A hacker is attempting to sell 117 million LinkedIn users' emails and passwords on the dark web.
The black hat "Peace" claims the data is the fruit of the well-publicised LinkedIn breach of 2012. At the time, only around 6.5 million password hashes (unsalted SHA-1, not encrypted passwords) were posted online.
The business-focused social network LinkedIn never confirmed how many users were affected by that breach. Peace's sale – if genuine – means the breach is more severe than previously feared.
Respected security researcher Troy Hunt, an expert in breach verification, says that the breach looks legit, which in itself is reason enough to take the incident seriously.
Logins are for sale on at least two hacking-related websites at prices of 5 BTC. LinkedIn reportedly plans to reset a large number of accounts to limit the damage.
Changing passwords may help in the circumstances, but according to some experts the passwords are not even the greater problem created by the reported hack.
Tod Beardsley, security research manager at Rapid7, the firm behind Metasploit, commented: "When the LinkedIn compromise was first reported in 2012, LinkedIn invalidated the passwords for 'all affected users,' which at the time was believed to have been about 6 million of their 140 million user accounts.
"Unfortunately, it would seem that password reset fell short of what we now know to be over a hundred million accounts. LinkedIn users are urged to not only change their passwords today, but to rotate passwords routinely.
"In addition, LinkedIn supports SMS-based two-factor authentication (2FA) – this provides a significant increase in protection; those users that rely on LinkedIn for private communication (example: recruiters, job seekers, etc.) especially should enable 2FA controls to help protect against exactly this sort of breach," he added.
"The most valuable data in the LinkedIn compromise may not be the passwords at all, but the enormous registry of email addresses connected to working professionals. Spammers rely on accurate, active email addresses to target, and the low price tag of 5 Bitcoin (approximately $2200) is likely to generate significant interest from today's spam industry. While people's passwords can and should change routinely, email addresses and usernames persist for years without easy mechanisms to change them." ®