A hacker is selling 167 million LinkedIn user records - wilsonretininds
A hacker is trying to sell a database dump containing account records for 167 million LinkedIn users.
The announcement was posted on a dark market website called TheRealDeal by a user who wants 5 bitcoins, or around $2,200, for the data set that supposedly contains user IDs, email addresses and SHA1 password hashes for 167,370,940 users.
According to the sale ad, the dump does not cover LinkedIn's complete database. Indeed, LinkedIn claims on its website to have over 433 million registered members.
Troy Hunt, the creator of Have I been pwned?, a site that lets users check if they were affected by known data breaches, thinks that it's highly likely for the leak to be legitimate. He had access to around 1 million records from the data set.
"I've seen a subset of the data and verified that it's legit," Hunt said via email.
LinkedIn suffered a data breach back in 2012, which resulted in 6.5 million user records and password hashes being posted online. It's highly possible that the 2012 breach was actually larger than previously thought and that the rest of the stolen data is surfacing now.
LinkedIn did not immediately respond to a request for comment.
Attempts to contact the seller failed, but the administrators of LeakedSource, a data leak indexing website, claim to also have a copy of the data set and they believe that the records do originate from the 2012 LinkedIn breach.
"Passwords were stored in SHA1 with no salting," the LeakedSource administrators said in a blog post. "This is not what internet standards propose. Only 117m accounts have passwords and we suspect the remaining users registered using FaceBook or some similarity."
Best security practices call for passwords to be stored in hashed form inside databases. Hashing is a one-way operation that generates unique, verifiable cryptographic representations of a string that are called hashes.
Hashing is useful for validating passwords, because running a password through the same hashing process should always result in the same hash, allowing its comparison with one previously stored in a database.
Converting a hash back into the original password should be impossible, which is why it's safer to store hashes instead of plain text passwords. However, there are old hashing functions, such as MD5 and SHA1, that are vulnerable to various cracking techniques and should no longer be used.
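The difference between the unsalted SHA1 storage described above and a salted, deliberately slow scheme can be seen in a short Python sketch. This is an added example, not code from the article or from LinkedIn; the sample accounts are constructed, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumption made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users deliberately share a password.
SAMPLE_USERS = {
    "alice@example.com": "linkedin2012",
    "bob@example.com": "linkedin2012",
    "carol@example.com": "c0rrect-horse-battery",
}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def sha1_unsalted(password):
    """Storage scheme described in the article: bare SHA1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)

def salted_store(password):
    """Return (salt, hash) using a fresh random 16-byte salt per account."""
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)

def salted_verify(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_pbkdf2(password, salt), stored)

def shared_hash_groups(table):
    """Group accounts whose stored hash values are identical."""
    groups = {}
    for user, value in table.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def build_tables():
    """Store every sample password under both schemes."""
    unsalted = {u: sha1_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_store(p) for u, p in SAMPLE_USERS.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    # Without a salt, equal passwords are visible as equal hashes.
    print("unsalted:", shared_hash_groups(unsalted))
    print("salted:  ", shared_hash_groups({u: h for u, (_, h) in salted.items()}))
    salt, stored = salted["carol@example.com"]
    print("correct password:", salted_verify("c0rrect-horse-battery", salt, stored))
    print("wrong password:  ", salted_verify("guess", salt, stored))
```

With no salt, a single computation per candidate password can be checked against every account in a leaked table at once; a per-account salt and a high iteration count remove that shortcut.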
When the 6.5 million LinkedIn password hashes were leaked in 2012, hackers managed to crack over 60 percent of them. The same thing is likely true for the new 117 million hashes, so they cannot be considered safe.
Worse still, it's very likely that many LinkedIn users who were affected by this leak haven't changed their passwords since 2012. Hunt was able to verify that for at least one HIBP subscriber whose email address and password hash was in the new data set that is now up for sale.
More people affected by this breach are also likely to have reused their passwords in multiple places on the web, Hunt said via email.
LinkedIn users who haven't changed their passwords in a long time are advised to do so as soon as possible. Turning on LinkedIn's two-step verification is also recommended. If the LinkedIn password has been used on other websites, it should be changed there as well.
Source: https://www.pcworld.com/article/414888/a-hacker-is-selling-167-million-linkedin-user-records.html
Posted by: wilsonretininds.blogspot.com