LinkedIn says that it is moving quickly to deal with the release of data from a 2012 security breach, which could include 117 million passwords.
A hacker is reportedly looking to sell a package containing account records for 167 million LinkedIn users on the darknet. Some 117 million of the accounts are said to contain “hashed” passwords, meaning the passwords are stored as the output of a one-way hashing algorithm rather than in plaintext.
The darknet refers to private networks built from connections between trusted peers using unconventional protocols. Darknets are just one part of what is known as the deep web – the vast portion of the Internet that is not indexed by search engines such as Google and Bing.
In a blog post Wednesday, LinkedIn said that it became aware of the released data Tuesday, noting that it purportedly contains “email and hashed password combinations for more than 100 million LinkedIn members” from the 2012 breach. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” said LinkedIn’s Chief Information Security Officer Cory Scott.
In a subsequent post, LinkedIn said that it has started to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach. “We will be letting individual members know if they need to reset their password,” explained Scott. “However, regularly changing your password is always a good idea and you don’t have to wait for the notification.”
“We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply,” he added. “In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.”
With regard to the 117 million passwords, a LinkedIn spokeswoman told FoxNews.com that the company is “working to determine how many of what is purported to be available in this data set are current and/or active.”
Digital Trends notes that only 6.5 million LinkedIn passwords were leaked to the Internet following the 2012 breach. However, security experts say there is evidence that the latest sale is using records accessed in the 2012 attack.
The haul of LinkedIn data is reportedly on sale for $2,200.
Tod Beardsley, security research manager at cybersecurity specialist Rapid7, told FoxNews.com that the most valuable data in the LinkedIn compromise may not be the passwords at all, but the enormous registry of email addresses connected to working professionals. “Spammers rely on accurate, active email addresses to target, and the low price tag of 5 Bitcoin (approximately $2,200) is likely to generate significant interest from today's spam industry,” he explained. “While people's passwords can and should change routinely, email addresses and usernames persist for years without easy mechanisms to change them.”
Selling off additional data is regular practice by cybercriminals, according to Amit Ashbel, director of product marketing at application security specialist Checkmarx. “Once they manage a large hack they will always save something for a rainy day,” he said, via email. “The fact that these are now being sold online indicates to me more than anything else that the hacker needs cash and now is the time to pop out that old stash and sell to the highest bidder.”
Follow James Rogers on Twitter @jamesjrogers