According to a LinkedIn report, the 2012 hack which exposed nearly 6.5 million users has in fact affected 117 million accounts. As a result, the website announced that it would force all the potentially affected users to reset their passwords.
The company learned about the hack when an anonymous hacker posted 6.5 million encrypted LinkedIn passwords on a popular hacker-recruiting site. Fellow hackers cracked some of the passwords and learned that many of the passwords included the word ’linkedin.’
As a response, the business networking giant forced a password reset on all affected users. But no other measures were taken. In the meantime, another hacker had plans to sell login data of 117 million LinkedIn accounts on a cybercrime bazaar. The hacker said that the data was stolen during the 2012 leak.
Furthermore, the LeakedSource site now says it allows its subscribers to search a database with the 117 million LinkedIn records for $4 per day.
The company said that it has recently become aware of another data set leaked in the 2012 data breach. The data set reportedly contains password data and e-mail addresses linked to more than 100 million accounts. As a result, a password reset will be forced upon all the affected users. The site did not link the newly discovered data set to a new cyber attack.
Moreover, people familiar with the matter said that the company has a copy of the 117 million stolen records, and the management believes the data are genuine. LinkedIn security experts are now sifting through the data set to learn which accounts are still active.
But independent cyber security experts believe that the company’s decision to force a password reset on only a fraction of its user base could open the way to more attacks. LinkedIn argued in 2012 that it would not force all users to reset passwords, so as not to disrupt their LinkedIn experience.
The site now has over 400 million registered accounts, of which just a quarter are used monthly.
Alex Holden of Hold Security was one of the experts who first discovered the 2012 breach. Holden recalls that the passwords were encrypted and unique. Additionally, the passwords couldn’t be cracked with conventional tools. Back then, Holden said he believed that the hacker disclosed only the passwords that he personally was not able to decrypt, so there might be more.