Millions of LinkedIn passwords up for sale on the dark web

Did you change your LinkedIn password after that massive 2012 leak of millions of passwords, which were subsequently posted online and cracked within hours?

If not, you’d better hop to it, particularly if you reuse passwords on other sites (and please tell us you don’t – here’s why it matters!).

The news isn’t good: first off, what was initially thought to be a “massive” breach turns out to have been more like a massive breach that’s mainlining steroids.

At the time of the breach 4 years ago, “only” 6.5 million hashed (but not salted!) passwords had been posted online.

But now, there are a way-more-whopping 117 million LinkedIn account emails and passwords up for sale.

As Motherboard reports, somebody going by the name of “Peace” says the data was stolen during the 2012 breach.

LinkedIn never did spell out exactly how many users were affected by that breach. In fact, LinkedIn spokesperson Hani Durzy told Motherboard that the company doesn’t actually know how many accounts were involved.

Regardless, it appears that it’s far worse than anybody thought.

Motherboard said that the stolen data’s up for sale on one site and in the possession of another.

The first is a dark web marketplace called The Real Deal that’s said to sell not only drugs and digital goods such as credit cards, but also hacking tools such as zero days and other exploits.

Peace has listed some 167 million LinkedIn accounts on that marketplace with an asking price of 5 bitcoin, or around $2,200.

The second place that apparently has the data is LeakedSource, a subscription-based search tool that lets people search for their leaked data. LeakedSource says it has 167,370,910 LinkedIn emails and passwords.

Out of those 167 million accounts, 117 million have both emails and encrypted passwords, according to Motherboard.

A LeakedSource operator told Motherboard’s Lorenzo Franceschi-Bicchierai that so far, they’d cracked “90% of the passwords in 72 hours.”

As far as verification goes, LinkedIn confirmed that the data’s legitimate.

Before it did so, Troy Hunt, a security researcher who maintains the breach notification site “Have I Been Pwned?,” reached out to some of the victims of the data breach.

Two of them confirmed that yes, the password he shared was indeed the one they’d been using at the time of the breach.

Motherboard says it’s confirmed with a third victim that the password plucked from the dataset was his current password. But he changed that password as soon as Hunt reached out to him.

Why those hashed passwords were so easy to crack

LeakedSource has posted a list of what it says are the most frequently used LinkedIn passwords.

They’re the usual suspects: “123456,” “linkedin,” “password,” etc. With the right technology, it takes less time to crack them than to type them in.

But even if they were devilishly&^%$tWisted???!!!,,,,, the passwords were still sitting ducks. That’s because while they were hashed, they weren’t salted: a fact that gave rise to a $5 million class action lawsuit filed against LinkedIn for failing to use industry standard security practices to protect users’ personally identifiable information (PII).

A salt is a random string added to a password before it’s cryptographically hashed.

The salt isn’t a secret cryptographic key – indeed, it’s typically stored along with the final password hash – but instead serves to ensure that if two users pick the same password, they don’t end up with the same hash.

Salting also ensures that hash-cracking lists can’t be pre-computed from a dictionary. You’d have to pre-compute a hash list for each possible salt combined with each possible dictionary word: an infeasible prospect.
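The effect described above, as an added example that is not part of the original article: a table pre-computed from a dictionary recovers every unsalted hash with a lookup, while the same table finds nothing once each user has a random salt. SHA-256 stands in as the fast hash (the article does not name the algorithm), and the user names and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: user names and passwords are made up for this example.
USERS = {"alice": "123456", "bob": "linkedin", "carol": "123456"}
DICTIONARY = ["123456", "linkedin", "password"]  # passwords named in the article

def unsalted_hash(password: str) -> str:
    # A fast hash with no salt: identical passwords give identical digests.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # The salt is prepended before hashing and stored next to the digest.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def crack_with_table(stored: dict, table: dict) -> dict:
    # One table lookup per account; no hashing is needed at lookup time.
    return {user: table[h] for user, h in stored.items() if h in table}

def verify(password: str, salt: bytes, digest: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted_hash(password, salt), digest)

def demo() -> dict:
    # Built once from the dictionary, reusable against any unsalted dump.
    table = {unsalted_hash(word): word for word in DICTIONARY}

    unsalted_db = {u: unsalted_hash(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}  # one random salt per user
    salted_db = {u: salted_hash(p, salts[u]) for u, p in USERS.items()}

    return {
        "unsalted_cracked": crack_with_table(unsalted_db, table),
        "salted_cracked": crack_with_table(salted_db, table),
        "same_password_same_unsalted_hash": unsalted_db["alice"] == unsalted_db["carol"],
        "same_password_same_salted_hash": salted_db["alice"] == salted_db["carol"],
        "login_still_works": verify("123456", salts["alice"], salted_db["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

Salting only defeats table reuse and hides which users share a password; each account can still be guessed one candidate at a time using its stored salt.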

Salting is just the bare minimum level of protection LinkedIn should have used, the suit claimed.

That suit was settled in February 2015.

Soon after the June 2012 hack, LinkedIn said that passwords would be stored in salted hashed format. But that only pertained to passwords generated after the breach. Any passwords generated before the breach, and which haven’t since been changed, are not only sitting ducks: they’re unsalted sitting ducks.

For those who haven’t yet changed their passwords following the 2012 breach, there’s no time like the present to do it. And those who reuse those passwords on other sites and services should go change them there, too. And this time, make sure to use a unique password for each.

LinkedIn responds

On Wednesday, LinkedIn’s chief information security officer Cory Scott published this blog post about the logins now up for sale:

Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.

Scott encouraged users to use two-factor authentication (2FA) – what LinkedIn calls two-step verification (2SV) – and strong passwords. LinkedIn’s safety center has instructions on how to turn on 2SV.