A four-year-old data breach is back to haunt LinkedIn

Steven Loeb · May 18, 2016 · Short URL: https://vator.tv/n/4584

A hacker is looking to sell the information of 117 million LinkedIn users stolen in 2012

When a security breach happens, there's nothing a company wants to do more than to put it behind them as quickly as possible, and for good reason. Who wants to constantly remind their users that their information might not be safe? Stolen data doesn't disappear so quickly, though.

That's a lesson LinkedIn is learning, with a years-old incident now coming back to haunt it.

The email and hashed password combinations of more than 100 million LinkedIn members have been released, the company announced on Wednesday. The data came from an incident that occurred four years ago, when the company was hacked all the way back in 2012. The company says the information that is being sold is not the result of a new breach.

While the company did not give an exact figure on how many accounts were affected, a report from Motherboard says that a total of 117 million users have had their information put up for sale, out of 167 million accounts that are in the dataset.

The hacker, who goes by the name “Peace,” is selling the data on the illegal dark web marketplace The Real Deal for 5 bitcoin (around $2,200).

The huge number of users raises some questions, since it was originally reported that only 6.5 million users had had their data accessed. 

Vator reached out to LinkedIn to find out if the company intentionally downplayed the scope of the hack, or if it was unaware of how many accounts had been affected. We are also trying to verify the total number of accounts that were affected. We will update this story if we learn more.

At the time of the original breach, LinkedIn had advised its users to change their passwords, and it is now doing so again, I guess in case they didn't do it all those years ago. The company now says it is also "taking immediate steps to invalidate the passwords of the accounts impacted," though it did not specify what exactly that meant. 

"We take the safety and security of our members' accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication," the company wrote.

"We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible."

Given that the information posted to LinkedIn is usually public, and the average user doesn't store anything that is very sensitive on the site, like their credit card or social security number, there's probably not too much for people to worry about. What they should take from this is that once data is stolen, it's out there forever.
