A hacker calling himself “Peace” is trying to sell 117 million LinkedIn users’ email addresses and passwords that were stolen in a 2012 data breach, Motherboard reports. The asking price is 5 bitcoin (approximately $2,200).
Back in 2012, reports had only indicated that the breach exposed at least 6 million passwords. According to Motherboard, the database actually includes 167 million records, of which approximately 117 million include both email addresses and encrypted passwords.
“It is only coming to the surface now,” a representative of the search engine LeakedSource, which claims to have a copy of the data, told Motherboard. “People may not have taken it very seriously back then as it was not spread. To my knowledge the database was kept within a small group of Russians.”
In a blog post published on May 18, LinkedIn CISO Cory Scott wrote, “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.”
All affected passwords are being reset, Scott wrote, and all those impacted will be notified. “We have no indication that this is as a result of a new security breach,” he added.
Motherboard notes that the LinkedIn passwords were stored as SHA-1 hashes, but not salted — a LeakedSource representative told Motherboard that they were able to crack “90 percent of the passwords in 72 hours.”
According to the results of a recent Spiceworks survey of more than 600 IT professionals, 57 percent of respondents said they believe encryption has helped their organization avoid a data breach.
Still, only 36 percent of respondents encrypt data at rest on laptops and desktops, and only 31 percent do so on servers. Sixteen percent of respondents aren’t enforcing data encryption across any of their devices or services.
John Peterson, vice president of enterprise products at Comodo, told eSecurity Planet by email that there needs to be a constant sense of heightened security when it comes to protecting passwords. “Consumers, small businesses and large enterprises all need to understand that criminals have established, working organizations with paid hackers, spammers and phishing experts who think of ways to steal and leverage passwords, bank records, social security numbers, company trade secrets and data, and credit card and financial data every minute of every day,” he said.
“Only with end to end security that takes into account issues like endpoint, breach detection and secure web gateways can companies of all sizes look to beat the cybercriminal at their own game,” Peterson added.
A recent eSecurity Planet article examined 10 encryption tools you should know.