Millions of LinkedIn users' passwords leaked in a massive breach in 2012 have turned up for sale this week on a dark web market site for about 5 bitcoin, or approximately $2,200. It was intially reported that the security breach affected only 6.5 million users, but media reports Wednesday said 167 million accounts had been leaked, including 117 million featuring both emails and encrypted passwords.
Members who used the same password for LinkedIn and other sites might face the most risk. The hacker behind the privacy breach put the LinkedIn credentials up for sale this week on a dark web market known as the Real Deal. It's unknown how the dealer, who goes by the name Peace, obtained the information.
A LinkedIn spokesperson told Forbes the California-based company was investigating the breach and would reset passwords of affected users.
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of LinkedIn members from that same theft in 2012,” a statement said. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is a result of a new security breach.”
Troy Hunt, a security expert, said LinkedIn users don't necessarily need to worry about someone changing their current job title or work history on the business-focused social media site. “The reality is, it’s a breach from four years ago, and some passwords won’t just be valid today, they’ll be valid across different sites,” Hunt said.
LinkedIn is used to send work-related messages, find networking contacts and explore career opportunities. Members often choose to make their activity on LinkedIn private because of the nature of the site.
Those who used the site at the time of the breach should change their LinkedIn password. If the same password was used on other sites, such as Facebook or a personal bank account, those passwords should be changed too.