Remember LinkedIn’s 2012 data breach?
A hacker stole 6.5 million encrypted passwords from the site and posted them to a Russian crime forum. Now it appears that data theft was just the tip of the iceberg.
A Russian hacker, who goes by “Peace,” is selling 117 million email and password combinations on a dark web marketplace, Vice Motherboard reports. The going rate for the loot is five Bitcoins, or about $2,300.
Get Data Sheet, Fortune’s technology newsletter.
Motherboard said it received a portion of the data—about one million credentials—from Leaked Source, a paid search engine for hacked data that claims to have acquired a total of 167 million of the leaked login credentials. The news outlet verified that at least one of the hacked accounts is legitimate by confirming details with one of the victims.
Cybersecurity researcher Troy Hunt, who runs the hacked data search engine HaveIBeenPwned.com, said he confirmed details with two other victims. He added that he doesn’t yet have a full set to upload to his database yet.
Furthermore, I've only seen a small subset of data (~1M rows), I don't have a full set to load into @haveibeenpwned (yet…)
— Troy Hunt (@troyhunt) May 18, 2016
A person who represents Leaked Source, which has been analyzing the stolen data, told Fortune in an email that 160 million of the compromised accounts have unique email addresses, while the remaining 7 million only include numerical userids and passwords. The spokesperson said that the site’s administrators do not have access to the 6.5 million credentials initially released in 2012, meaning they are unable to check whether they are included as part of the latest set.
“We acquired the 167 million credentials for free from someone who got them from the Russians,” the Leaked Source rep told Fortune. “We have been asked not to reveal who they are or it would jeopardize their relationship with whomever provided it to them.”
For more on LinkedIn, watch:
Cory Scott, LinkedIn’s chief information security officer, published a post addressing the incident on the professional network’s official blog on Wednesday. “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” Scott wrote.
He mentioned that the company had required “all accounts we believed to be compromised” to reset their passwords in 2012, and that it recommended all other users else reset their passwords as well. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” he said. “We have no indication that this is as a result of a new security breach.”
Scott added that the site had been encrypting and “salting”—or appending random data to the passwords before they’re encrypted to make them less crackable—”for several years.” Leaked Source noted, however, that the leaked passwords it had obtained were encrypted (with the SHA-1 hashing function), but lacked the “salting” security feature. Presumably, LinkedIn began “salting” their passwords after the 2012 incident.
To stay protected, LinkedIn users should update their passwords on the site (and anywhere else they may have reused the same password online) and also implement two-factor authentication—a feature that sends a security code to a user’s phone upon login.
