LinkedIn, which suffered a major data breach in 2012, has uncovered new information suggesting that the hack was much worse than first thought.
In a blog post, the company warns that 100 million users appear to be affected, and that the stolen data includes not just passwords but email addresses as well.
That is a large chunk of its roughly 400 million users.
The company said it first learned of the additional set of data on Tuesday and is quickly shifting into crisis mode.
LinkedIn’s Data Breach was Much Worse Than You Thought
In 2012, the breach was thought to have exposed only some users' passwords.
In response, LinkedIn, the professional networking site, forced a password reset on the accounts it believed were compromised.
The company never said publicly how many users were affected.
Now, four years later, the technology website Motherboard reports that a hacker going by the name "Peace" is trying to sell the stolen information on the dark web.
The hacker claims to hold data on 167 million LinkedIn users, including password hashes and email addresses for 117 million of them.
According to Motherboard, the stolen data is currently offered in two places: the dark-web marketplace The Real Deal and LeakedSource, a search engine for breached data.
LinkedIn is now taking immediate steps to invalidate the passwords of the affected accounts and will contact those members to reset them.
Specifically, the company will invalidate the passwords of all accounts created before the 2012 incident whose passwords have not been changed since.
The stolen passwords were hashed, but not "salted": a salt is a random value stored alongside each hash so that identical passwords produce different hashes and a single precomputed table cannot be reused against every account at once.
LinkedIn says it now salts and hashes all passwords.
As a precaution, the company is urging all users to change their passwords and enable two-step verification.
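The difference between an unsalted and a salted store is easiest to see by attacking both. The example below is added here and is not LinkedIn's code or anything from the original report; it assumes unsalted SHA-1 as the weak scheme (the article does not name the algorithm) and uses a constructed four-user table and a six-word attacker wordlist. It shows that one lookup table built from the wordlist recovers every matching unsalted account in a single pass and that two users with the same password are visibly linked, whereas with per-user salts and an iterated KDF each account has to be guessed separately and duplicates are hidden.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real leaked records): a toy user table and the
# attacker's wordlist. Real dumps and wordlists are millions of entries; the
# mechanics are the same.
SAMPLE_USERS = {
    "alice@example.com": "linkedin2012",
    "bob@example.com": "password123",
    "carol@example.com": "password123",   # same password as bob
    "dave@example.com": "Tr0ub4dor&3",    # not in the wordlist
}
WORDLIST = ["123456", "password", "password123", "linkedin", "linkedin2012", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The assumed 2012-era scheme: one SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(hashes_by_email, wordlist):
    """Hash the wordlist once, then every leaked hash is a dictionary lookup.
    Work is len(wordlist) hashes no matter how many accounts leaked."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {email: table[h] for email, h in hashes_by_email.items() if h in table}


def salted_hash(password: str, salt=None, iterations: int = 10_000) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    The record carries the salt and iteration count needed to verify."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant time


def crack_salted(records_by_email, wordlist):
    """No shared table is possible: each record has its own salt, so every
    candidate must be re-derived per account. Returns (cracked, kdf_calls)."""
    cracked, calls = {}, 0
    for email, record in records_by_email.items():
        for w in wordlist:
            calls += 1
            if verify_salted(w, record):
                cracked[email] = w
                break
    return cracked, calls


def demo():
    # Attack 1: the leak stores unsalted SHA-1.
    unsalted = {e: unsalted_sha1(p) for e, p in SAMPLE_USERS.items()}
    found = crack_unsalted(unsalted, WORDLIST)
    # Attack 2: the same passwords stored salted with a slow KDF.
    salted = {e: salted_hash(p) for e, p in SAMPLE_USERS.items()}
    found_salted, calls = crack_salted(salted, WORDLIST)
    return {
        "unsalted_cracked": len(found),
        "duplicate_hashes_visible": unsalted["bob@example.com"] == unsalted["carol@example.com"],
        "salted_cracked": len(found_salted),
        "salted_records_identical": salted["bob@example.com"] == salted["carol@example.com"],
        "kdf_calls_needed": calls,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what salting does and does not do: the three weak passwords still fall to the wordlist, but only after a separate KDF run per account (17 calls here instead of 6 hashes total), and bob's and carol's identical passwords no longer produce identical records. The per-guess cost is set by the iteration count; a dedicated password hash such as bcrypt, scrypt or Argon2 is the usual choice for new systems, and the PBKDF2 parameters above are deliberately low so the example runs quickly.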
For companies like LinkedIn, responding to a data breach is a difficult balancing act.
Computer intrusion is a murky business, and breach investigations don't always reveal the full picture, so it isn't unusual for a company to underestimate the extent of a hack.
In that sense LinkedIn isn't in a unique position; many organizations struggle with the same problem.