Over 100 million LinkedIn IDs are being sold by a hacker.
The IDs that are advertised are apparently from a security breach that occurred 4 years ago. At the time, the impact of the leak was thought to be smaller: LinkedIn reset the passwords of the accounts it believed had been compromised. A similar process is now going to be carried out on a much larger scale.
A spokesperson for the social network company said:
We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is a result of a new security breach.
We encourage our members to visit our safety centre to ensure they have two-step verification authentication and to use strong passwords in order to keep their accounts as safe as possible.
The news site Motherboard reported the details of the advertisement for the login sale. The number of leaked passwords is over 117 million. The details of these accounts are being advertised on at least two hacking-related websites. The passwords are hashed rather than stored in plain text, but in a way that is relatively easy to crack.
Troy Hunt, a security researcher who had been given access to around one million of the IDs that were advertised, said that it was highly likely that the leak was authentic.
I’ve personally verified the data with multiple subscribers [of my own site] ‘Have I been pwned’; they’ve looked at the passwords in the dump and confirmed they’re legitimate.
Why Did The Leak Happen?
An expert mentioned that the issue arose because LinkedIn “hashed” their passwords but did not “salt” them before storage. Hashing is when an algorithm is used to transform a password into a fixed-length string of characters.
Rik Ferguson, chief technology officer at the cybersecurity firm Trend Micro, said:
A salt involves adding a few random characters, which are different on a per-user basis, to the passwords [before they are hashed],
This prevents the hackers from using “rainbow tables”, which have a list of commonly used passwords and the types of hashes they make, to see if any of those match the ones in the stolen password database.
LinkedIn introduced this practice after the initial attack 4 years ago, which can only benefit the users that joined afterwards.
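The difference between unsalted and salted storage that Ferguson describes, as an added illustration that is not part of the article or of LinkedIn's systems. The user list and the short table of common passwords are constructed; SHA-1 is assumed for the unsalted case only for illustration (the article does not name the algorithm), and the salted version uses PBKDF2 as one reasonable choice of per-user salted, slow hashing.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample of user passwords; "123456" is deliberately reused.
USERS = {"alice": "123456", "bob": "letmein", "carol": "123456"}


def hash_unsalted(password: str) -> str:
    """Unsalted hash (SHA-1 assumed for illustration): identical passwords
    always yield identical hashes, so one match exposes every user who chose it."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt mixed in before hashing, with a slow KDF (PBKDF2).
    The salt is stored next to the hash; it need not be secret, only unique."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(hash_salted(password, salt)[1], stored)


# A small precomputed table of common passwords hashed without salt: the idea
# behind the "rainbow tables" in the quote. It is built once, before any leak,
# and one lookup serves every account in a stolen unsalted database.
COMMON = ["password", "123456", "qwerty", "letmein"]
PRECOMPUTED = {hash_unsalted(p): p for p in COMMON}


def table_hits_unsalted(store: Dict[str, str]) -> Dict[str, str]:
    """user -> password for every unsalted hash found in the precomputed table."""
    return {u: PRECOMPUTED[h] for u, h in store.items() if h in PRECOMPUTED}


def table_hits_salted(store: Dict[str, Tuple[bytes, str]]) -> Dict[str, str]:
    """Same table against salted storage: the per-user salt means no entry can
    match, so the precomputation buys the attacker nothing."""
    return {u: PRECOMPUTED[h] for u, (_, h) in store.items() if h in PRECOMPUTED}
```

Build the two stores with `{u: hash_unsalted(p) for u, p in USERS.items()}` and `{u: hash_salted(p) for u, p in USERS.items()}` to see that alice and carol share a hash only in the unsalted store, and that the precomputed table recovers every unsalted password but none of the salted ones.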
Rik also added:
If LinkedIn is saying now that it didn’t know which accounts had been affected by the breach, then the sensible thing to have done at the time would have been a system-wide forced reset of every password.