Yesterday I received an email from LinkedIn asking me to change my password. Though the email informed me that the networking site had “recently noticed a potential risk” to my account, it certainly didn’t outline the real risk the site’s users currently face, given reports that over 100 million users have had their accounts compromised and their personal information sold on a dark web marketplace.
The report from Motherboard states that the LinkedIn hack of 2012, which saw 6.5 million passwords posted online, had actually affected 167 million accounts. Considering the site has 443 million users as of Q1 2016, that means that a quarter of accounts have been compromised, though LinkedIn failed to clarify at the time just how many users had been impacted by the data breach. According to Motherboard, a hacker going by the name of “Peace” told the site that dark web marketplace The Real Deal is selling LinkedIn users’ personal information for 5 bitcoin (around $2,200). 117 million accounts in the hackers’ database have both email addresses and passwords.
LinkedIn’s Cory Scott confirmed this new information in a blog post on Wednesday: “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
Which brings me to the email LinkedIn sent me. With the site having apparently only recently learned of the vast number of accounts compromised by the 2012 attack, an entire four years after it had taken place, I would naturally expect the email that the company sent out to its users to be a little more urgent than the one delivered to me. Instead, there was no mention of the mass data breach, but rather the suggestion that I as an individual had been targeted. “We’ve recently noticed a potential risk to your LinkedIn account coming from outside LinkedIn,” the email reads, adding: “Just to be safe, you’ll need to reset your password the next time you log in.”
Now considering that 117 million accounts with attached passwords and email addresses are floating around the dark web, I don’t believe that the suggestion that I should change my password “just to be safe” really rings true of the monumental data breach the site has suffered. Though LinkedIn has included details regarding this new information in the aforementioned blog post, it isn’t even referred to in the email that its users have received, which is entirely unacceptable given the security issues this breach poses.
Considering that it has taken LinkedIn four years to inform its users of the severity of the 2012 breach, and that Motherboard seemingly managed to learn of it before the company did, LinkedIn should absolutely be making its users more aware of what has taken place, regardless of the negative impact it has on its public image.
If you’re a LinkedIn user, it is highly recommended that you change your password immediately, along with adding your mobile phone number to provide extra security in the form of two-step authentication.