LinkedIn users’ data on sale on the dark web

A hacker has put up a batch of info about 167 million LinkedIn accounts for sale on dark web marketplace The Real Deal. Of these, some 117 million records contain email addresses and encrypted (hashed) passwords.

The leaked info was stolen from LinkedIn in 2012. At the time, it seemed that it involved account info of some 6.5 million users, and LinkedIn forced a password reset for all accounts they believed were compromised.

Yesterday, the company effectively admitted that the data leaked is genuine, and said that they “have begun to invalidate passwords for all accounts created prior to the 2012 breach​ that haven’t update​d​ their password since that breach.” The affected users will also be notified individually of this move.

“We have demanded that parties cease​ making stolen password data available​ and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts,” said LinkedIn CISO Cory Scott, and encouraged users to use strong passwords and to enable two-step verification on their accounts.

LeakedSource also got their hands on the leaked data, and analyzed the passwords (hashed with SHA1, and not salted).

The list of top passwords used expectedly shows that a lot of people just don’t care about choosing a strong, unique, and hard-to-guess password:

Top passwords used by LinkedIn users

Researcher Troy Hunt also more or less confirmed that the leaked data is legitimate.

If you are a LinkedIn user, I would suggest that you change your password now, just in case, and don’t wait for them to confirm your password has been compromised. Make sure not to use one of the passwords in the list above, and don’t choose a password that you’re already using elsewhere.