A hacker has offered to sell the account information of 117 million LinkedIn users, which was stolen in a 2012 hack, Motherboard reported last week.
The data includes users' email addresses and passwords.
The hacker, who goes by the handle "Peace," reportedly offered the data on The Real Deal -- a site on the dark web -- for 5 bitcoins -- about US$2,200.
Leaked Source last week announced it had more than 167 million records that were stolen during the 2012 LinkedIn hack.
It offered to provide LinkedIn with the full data set to assist with its reset jobs, but said it had no idea how to contact the company.
LinkedIn is aware of the data and is "taking immediate steps to invalidate the passwords of the accounts impacted," said Cory Scott, director of house security. It will contact those affected to reset their passwords.
Keeping LinkedIn Users Secure
"For several years, we have hashed and salted every password in our database," Scott said.
That may not be the case, according to Leaked Source.
About 1 million LinkedIn users' credentials purportedly from the 2012 hack provided by LeakedSource reportedly were encrypted or hashed with the SHA1 algorithm but weren't salted.
Salting is random data attached to hashes to make them harder to crack.
The credentials included email addresses, hashed passwords and the corresponding hacked passwords.
"It has been standard practice for a long time to store salted, hashed passwords," Giovanni Vigna, CTO of Last line and director of the Center for Cyber Security at the University of California at Santa Barbara.
It's not clear why LinkedIn would use the SHA1 algorithm, which has been known to have vulnerabilities since 2005.
Red Alert for Businesses
"If the data being offered is verified, this represents a massive risk to countless organizations. LinkedIn is work-related, so many employees of an enterprise will use their exact work credentials, username and password for their LinkedIn account," said John Gunn, a spokesperson for Vasco Data Security.
That would give hackers and their buyers login credentials for "many millions of enterprise employees," he told the E-Commerce Times.
Given that the hack occurred in 2012, how did LinkedIn fail to realize its true extent and the amount of data stolen?
"That's difficult to say," noted Last line's Vigna. "Once a person has access to a database, he can usually query all the data for which access has been granted. If an attack is performed with a specific exploit that, for example, allows only for the exfiltration of a limited number of records, it might be difficult to know how far the attacker has gone in exfiltrating data."
LinkedIn required only the 6.5 million users it knew were hit in 2012 to reset their passwords, not all users.
"It's a balancing act," said Craig Kensek, a security expert at Last line.
LinkedIn "chose the least disruptive solution for their members," he told the E-Commerce Times.
LinkedIn has encouraged members to learn about enabling two-step verification and to use strong passwords in the wake of the latest revelation.
"It's a great start," Vigna said.
"LinkedIn is a business platform," said Pierluigi Stella, CTO at Network Box USA.
Its users, he told TechNewsWorld, "should be well aware of issues such as this, know how to behave, and when to change their passwords."
I'm busy working on my blog posts. Watch this space!