Deal for 5 bitcoin (around $2,200). The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and the one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords.
“It is only coming to the surface now. People may not have taken it very seriously back then as it was not spread,” one of the people behind LeakedSource told me. “To my knowledge the database was kept within a small group of Russians.”
LeakedSource provided Motherboard with a sample of almost one million credentials, which included email addresses, hashed passwords, and the corresponding hacked passwords. The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked.
One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours.”
Troy Hunt, a security researcher who maintains the breach notification site “Have I Been Pwned?,” reached out to some of the victims of the data breach. Two of them confirmed to Hunt that they indeed were users of LinkedIn and that the password he shared with them was the one they were using at the time of the breach. Motherboard was able to confirm a third victim.
One of the victims told Motherboard that the password in the sample was their current one, though he changed it as soon as Hunt reached out no notify him of the breach.
“Having a password out there feels like someone being able to let themselves in to your private space whenever they like, without you knowing,” the victim, who asked to remain anonymous, said in an email.
When reached for comment on Tuesday, LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen.
“We don’t know how much was taken,” Durzy told me in a phone call.
The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store password in an insecure way. As for LinkedIn users, if you didn’t already change your password four years ago, change it again, especially if you use it on other services (and please stop reusing passwords).
“The prevalence of password reuse means we’ll see that unlock other accounts too,” Hunt told me.
Another lesson is that even old hacked data can sometimes be valuable, given that some of these passwords might still be valid.