Naked Security

Millions of LinkedIn passwords up for sale on the dark web

Darn cheap, too: the whole lot was priced at about $2,200. LinkedIn has confirmed that the data is legitimate.

Did you change your LinkedIn password after that massive 2012 leak of millions of passwords, which were subsequently posted online and cracked within hours?

If not, you better hop to it, most particularly if you reuse passwords on other sites (and please tell us you don’t – here’s why it matters!).

The news isn’t good: first off, what was initially thought to be a “massive” breach turns out to have been more like a massive breach that’s mainlining steroids.

At the time of the breach 4 years ago, “only” 6.5 million hashed (with plain SHA-1, and not salted!) passwords had been posted online.

But now, there are a way-more-whopping 117 million LinkedIn account emails and passwords up for sale.

As Motherboard reports, somebody going by the name of “Peace” says the data was stolen during the 2012 breach.

LinkedIn never did spell out exactly how many users were affected by that breach. In fact, LinkedIn spokesperson Hani Durzy told Motherboard that the company doesn’t actually know how many accounts were involved.

Regardless, it appears that it’s far worse than anybody thought.

Motherboard said that the stolen data’s up for sale on one site and in the possession of another.

The first is a dark web marketplace called The Real Deal that’s said to sell not only drugs and digital goods such as credit cards, but also hacking tools such as zero days and other exploits.

Peace has listed some 167 million LinkedIn accounts on that marketplace with an asking price of 5 bitcoin, or around $2,200.

The second place that apparently has the data is LeakedSource, a subscription-based search tool that lets people search for their leaked data. LeakedSource says it has 167,370,910 LinkedIn emails and passwords.

Out of those 167 million accounts, 117 million have both emails and hashed passwords, according to Motherboard.

A LeakedSource operator told Motherboard’s Lorenzo Franceschi-Bicchierai that so far, they’d cracked “90% of the passwords in 72 hours.”

As far as verification goes, LinkedIn confirmed that the data’s legitimate.

Before it did so, Troy Hunt, a security researcher who maintains the breach notification site “Have I Been Pwned?,” reached out to some of the victims of the data breach.

Two of them confirmed that yes, the password he shared was indeed the one they’d been using at the time of the breach.

Motherboard says it’s confirmed with a third victim that the password plucked from the dataset was his current password. But he changed that password as soon as Hunt reached out to him.

Why those hashed passwords were so easy to crack

LeakedSource has posted a list of what it says are the top most frequently used LinkedIn passwords.

They’re the usual suspects: “123456,” “linkedin,” “password,” etc. With the right technology, it takes less time to crack them than to type them in.

But even if they were devilishly&^%$tWisted???!!!,,,,, the passwords were still sitting ducks. That’s because while they were hashed, they weren’t salted: a fact that gave rise to a $5 million class action lawsuit filed against LinkedIn for failing to use industry standard security practices to protect users’ personally identifiable information (PII).

A salt is a random string added to a password before it’s cryptographically hashed.

The salt isn’t a secret cryptographic key – indeed, it’s typically stored along with the final password hash – but instead serves to ensure that if two users pick the same password, they don’t end up with the same hash.

Salting also ensures that hash-cracking lists can’t be pre-computed from a dictionary. You’d have to pre-compute a hash list for each possible salt combined with each possible dictionary word: an infeasible prospect. What a salt does not do is slow down guessing against any one hash: a user whose password is “123456” still falls on the attacker’s first try, which is why a salt is normally paired with a deliberately slow function such as bcrypt, scrypt or PBKDF2.
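The following is an added example written for this article, not code from LinkedIn or from the original post. It builds a small constructed “dump” (the accounts, passwords and wordlist are made up; none come from the leak) and shows the three regimes the text describes: bare SHA-1 as in 2012, where one pre-computed table cracks every account and identical passwords stand out as identical hashes; salted SHA-1, where the table is useless and each account costs a separate run over the wordlist; and a salted, deliberately slow PBKDF2 hash with a verify routine, since salting alone does nothing for a user who chose “123456”. The PBKDF2 iteration count is an assumed tuning value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts; none of these are from the leaked data.
# The last password is the article's own joke "strong" password.
SAMPLE_USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "123456",
    "carol@example.com": "linkedin",
    "dave@example.com": "devilishly&^%$tWisted???!!!,,,,,",
}

# Constructed attacker wordlist (a real one has millions of entries).
WORDLIST = ["123456", "password", "linkedin", "qwerty", "111111"]


def sha1_unsalted(password: str) -> str:
    """Bare SHA-1 over the password: the scheme behind the 2012 dump."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Same fast hash, but with a per-user salt prefixed to the password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_unsalted_dump(users: dict) -> dict:
    """What a stolen unsalted table looks like: email -> hex hash."""
    return {email: sha1_unsalted(pw) for email, pw in users.items()}


def make_salted_dump(users: dict) -> dict:
    """Salted table: email -> (salt, hex hash). The salt is stored in the clear."""
    out = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        out[email] = (salt, sha1_salted(pw, salt))
    return out


def build_lookup_table(wordlist) -> dict:
    """Attacker pre-computes hash -> word once; it works against every unsalted dump."""
    return {sha1_unsalted(w): w for w in wordlist}


def crack_unsalted(dump: dict, table: dict) -> dict:
    """One dictionary lookup per account, no hashing at crack time; users who
    picked the same password are exposed together because their hashes match."""
    return {email: table[h] for email, h in dump.items() if h in table}


def crack_salted(dump: dict, wordlist) -> tuple:
    """With salts the table is useless: every account costs a fresh pass over
    the wordlist. Returns (cracked, number_of_hashes_computed)."""
    cracked, work = {}, 0
    for email, (salt, h) in dump.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(sha1_salted(word, salt), h):
                cracked[email] = word
                break
    return cracked, work


# Salting only removes the pre-computation shortcut; a weak password still falls
# on the first guess. The missing ingredient is a deliberately slow hash.
PBKDF2_ITERATIONS = 600_000  # assumed tuning value; adjust to your CPU budget


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    unsalted = make_unsalted_dump(SAMPLE_USERS)
    print("unsalted: alice and bob share a hash:",
          unsalted["alice@example.com"] == unsalted["bob@example.com"])
    print("unsalted: cracked by table lookup:", crack_unsalted(unsalted, table))
    salted = make_salted_dump(SAMPLE_USERS)
    print("salted: table lookup finds:",
          crack_unsalted({e: h for e, (_, h) in salted.items()}, table))
    print("salted: per-account cracking (cracked, hashes computed):",
          crack_salted(salted, WORDLIST))
    stored = hash_password("123456")
    print("pbkdf2 verify right/wrong:", verify_password("123456", stored),
          verify_password("password", stored))
```

Note that the salted run still recovers the three weak passwords; it just costs the attacker a hash per guess per account instead of a free lookup, and with a fast hash like SHA-1 that is cheap. The PBKDF2 variant keeps the same salt idea but makes each guess cost hundreds of thousands of HMAC evaluations, which is what turns “90% in 72 hours” into something the attacker cannot afford.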

Salting is just the bare minimum level of protection LinkedIn should have used, the suit claimed.

That suit was settled in February 2015.

Soon after the June 2012 hack, LinkedIn said that passwords would be stored in salted hashed format. But that only pertained to passwords generated after the breach. Any passwords generated before the breach, and which haven’t since been changed, are not only sitting ducks: they’re unsalted sitting ducks.

For those who haven’t yet changed their passwords following the 2012 breach, there’s no time like the present to do it. And those who reuse those passwords on other sites and services should go change them there, too. And this time, make sure to use a unique password for each.

LinkedIn responds

On Wednesday, LinkedIn’s chief information security officer Cory Scott published a blog post about the logins now up for sale:

Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.

Scott encouraged users to use two-factor authentication (2FA) – what LinkedIn calls two-step verification (2SV) – and strong passwords. LinkedIn’s safety center has instructions on how to turn on 2SV.

2 Comments

Now the hackers who got my data from the recent hack of the United States government can cross reference that data with the employment dates they got from the LinkedIn hack.

A comment in the FB post for this article asks: “So…how do we know [if the email is] legitimately LinkedIn and not some random phishing attempt??” I think people might find this list useful when checking if emails could be fraudulent or ‘phishing’ emails:
1) There is often bad spelling and grammar in the fraudulent emails and sites;
2) If you hover your mouse pointer over the links in the email, the actual suspicious addresses are shown at the bottom of the screen;
3) If you have a personal relationship with the usual sender (friend or family, client etc.) they will probably use your name, and not a generic form like ‘Dear customer’;
4) A legitimate business would be extremely unlikely to ask in an email for your passwords, account details, or credit card details;
5) The style and content of the email is often different to what you have come to expect from the usual sender;
6) If you can check the full headers in a suspicious email, all the internet addresses in the route are revealed (with two letter country codes); they will probably be different to what you would find in an email from the real friend, business, etc.
[You’re welcome!]
