LinkedIn says a 2012 hack of its site may have been far worse than it previously knew, with more than 100 million users having their email and password information stolen.
The company "became aware" on Wednesday of new data that claims to be "email and hashed password combinations of more than 100 million LinkedIn members" taken in the 2012 hack, according to a blog post by Cory Scott, the company's Chief Information Security Officer.
Scott said LinkedIn was "taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords."
Motherboard reported early Wednesday that a hacker identifying themselves as "Peace" had told the publication that the 117 million passwords and emails they were trying to sell were from the 2012 hack. Peace, Motherboard wrote, was selling the data for a mere $2,200 (and asking for payment in bitcoin, of course).
By the end of 2012, LinkedIn had just over 200 million accounts. By the end of 2011, LinkedIn had 145 million members, meaning that more than half of the current users at the time of the hack had their information stolen, if the new claims are true. In 2012, when the hack was first discovered, just over 6 million were posted in a forum used by Russian hackers.
Scott recommended that LinkedIn users use two-step verification and use strong passwords.
In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members' passwords. At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure. Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
We take the safety and security of our members' accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.