LinkedIn 2012: 117 Million Passwords Hashed With No Salt

LinkedIn's password database was stolen in 2012 but the true scope — 117 million accounts — was not revealed until 2016 when the data appeared for sale. Unsalted SHA-1 hashes meant most passwords were cracked within hours.

LinkedIn · 2012 · 2 min read

Background

LinkedIn stored user passwords as SHA-1 hashes without salting — a practice that security experts had condemned for years. In 2012 the company had approximately 160 million registered users.

The Attack

Attackers breached LinkedIn's systems in 2012 through means LinkedIn never publicly disclosed, and exfiltrated the password hash database. The 6.5 million hashes posted to a Russian forum in June 2012 were just a sample. The full 117 million record database was not discovered until 2016 when a hacker named "Peace" listed it for sale on The Real Deal dark web market for 5 Bitcoin (~$2,200 at the time).

Response

LinkedIn reset passwords for the 6.5 million accounts identified in 2012. When the full database surfaced in 2016, LinkedIn immediately invalidated all pre-2012 passwords, enabled automated notifications, and required affected users to set new passwords. The company also enabled two-factor authentication across all accounts.

Outcome

The 2016 revelation that the breach was 18x larger than originally reported was a watershed moment for breach disclosure norms. LinkedIn paid $1.25 million to settle a class action. The incident demonstrated that unsalted hashes effectively store passwords in plaintext for anyone with a GPU and a dictionary.

Key Takeaways

  1. Always salt password hashes — unsalted SHA-1 can be cracked via rainbow tables in seconds
  2. Use modern password hashing algorithms: bcrypt, scrypt, or Argon2
  3. Assume breaches are always larger than the first sample suggests
  4. Mandatory two-factor authentication significantly reduces credential stuffing risk
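The contrast the takeaways draw, shown in Python as an added example that is not part of the original article: the unsalted SHA-1 scheme LinkedIn used, a precomputed dictionary table that recovers every account sharing a common password in a single pass, and a salted scrypt scheme in which identical passwords no longer produce identical hashes. The users, passwords and wordlist are constructed, and the scrypt parameters are assumed rather than taken from the page.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for a password database.
# "alice" and "carol" chose the same weak password.
USERS = {
    "alice": "linkedin123",
    "bob": "S3cure&Long!Passphrase-2012",
    "carol": "linkedin123",
}

# Constructed dictionary of common passwords a cracker would precompute.
WORDLIST = ["password", "123456", "linkedin", "linkedin123", "qwerty"]


def sha1_unsalted(password):
    """The 2012 scheme: one SHA-1 over the bare password, no salt, no work factor."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored, wordlist):
    """Hash each dictionary word once, then match every stored hash against the
    table. Without salt the same table serves all rows in the database."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def scrypt_salted(password, salt=b""):
    """The recommended scheme: random per-user salt plus a memory-hard KDF.
    Parameters N=2**14, r=8, p=1 are an assumption, not from the article."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_scrypt(password, salt, expected):
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(scrypt_salted(password, salt)[1], expected)


if __name__ == "__main__":
    unsalted_store = {u: sha1_unsalted(p) for u, p in USERS.items()}
    print("cracked from unsalted SHA-1:", crack_unsalted(unsalted_store, WORDLIST))
    salted_store = {u: scrypt_salted(p) for u, p in USERS.items()}
    # Same password, different salt: no shared hash, so no shared lookup table.
    print("alice/carol hashes equal?", salted_store["alice"][1] == salted_store["carol"][1])
    print("verify alice:", verify_scrypt("linkedin123", *salted_store["alice"]))
```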
Tags: password hashing · SHA-1 · credential theft · dark web · data sale