A LinkedIn data breach that came to light in 2012 is rearing its ugly head once again. While initial reports said that hackers had stolen 6.5 million account credentials, the latest figures suggest a far greater number were compromised.
Leaked Source, a paid search engine for hacked data, claims to have obtained as many as 167 million purloined account credentials from that LinkedIn breach. Of the total, 160 million included email addresses and 117 million included emails and passwords, one of the site’s administrators told Coins2Day.
Get Data Sheet, Coins2Day’s technology newsletter.
One representative at Leaked Source told Vice Motherboard, which first reported the revised breach figures, that the site’s analysts had decrypted “90% of the passwords in 72 hours.”
Here’s a tally of the most common passwords the site said it unscrambled in the hacked dataset, according to Leaked Source’s analysis. The chart lists 2.2 million instances of passwords, less than 2% of the total cache.
Coins2Day was not able to independently verify the data.
There are notable differences between this set of top passwords and the list released as part of the initial 2012 data breach. An analysis of the earlier dump by the cybersecurity firm Rapid7 (RPD) reported the top five passwords as “link,” “1234,” “work,” “god,” and “job.”
The most recent analysis falls more in line with what we tend to see in data leaks across the web—with the notable exception of “linkedin” appearing in the number two spot.
Leaked Source noted that the stolen LinkedIn passwords were protected with encryption. (They were hashed using the SHA-1 cryptographic algorithm, for the technically minded.) The site pointed out, however, that the passwords had not been “salted,” a security technique that adds a buffer of extra randomness to the passwords, which would have made them considerably more difficult to decrypt.
Cory Scott, LinkedIn’s chief information security officer said Wednesday in a blog post that the company had applied encryption and salting “for several years.” Presumably, the professional network added “salting” after the 2012 breach.
It goes without saying that any of the passwords listed in the above chart are poor choices for securing online accounts. Security experts recommend using a password manager to help generate and store complex, lengthy passwords. They also recommend never reusing passwords across multiple sites and always opting in for two-factor authentication, a feature that ties an additional security code to a user’s device and requests it upon login.