
The LinkedIn hack of 2012 just got a whole lot worse.

If you recall, in 2012 LinkedIn reset users’ passwords after hackers broke into its network, stole a database of password hashes, and posted some 6.5 million account credentials on a Russian password forum. LinkedIn was left humbled by the breach, which revealed that it had not salted the hashes it stored of users’ passwords, making it trivial for fraudsters to crack them.
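As an added illustration (written for this edit, not code from the original article or from LinkedIn) of why a missing salt makes cracking cheap: it assumes unsalted SHA-1 as the stored form, builds one precomputed lookup from the weak passwords the article names, and shows that lookup recovering a constructed “leaked” hash instantly, while a per-user random salt plus PBKDF2 gives two users with the same password different hashes and makes any precomputed table useless.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: the weak passwords the article says LinkedIn users chose in 2012.
COMMON_PASSWORDS = ["linkedin", "hopeless", "killmenow", "iwishiwasdead", "hatemyjob"]
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Unsalted SHA-1 (an assumption standing in for the unsalted storage described above)."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup(candidates) -> Dict[str, str]:
    """hash -> password, computed once; without salts the same table works for every account."""
    return {unsalted_hash(p): p for p in candidates}


def recover_unsalted(stored_hash: str, lookup: Dict[str, str]) -> Optional[str]:
    """A dictionary lookup, no hashing at all, is enough to reverse an unsalted hash."""
    return lookup.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt + PBKDF2-HMAC-SHA256: a table would have to be rebuilt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_hex)


def demo() -> Tuple[Optional[str], bool, bool, bool]:
    lookup = build_lookup(COMMON_PASSWORDS)
    leaked = unsalted_hash("hatemyjob")          # constructed record from a "dump"
    cracked = recover_unsalted(leaked, lookup)   # -> "hatemyjob"
    salt_a, hash_a = salted_hash("hatemyjob")    # two users, same password
    salt_b, hash_b = salted_hash("hatemyjob")
    return (cracked, hash_a != hash_b, recover_unsalted(hash_a, lookup) is None,
            verify_salted("hatemyjob", salt_a, hash_a))


if __name__ == "__main__":
    print(demo())  # ('hatemyjob', True, True, True)
```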

Now, almost four years later, a hacker going by the name “Peace” is offering for sale a database of 167 million accounts, including the email addresses and hashed (and, in many cases, already cracked) passwords of 117 million users.

As Motherboard reports, security researcher Troy Hunt has confirmed that at least some of the email addresses and passwords offered for sale are the same as those used by LinkedIn users at the time of the hack.

Worse still, at least one victim contacted by Motherboard confirmed that the stolen credentials matched their current LinkedIn password.

So, what should you do today if you’re a LinkedIn user?

Well, if you didn’t change your LinkedIn password after the 2012 hack – you really should change your password immediately.

Don’t choose an obvious password like “linkedin”, “hopeless”, “killmenow”, “iwishiwasdead” or “hatemyjob” (all of which were revealed to be the passwords of LinkedIn users four years ago).

Instead, choose a hard-to-crack, unique password that isn’t easy to guess and can’t be found in a dictionary. My recommendation is that you use a password manager to generate truly random passwords for your online accounts.

But I cannot emphasise enough the importance of having different, unique passwords for your online accounts. Even if you changed your LinkedIn password in 2012, you might have still used the same password elsewhere on the net. That’s something that online criminals can exploit.

Of course, you won’t be able to remember all of your different passwords – especially if they are hard-to-crack gobbledygook like L{Ki3XG($jPzGAE&KaJ4 – so use a password manager to securely remember them for you.

Having a unique, hard-to-crack password isn’t, of course, the only protection you should have in place on your LinkedIn account. I recommend also enabling two-step verification (2SV).

With 2SV in place on your LinkedIn account, stealing your password won’t be enough for hackers to break in: they will also need access to your mobile phone to intercept the verification code LinkedIn sends when someone logs in from a new device.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

  • Mark Jacobs

    Looks like I’ve got your password now, Graham, L{Ki3XG($jPzGAE&KaJ4 :-)

  • Kim Broom

    I’ve been receiving bogus invoices from Banks, etc., addressed to my title and company that could only come from Linked In. Hacked passwords aren’t the only threat.

  • This isn’t the first and won’t be the last time this happens. The sooner the better that we get a simpler, new ID method, such as a mobile phone biometric validating app to authenticate to sites, removing the clunky, old username-and-password methods we have lived with since the inception of computing. These methods are fundamentally flawed, and combining them with the poor authenticators of DOB, maiden name, etc. that are still used, with data that can readily be harvested from social media and public sources, leaves the public wide open to attack.

  • Carlos L Holt

    Sadly, this is getting to be routine. I’ve gotten so many notifications the last few years that my data “may have been stolen” from such organizations as VA, Mellon Bank, Target, Navy Federal CU, LinkedIn, and others. At least I have no instances of anything being used. I take all of the recommended precautions and monitor credit reports very closely. Crooks will always look for the next solution to any protection measure devised, but that doesn’t mean that we don’t need to keep devising them! They get us through for a while at least…

  • zqj

    Changing only your LinkedIn password won’t help, since the leak exposes the email/hashed password pair, which can be used in an attack on ANY website that user is registered with.

  • Cathy John

    This is bad news for professionals who use LinkedIn.

  • Most cyber crime incidents go unreported, and few companies come forward with information on their losses. That is not surprising given the risk to an organization’s reputation and the prospect of legal action against those that own up to cyber crime. Few of the biggest cyber criminals have been caught—many have yet to be identified.