UPDATED 15:55 EDT / MAY 18 2016


Old LinkedIn data breach resurfaces with 167 million accounts at risk

LinkedIn users may need to start changing passwords, as around 167 million accounts have been put up for sale online, including 117 million passwords. The seller is asking for over $2,000 for the stolen data.

The data comes from 2012, when the networking site was hacked. However, as Ars Technica notes, this reveals that the breach was far larger than initially believed; initial estimates of the 2012 breach suggested that around 6.5 million credentials were stolen, which is still a very significant amount, but this is larger by far.

A hacker by the nickname of “Peace” is offering the stolen data on the Dark Web marketplace “The Real Deal,” at a price of five Bitcoins, which comes to around $2,200. Should anyone purchase the data, it will give them access to the accounts and personal information of a multitude of users, not to mention the further damage that can be done with an oft-repeated password.

LinkedIn has begun contacting members, informing them of the breach and encouraging them to use strong passwords and two-step verification, which can be set up directly on the website.

Strong password security is a must, both for users and LinkedIn. In fact, LeakedSource notes that the passwords were stored as SHA1 hashes, which is far below industry standards. CIO explains that best practices call for passwords stored in hashed form inside databases, while the passwords themselves should also be strong. Yet hundreds of thousands of LinkedIn users had “123456” as their passwords, which, as eloquently stated in the movie “Spaceballs,” is the kind of password “that an idiot has on his luggage.”

According to Christopher Budd, global threat communications manager at Trend Micro:

“This late revelation of the extent of a breach is a common thread between many of the major hacks we’ve seen in recent history. This also shows that immediate post-breach impact analysis can be difficult and inexact with additional users often affected outside of the primary scope. This underscores the importance of regular credit monitoring and extended identity protection as a personal and professional best practice.”

As the data is old, it is likely that many users have already changed their passwords by now, but there are still plenty who have not. Among those who have changed their passwords, there are those who still use the same password on other sites with the same email address. Anyone and everyone impacted by this breach should immediately change their passwords, both on LinkedIn and any other sites that use the same password, and set up two-step verification.

If you want to check if your account is at risk, you can check out haveibeenpwned. If you need some tips and hints for strong password security, check out SiliconANGLE’s top tips and tools for World Password Day.

Photo by clasesdeperiodismo 

