LinkedIn, which suffered a major data breach four years ago, has uncovered new information suggesting the hack was much worse than it realized at the time.
In a statement, the company warns that 100 million users appear to be affected by the hack, which compromised not just passwords but email addresses as well. That's a massive chunk of LinkedIn's user base of 400 million.
The data breach first happened in 2012, and at the time was thought to only affect some users' passwords. In response, LinkedIn issued a mandatory password reset for the accounts it thought were compromised. The company never publicly clarified how many users it believed were affected.
Now, the technology website Motherboard reports that a hacker who goes by the name "Peace" is trying to sell the stolen information on the dark web. The hacker claims to possess data for 167 million LinkedIn users, including emails and encrypted passwords for 117 million users. Motherboard says it's been in direct communication with the hacker.
LinkedIn, a popular professional networking site, said it first found out about the additional set of data on Tuesday, and is quickly shifting into crisis mode.
"We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords," LinkedIn said in a statement on Wednesday. The company added that it will invalidate passwords for all accounts that were created prior to the data breach if those passwords have not been updated since the incident.
According to sources quoted by Motherboard, the stolen data currently lives in two places: on the illegal marketplace The Real Deal and on the hacked data search engine LeakedSource.
"It is only coming to the surface now. People may not have taken it very seriously back then as it was not spread," an individual associated with LeakedSource reportedly told Motherboard.
Motherboard says it looked at a sample of more than one million stolen credentials provided by LeakSource. These passwords were protected to an extent but not "salted" -- that is, protected by an additional layer of random digits designed to make them harder to crack.
LeakedSource has already cracked "90 percent of the passwords in 72 hours," according to an internal source quoted in Motherboard.
LinkedIn now hashes and salts all passwords, but only began doing that in 2012.
For now, LinkedIn said it will contact users if they need to reset their passwords. But, given the enormity of the breach, the company also urged all users to change their passwords and enable two-step verification as a precaution.