The LinkedIn hack of 2012 just got a whole lot worse.

If you recall, in 2012 LinkedIn reset users’ passwords after hackers broke into the network, stole a database of password hashes, and posted some 6.5 million account credentials on a Russian password forum. LinkedIn was left humiliated by the security breach, which revealed that they had not used a salt while creating the checksums it stored of users’ passwords- making it trivial for fraudsters to crack them.

Now, almost four years later, a hacker going by the name of “Peace” is offering for sale the database of 167 million accounts, including the emails, hashed and (in many cases) already cracked passwords of 117 million users.

As Motherboard reports, security researcher Troy Hunt has confirmed that at least some of the email addresses and passwords offered for sale are the same as those used by LinkedIn users at the time of the hack.

Worse still, at least one victim contacted by Motherboard confirmed that the stolen credentials matched their current LinkedIn password.

So, what should you do today if you’re a LinkedIn user?

Well, if you didn’t change your LinkedIn password after the 2012 hack – you really should change your password immediately.

Don’t choose an obvious password like “linkedin’, ‘hopeless,’ ‘killmenow’, ‘iwishiwasdead’, and ‘hatemyjob’ (all of which were revealed to be the passwords of LinkedIn users four years ago).

Instead, choose a hard-to-crack, unique password that isn’t easy to guess and can’t be found in a dictionary. My recommendation is that you use a password manager to generate truly random passwords for your online accounts.

But I cannot emphasise enough the importance of having different, unique passwords for your online accounts. Even if you changed your LinkedIn password in 2012, you might have still used the same password elsewhere on the net. That’s something that online criminals can exploit.

Of course, you won’t be able to remember all of your different passwords – especially if they are hard-to-crack gobbledygook like L{Ki3XG($jPzGAE&KaJ4 – so use a password manager to securely remember them for you.

Having a unique hard-to-crack password isn’t, of course, the only protection you should have in place on your LinkedIn account. I recommend also enabling two step-verification(2SV).

With 2SV in place on your LinkedIn account, hackers won’t just need to steal your account’s password to break into your account – they’ll also require access to your mobile phone to intercept the verification code sent by LinkedIn when someone logs in from a new device.

Via: tripwire