[UPDATED with comment from LinkedIn.]
Don't wait for LinkedIn to tell you if you're one of the 165 million users affected by its data breach, and to reset your password. Instead, go to HaveIBeenPwned and check for yourself. We found our own email addresses in there, yet haven't received any notifications from LinkedIn.
If you had a LinkedIn account in 2012, assume your email address and password were stolen in the breach, the full scope of which only became apparent last week. If you didn't change your password then, do so now, and change that same password on other sites and accounts as well (preferably to something different from your LinkedIn password).
LinkedIn promised last week to notify all affected users, and to reset their passwords, but clearly it hasn't reached everyone yet. We've reached out to LinkedIn for comment and will update this story once we receive a reply.
MORE: How to Create Super-Secure Passwords
HaveIBeenPwned is an online service run by Australian security researcher Troy Hunt, who's constantly adding credentials made public following data breaches. He'll tell you if your email address is in the data, and from which website it was stolen. (For the Ashley Madison data breach, he contacted holders of positive matches confidentially.)
Another website, LeakedSource, beat HaveIBeenPwned in offering to notify people if they were affected by the LinkedIn breach, but it may ask you for money.
The quick back story: In June 2012, 6.5 million passwords, without accompanying email addresses, were found being sold in online criminal forums. Many of them included the text string "linkedin," making it clear where they came from.
The passwords had been "hashed," or scrambled with a one-way mathematical algorithm, in such a poor way that most of the hashes were swiftly "cracked" and the passwords revealed. Following that revelation, LinkedIn said it reset the passwords for affected accounts, then implemented a stronger hashing algorithm. A year later, the company introduced an option to use to two-step verification.
Last week, the full LinkedIn dataset surfaced on an online-criminal forum, and it was far worse than anyone had feared. A total of 165 million LinkedIn credentials were in the set — still with poorly hashed passwords — and this time, they included email addresses, letting anyone who got their hands on them hijack numerous accounts at other online services.
MORE: What to Do After a Data Breach
Security firm KoreLogic has already cracked nearly 80 percent of the hashes. Even though there are 177 million password hashes, there are so many duplicates that in total, there are only 65 million unique hashes. Eighty-six percent of all the credentials have had their passwords cracked.
Why so many? Well, a full 1,135,936 of LinkedIn users chose "123456" as their passwords. About 207,000 chose "linkedin," which is not a terrible choice, as it implies that those people wouldn't use that password anywhere else. But we'll venture that many of the 188,380 people who had "password" as their LinkedIn password used it someplace else as well.
Don't get smug, however, if your LinkedIn password met "strong" password recommendations.
"5,184,351 of the recovered passwords are 8+ characters and contain one upper, one lower, and one digit," the KoreLogic researchers said in a blog posting. "825,975 of the recovered passwords are 8+ characters and contain one upper, one lower, and one digit and one special character."
A large chunk of those cracked complex passwords followed "universally common topologies," such as beginning with a capital letter followed by many lower-case letters, and ending with a digit or two and a punctuation mark. In this light, "Rutabaga256!" isn't really that much better than "password."
So, to reiterate: If you had a LinkedIn account in 2012, change the password now, and make the password something you CAN'T remember. Write it down on a piece of paper, or, better yet, use a password manager. Then set up two-factor authentication on LinkedIn and any other service than allows it.
And remember: Your password (or credit-card number) is only as safe as the company holding it in its database.
UPDATE: "We've finished our process of invalidating all accounts we believed were at risk," a LinkedIn spokeswoman told Tom's Guide in an email message. "These were accounts that had not reset their passwords since the 2012 breach. We'll soon be sending more information to all members that could have been affected, even if they updated their password four years ago."
