Login details were offered for sale on the dark web for $2,200 in bitcoin. There are 167 million accounts for sale, but only 117 million were determined to have corresponding email and password information.
The stolen credentials came from a breach of LinkedIn four years ago.
LinkedIn enforced a mandatory password reset for affected users at the time of the 2012 breach, but the hack was then thought to be a fraction of its actual size. In 2012 it was believed that only 6.5 million accounts were hacked, while recent news reveals it was actually 18 times that number.
To make matters worse, the 2012 passwords were stored as unsalted SHA-1 hashes, meaning that they are more easily cracked by cybercriminals. Indeed, Motherboard asserts that upwards of 90% of the passwords were cracked within 72 hours.
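The difference between unsalted SHA-1 storage and a salted, slow hash can be seen in the sketch below. It is an added example, not code from the article or from LinkedIn; the accounts are constructed, and PBKDF2-HMAC-SHA256 with the iteration count shown is an assumed choice of hardened scheme.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; none of this is data from the breach.
ACCOUNTS = [
    ("alice@example.com", "linkedin123"),
    ("bob@example.com", "linkedin123"),  # same password as alice
    ("carol@example.com", "plum-Tractor-58"),
]
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted_sha1(password):
    """The weak scheme the article describes: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password, salt=None):
    """Per-account random salt plus a deliberately slow key derivation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(salted_pbkdf2(password, salt)[1], expected)


def accounts_sharing_a_record(table):
    """Group accounts whose stored value is byte-for-byte identical."""
    groups = defaultdict(list)
    for account, stored in table.items():
        groups[stored].append(account)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def build_tables():
    """Return the same accounts stored under the weak and the hardened scheme."""
    weak = {a: unsalted_sha1(p) for a, p in ACCOUNTS}
    strong = {a: salted_pbkdf2(p) for a, p in ACCOUNTS}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted SHA-1, shared records:", accounts_sharing_a_record(weak))
    print("salted PBKDF2, shared records:", accounts_sharing_a_record(strong))
```

With no salt, every account that chose the same password stores the same digest, so recovering it once exposes all of them; with a random per-account salt the stored records differ and each one has to be worked on separately at the cost of the full iteration count.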
LinkedIn confirmed the breach in an email statement, and acknowledged that it was actively investigating the issue and reaching out to users who may be affected. Over the past four years, LinkedIn has significantly strengthened its security measures, but those measures would obviously not have been in place if the hack does indeed originate from 2012.
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach,” the company said in a statement about the news.
Those who are concerned would be well advised to change their LinkedIn login credentials, as well as the password on any other digital accounts that may use the same password.