Days after media reports of a massive data breach at LinkedIn surfaced, the business networking platform has told its members that the breach first occurred in 2012 but that the data is only now being made available online by hackers.
The hackers have reportedly this month tried to sell a database containing 117 million passwords that was stolen from LinkedIn in 2012. LinkedIn has confirmed that stolen data included member email addresses, hashed passwords and LinkedIn member identifiers.
Wired reports that Australian security expert Troy Hunt has uploaded the entire dataset to his data breach website, haveibeenpwned.com, so that LinkedIn customers can check whether their account was compromised.
[I checked all my own email accounts via Hunt’s site and found that one address had been breached twice, and another once. Two of the three were affected by the LinkedIn hack, with the third caught up in a 2013 Adobe breach.]
LinkedIn itself has today told its customers via email that it took immediate steps to invalidate the passwords of all customer accounts that it believed might be at risk when it learnt on May 17 that the data had been made public. This move affected accounts created prior to the 2012 breach that had not reset their passwords since that time.
In an email with the subject line “Notice of Data Breach”, LinkedIn told members it was using automated tools to attempt to identify and block any suspicious activity that might occur on customer accounts and was actively engaging with law enforcement authorities.
The social network said it had taken steps to strengthen account security since 2012, including using salted hashes to store passwords and enabling additional account security by offering members the option to use two-step verification.
However, it advised users visit the LinkedIn Safety Center to learn about enabling two-step verification, and implementing strong passwords.
“We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well,” the company said.
Customers with further queries can contact LinkedIn’s Trust & Safety team at firstname.lastname@example.org.