LinkedIn, which has had a dubious record with user security, is in the news again for all the wrong reasons. The bad news is that about 117 million usernames and passwords for the professional networking site are up for grabs by cybercriminals. The good news is that the credentials seem to have been grabbed in a data breach disclosed in June 2012. (Back then, only 6.5 million accounts were thought to have been compromised.)
So if you've changed your LinkedIn password within the last four years, you have nothing to fear. You have changed your password within the last four years, right? If your credentials are found to be part of this new set of data, LinkedIn says it will force you to change it anyway.
Motherboard, Vice's tech publication, did some digging and found the dataset from LinkedIn's 2012 breach for sale on the Dark Web for around $2,200 in Bitcoin. It's not clear if anyone bought it, but a data-breach-notification site called LeakedSource claims to have the full set.
Why it took four years to surface is anyone's guess, but the sad truth is that of the 165 million compromised accounts in the dataset, 117 million of them have both usernames and hashed passwords, and a good chunk of those credentials probably still work.
As usual, the real risk here is not that a cybercriminal could hijack your LinkedIn account. While the site holds a few details about your job and address, both of which may already be publicly displayed, it doesn't hold financial information or Social Security numbers.
The real risk ensues if you use that same username and password for other online accounts, especially email, shopping or online banking accounts. Misuse of those credentials could blow your digital life wide open. At that point, brace yourself for hijacked email accounts, identity theft, credit-card fraud and drained bank accounts.
Although LinkedIn had hashed its passwords before the 2012 breach, it did so without "salting" them, that is, without mixing a random per-user value into each password before hashing it. Because every account with the same password therefore produced the same hash, a single precomputed table of hashed guesses could be checked against the whole dump at once, and cybercriminals and researchers were able to crack more than half the password hashes in a few months. Now that more than 110 million new sets of credentials from the same data breach are surfacing, it's inevitable that a sizable proportion of them will still be valid, and their password hashes easily cracked.
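To make the salting point concrete, here is an added illustration that is not code from the article or from LinkedIn. It compares 2012-style unsalted storage with a salted, deliberately slow scheme (PBKDF2-HMAC-SHA256 is this example's own choice of hardened alternative; the article names none). The user records and the "common passwords" list are constructed sample data, and the audit function shows why a single hashed wordlist is enough to expose every unsalted record but useless against salted ones.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; two users share a password.
SAMPLE_USERS = {
    "alice": "Summer2012",
    "bob": "linkedin",
    "carol": "Summer2012",
    "dave": "Tq8!vR#2pL9z",  # long random password, absent from the wordlist
}

# Constructed stand-in for the large wordlists that were run against the 2012 dump.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "Summer2012", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the hardened scheme


def hash_unsalted(password: str) -> str:
    """2012-style storage: a single unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened storage: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_salted(password: str) -> tuple[bytes, str]:
    """Create a fresh 16-byte salt and return (salt, hash) for a new record."""
    salt = secrets.token_bytes(16)
    return salt, hash_salted(password, salt)


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of a login attempt against a stored record."""
    return hmac.compare_digest(hash_salted(password, salt), stored)


def shared_hash_groups(stored: dict[str, str]) -> int:
    """Count users whose stored hash equals another user's hash.

    Unsalted storage leaks 'these accounts share a password' before any cracking.
    """
    counts: dict[str, int] = {}
    for h in stored.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def audit_unsalted_exposure(stored: dict[str, str], wordlist) -> dict[str, str]:
    """Defender's exposure audit: hash the wordlist ONCE and look every record up.

    One table serves every user, which is why unsalted dumps fall so quickly.
    """
    table = {hash_unsalted(p): p for p in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def kdf_evaluations_needed(num_users: int, wordlist_size: int, salted: bool) -> int:
    """Hash evaluations to test the whole wordlist against every record.

    Unsalted: one table of wordlist_size hashes covers everyone.
    Salted: each user needs the wordlist re-hashed under their own salt.
    """
    return wordlist_size * (num_users if salted else 1)


if __name__ == "__main__":
    unsalted_store = {u: hash_unsalted(p) for u, p in SAMPLE_USERS.items()}
    print("users sharing a hash:", shared_hash_groups(unsalted_store))
    print("recoverable from one table:", audit_unsalted_exposure(unsalted_store, COMMON_PASSWORDS))

    salted_store = {u: store_salted(p) for u, p in SAMPLE_USERS.items()}
    print("alice and carol hashes equal?", salted_store["alice"][1] == salted_store["carol"][1])
    salt, h = salted_store["alice"]
    print("verify alice:", verify_salted("Summer2012", salt, h), verify_salted("wrong", salt, h))
    print("work, unsalted vs salted:",
          kdf_evaluations_needed(len(SAMPLE_USERS), len(COMMON_PASSWORDS), salted=False),
          kdf_evaluations_needed(len(SAMPLE_USERS), len(COMMON_PASSWORDS), salted=True))
```

Running it shows that three of the four unsalted records match the tiny wordlist and that alice and carol are visibly linked even before any lookup, whereas under the salted scheme the two identical passwords produce unrelated hashes and the cost of testing the wordlist grows with the number of users and with the KDF iteration count.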
Back in 2012, LinkedIn forced users of accounts known to be affected by the data breach to change their passwords, and advised users of presumably unaffected accounts to do the same. But as with any voluntary security advisory, compliance was almost certainly far less than 100 percent.
In a LinkedIn blog posting today, the company said it was "taking immediate steps to invalidate the passwords of the accounts impacted," and "will contact those members to reset their passwords." It also advised all users to activate two-step verification, which we also highly recommend. (The service has about 400 million registered users.)
You should change your LinkedIn password now if you haven't done so recently, but again, that's not the real threat. What you really need to do is change your email and banking passwords, assuming you use the same passwords for multiple accounts. If not, you don't have much to worry about. Basic online safety habits, as always, will protect you from the vast majority of cyberattacks.
LeakedSource has incorporated the full LinkedIn set and lets you input your email address to see if it's among those affected. While it doesn't deal with LinkedIn directly, you can also always check Have I Been Pwned? to see if another data breach has compromised your info.