
Millions of LinkedIn passwords stolen in 2012 surface online

They're being sold for $2,300.


You've probably already forgotten that LinkedIn was hacked back in 2012, but you could still be affected by that four-year-old security breach. According to Motherboard, someone going by the name "Peace" is selling (if he hasn't sold them yet) 117 million LinkedIn username and password combos on a dark web marketplace for 5 Bitcoins or around $2,300. When the attack was first discovered, only 6.5 million users' details were leaked -- this dump reveals that the breach was much, much bigger. In fact, a hacked data search engine told Motherboard that the database Peace listed contains 167 million accounts. It's just that only 117 million have both usernames and passwords.

Just like the 6.5 million passwords leaked in 2012, the ones in this batch are unsalted SHA-1 hashes. That means they're easier to crack, because they lack "salt," the random data added to each password before it is hashed that makes the resulting hashes harder to reverse. LinkedIn has confirmed in a blog post -- where it also encouraged people to enable two-step verification -- that the combinations being sold were part of the data stolen four years ago. The company has started invalidating passwords created before 2012, so you might receive a note to change yours if you've been a user for quite some time.
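To make the salting point concrete, here is an added example (not from the article or from LinkedIn) that stores the same constructed accounts two ways: as unsalted SHA-1, where every user with the same password gets the same stored value, and as a per-user salted PBKDF2 record. The account names, passwords, record format and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts, not taken from any real dump.
ACCOUNTS = [("alice", "linkedin123"), ("bob", "linkedin123"), ("carol", "S3parate!pass")]

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_sha1(password):
    """Storage scheme described in the article: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-user random salt plus a slow KDF, stored as 'salt_hex$derived_key_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + key.hex()


def verify(password, record):
    """Recompute the key with the stored salt and compare in constant time."""
    salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(key.hex(), key_hex)


def shared_value_groups(stored):
    """Return groups of users whose stored values are byte-for-byte identical."""
    groups = defaultdict(list)
    for user, value in stored:
        groups[value].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


if __name__ == "__main__":
    unsalted = [(user, unsalted_sha1(pw)) for user, pw in ACCOUNTS]
    salted = [(user, salted_record(pw)) for user, pw in ACCOUNTS]
    # Without salt, alice and bob are visibly linked by an identical digest.
    print("unsalted, shared values:", shared_value_groups(unsalted))
    # With per-user salt, the same password yields unrelated stored values.
    print("salted, shared values:  ", shared_value_groups(salted))
    print("login check:", verify("linkedin123", salted[0][1]))
```

Identical stored values are what let one precomputed or guessed hash match many accounts at once; per-user salt forces each record to be attacked separately, and the slow key derivation raises the cost of every guess.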