Days after a hacker put up for sale a database of LinkedIn usernames and passwords that were stolen in a data breach back in 2012, the company says it has now finally finished resetting the passwords of all the victims.
"We have invalidated the passwords of all accounts that were created prior to the 2012 breach that hadn't updated their password since then, and that is, as we reported, more than 100 million people," a LinkedIn spokesperson told Motherboard on Monday.
Mary-Katherine Juric, a spokesperson for LinkedIn, said that the company got its hands on the hacked database last week, though she declined to say how it obtained the data.
"We did get a full look at it to ensure that this was real and there were members that needed to be protected," she said.
In 2012, unknown hackers broke into LinkedIn's servers and stole a large database of usernames and encrypted passwords. At the time, the extent of the breach was unclear, as only 6.5 million encrypted passwords, without their corresponding usernames, leaked on the internet. Then last week, a larger database surfaced in the dark web. As Motherboard first reported, the new leak revealed that the 2012 brach was much worse than anyone thought, and affected more than 100 million people.
For some, LinkedIn's response to the hack comes too little too late. Per Thorsheim, the founder of the Password conference, who helped verify the breach in 2012, said that LinkedIn should've reset the passwords of all users four years ago "as a precaution."
"Thinking that only 6.5 million were affected in 2012 would be a foolish and naive thing to do," Thorsheim told me in an online chat. "All public information from back then and until now seem to confirm they were actually that foolish and naive."
Thorsheim also slammed LinkedIn for how it's handling the breach now. After trying to reset his own LinkedIn password, he noticed that it's possible to simply input the same, old, password, and that the new one can be as short as six characters.
"That was fairly good in the mid-eighties. Not anymore," he said, referring to the minimum length. "DAMNIT!"
A LinkedIn spokesperson responded to Thorsheim's criticism saying users who've had passwords reset as a consequence of the data breach cannot reuse the same password.
In the days after the database started circulating online, hackers have apparently started taking advantage of the leaked credentials to take over the accounts of people like Twitter co-founder Biz Stone as well as other personalities. Juric, the LinkedIn spokesperson, declined to confirm that these accounts were hacked thanks to the leaked passwords, and simply said: "Account takeovers can happen."
At the same time, she added that given that the old passwords are now all invalidated, "it doesn't really matter where else [the hacked database] pops up."
Meanwhile, the hacker who put the hacked database for sale has slashed the price in half from 5 bitcoin (around $2,200) to 2.7 bitcoin (around $1,200). In any case, since last week, he said he has made $12,000 selling it to six buyers.
"[The] more i sell, and more days pass, [the] value drops," the hacker, who's known as Peace, told me.
This story has been updated to include LinkedIn's response to Thorsheim's critiques.