LinkedIn is providing fresh information on its security issues and the steps it has taken to protect its members. The social network sent out a group email earlier today addressing the data breach that saw millions of passwords leaked to the internet last week.
Upon learning of the leak, LinkedIn states that it invalidated the passwords at risk. It had already been confirmed that the breach itself took place in 2012 and reportedly saw 167 million LinkedIn account records hacked.
In its statement, the career-oriented platform added that the targeted accounts were all created prior to the 2012 breach, and that no passwords have been reset since then.
The statement also detailed the extent of the information that was stolen. According to LinkedIn, the data included email addresses and member IDs; the latter are a form of internal identifier assigned to each account.
The initial criticism directed toward the company centered on its weak password protection tools, in particular the fact that the password data was not salted. In response, LinkedIn claims that it now uses salted hashes to store passwords. It also indicated that it offers additional protection through its dual-factor authentication option.
“We are using automated tools to attempt to identify and block any suspicious activity that might occur on LinkedIn accounts,” reads the email. “We are also actively engaging with law enforcement authorities.”
In a prior update, the platform claimed that it had demanded that third parties put a stop to leaking its password data, and that it would pursue legal action if they failed to comply.
For those still worried about account security, LinkedIn’s chief information security officer, Cory Scott, has the following words of advice: “We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.”