Data from an earlier LinkedIn data breach have appeared online, and a hacker known as Peace_of_mind (Peace) is selling them for 5 Bitcoin (≈ $2,200) on the dark web market TheRealDeal.
LinkedIn suffered a massive data breach in 2012, when hackers broke into its servers and stole some of its users' records. Later, hackers published 6.5 million of the stolen records online, complete with user passwords in hashed form.
Peace claims that this data comes from the 2012 breach. He claims to have data on 167,370,940 accounts, but said that only about 117 million include hashed passwords. The last time LinkedIn disclosed its total number of users, it said it had 433 million registered users.
Two websites that specialize in collecting data from online breaches, LeakedSource and Have I Been Pwned?, analyzed the data.
Troy Hunt, the creator of Have I Been Pwned?, said on Twitter: "I confirm the alleged 167M data breach of LinkedIn. It is *very* likely to be the case."
Later, he revealed that the data is indeed from the 2012 breach and warned that the passwords were hashed with SHA1 without salting. This means that weak passwords can easily be cracked.
SHA1 is a powerful hashing algorithm, but advances in modern computing power allow attackers to crack SHA1 hashes. Fraudsters cannot break these hashes automatically, but over time all of the password hashes will be broken. The simpler the password, the faster it breaks.
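To illustrate why SHA1 without salting is a weak way to store passwords, here is an added example (not code from LinkedIn or from the researchers quoted here). The account names, passwords, word list and PBKDF2 work factor are constructed assumptions; it compares unsalted SHA1 with a per-user salt and a slow key-derivation function.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: these accounts and passwords are made up.
ACCOUNTS = {"alice": "123456", "bob": "linkedin",
            "carol": "123456", "dave": "V7#pq-unlikely-Zr91"}
COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty"]
PBKDF2_ROUNDS = 600_000  # assumed work factor for this example

def sha1_unsalted(password):
    """The storage scheme the article describes: bare SHA1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(pbkdf2_salted(password, salt)[1], digest)

def accounts_sharing_a_hash(stored):
    """Groups of accounts whose stored value is identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def weak_accounts_unsalted(stored):
    """Audit: hash each common password once, then match every account by lookup."""
    table = {sha1_unsalted(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}

UNSALTED_DB = {u: sha1_unsalted(p) for u, p in ACCOUNTS.items()}
SALTED_DB = {u: pbkdf2_salted(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("identical unsalted hashes:", accounts_sharing_a_hash(UNSALTED_DB))
    print("identical salted records: ", accounts_sharing_a_hash(SALTED_DB))
    print("found by one table lookup:", weak_accounts_unsalted(UNSALTED_DB))
```

With unsalted SHA1, the two accounts that share a password store the same value and one precomputed table covers every account; with a per-user salt each record is unique, so every guess has to be recomputed per account at the full work factor.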
LeakedSource says it has access to all 167 million accounts, which it has added to its service so that users can safely search and see whether they are included in the breach.
Back in 2012, despite the details of 6.5 million users leaking onto the internet, LinkedIn never confirmed how many users were affected; it kept silent, and people forgot that it had happened.
If LinkedIn had shared the real impact of the data breach, users would have taken the necessary steps to secure their accounts and avoid reusing their LinkedIn password on other accounts.