Four years later, LinkedIn is still dealing with the effects of a 2012 data breach.
At the time, hackers reportedly gained access to more than 6 million of the enterprise social network's 161 million users. But LinkedIn has confirmed that an additional set of data was released on Monday.
"We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords," Chief Information Security Officer Cory Scott said in a statement. "We have no indication that this is a result of a new security breach."
In a conversation with Motherboard, the hacker who claims to have pulled off the 2012 hack (and who goes by the name "Peace") said there are 167 million-plus accounts in the database—about 117 million of which include emails and encrypted passwords. Subscription-based hacked-data search engine LeakedSource said the same in a Tuesday blog post.
Based on a sample of nearly 1 million credentials, Motherboard reported that the hacked passwords were encrypted with the SHA-1 algorithm—already outdated by 2012. LinkedIn had "just recently put in place" enhanced security measures like hashing and salting—meant to make it harder for hackers to decipher passcodes—when the breach occurred.
"We take the safety and security of our members' accounts seriously," Scott said today. "For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication."
Peace is reportedly selling the stolen account data on the dark Web for five bitcoin (about $2,282).
Days after the 2012 breach, LinkedIn was sued for failing to properly secure its users' data, which was settled last year for $1.25 million.