Users who haven't changed their passwords since the 2012 breach could soon find their accounts compromised.
A LinkedIn hack from 2012 has resurfaced, the company announced May 18. The email addresses and LinkedIn passwords of more than 100 million users obtained in that breach were recently released.
LinkedIn reports that it is invalidating the affected accounts and notifying members to reset their passwords.
“We take the safety and security of our members' accounts seriously,” the LinkedIn announcement reads. “For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual-factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.”
A hacker named “Peace” is trying to sell the data, which includes about 167 million accounts, 117 million of which have both an email and password, for 5 bitcoin, which equates to about $2,200.
Motherboard reports that the passwords were originally encrypted or hashed with the SHA1 algorithm, but with no “salt,” which means the hashes lack a series of random digits at the end that would make them harder to crack.
Users who have changed their password since the 2012 breach should not be affected.
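What the missing salt means in practice, as an added example that is not LinkedIn's code or part of the original report: with plain SHA1, every account using the same password stores the same hash, while a per-user random salt and a slow key-derivation function give each account a different record. The accounts, the PBKDF2 choice and the round count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the leaked data); two share a password.
USERS = [
    ("alice@example.com", "linkedin2012"),
    ("bob@example.com", "linkedin2012"),
    ("carol@example.com", "correct horse battery staple"),
]

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your own hardware


def sha1_unsalted(password):
    """The scheme the article describes: plain SHA1 with no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt=None):
    """Salted, deliberately slow hash. Returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_salted(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_salted(password, salt)
    return hmac.compare_digest(key, expected_key)


def distinct_unsalted(users):
    """Number of different stored values under unsalted SHA1."""
    return len({sha1_unsalted(pw) for _, pw in users})


def distinct_salted(users):
    """Number of different stored values under salted PBKDF2."""
    return len({hash_salted(pw) for _, pw in users})


if __name__ == "__main__":
    print("unsalted SHA1 distinct records:", distinct_unsalted(USERS))
    print("salted PBKDF2 distinct records:", distinct_salted(USERS))
```

Under the unsalted scheme, one hash computed once matches every account that chose that password; with salts, each stored record has to be worked on separately.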