A Top 10 Company, Caught Cold
Here's the thing that still surprises me. When we talk about data breaches, people picture some sketchy startup with two engineers and no security budget. They don't picture LinkedIn. This is a top 10 global tech company. Hundreds of millions of professionals. Owned by Microsoft now. The single biggest professional network on the planet. And in 2012 it got breached so badly that the full damage didn't even become clear until four years later.
Honestly, that's the part that gets me. Not that a giant got hit. Giants get hit all the time. It's that LinkedIn told the world one number in 2012, and the real number turned out to be roughly eighteen times bigger. They said 6.5 million. The dump that surfaced in 2016 held about 117 million accounts with both an email address and a password hash, out of roughly 167 million rows in total; the remainder were email addresses with no password attached, which is where the larger figure you sometimes see comes from.
So let's walk through it properly. How the attacker got in. How LinkedIn found out they'd been robbed. Why the stolen data stayed dangerous for years. And what they actually did to clean it up. There's a real lesson buried in here, and it's not the one most people think.
Wait, What Actually Leaked?
June 2012. A file containing roughly 6.5 million hashed LinkedIn passwords gets posted on a Russian password cracking forum. No usernames in that first dump, just the password hashes. The person who uploaded it basically asked the forum for help cracking the ones they couldn't break themselves. Within a day or two, thousands of those hashes were already cracked and posted back.
LinkedIn confirmed it fast. They forced password resets on the accounts they believed were affected, said sorry, and moved on. For four years the story sat at "6.5 million passwords, handled, done."
Then May 2016 happened. A seller going by "Peace" listed a database on a dark web marketplace. The asking price was 5 bitcoin, which at the time was around $2,200. What was in it? Email and password pairs for about 117 million LinkedIn accounts, all from that same 2012 intrusion. The breach was never 6.5 million. That was just the slice that leaked publicly in 2012. The attacker had been sitting on the full haul the whole time.
The Surprising Bit
For four years, anyone whose LinkedIn password hadn't been reset since 2012 was walking around with a live, stolen credential and no idea. People reused that password on their email, their bank, their work accounts. The 2016 sale is widely blamed for a wave of account takeovers that followed, including some very high profile ones. Mark Zuckerberg's Twitter and Pinterest got popped around then using a reused password. The breach didn't end in 2012. It just went quiet.
How The Attacker Actually Got In
For years this was the frustrating gap in the story. LinkedIn never put out a detailed technical post mortem of the intrusion. We knew the data got out. We didn't officially know how. That changed when US prosecutors named the man behind it: a Russian hacker called Yevgeniy Nikulin.
According to the Department of Justice, the way in wasn't some Hollywood zero day. It was a person. Nikulin broke into a LinkedIn employee's computer, took that employee's credentials, and used them to reach into the corporate network. Once he was moving around as a trusted insider, getting at the member database was a much shorter walk. Same playbook he ran on Dropbox and Formspring in the same window: steal an employee's login, ride it inside, take the data.
That's the uncomfortable truth about most "sophisticated" breaches at big companies. The front door is usually a human one. One engineer's password, one reused credential, one laptop, and suddenly the perimeter that cost millions to build means nothing because the attacker is already inside wearing a staff badge.
How LinkedIn Found Out
Here's the part that should bother every security team. LinkedIn didn't catch the 2012 breach with their own monitoring. They found out the way a lot of companies find out. From the internet.
The hashes showed up on that Russian forum, security researchers and journalists spotted the dump, and the news basically reached LinkedIn from the outside in. By the time they were confirming the breach publicly, the data was already being cracked by strangers for sport. That's a detection failure as much as a prevention failure. The attacker was in, took the goods, and left, and the alarm only rang when the loot turned up on a forum.
The 2016 chapter was even more humbling. LinkedIn didn't discover the full 117 million scope through some internal audit either. They learned the real size of their own breach when a seller named Peace put it up for sale and a breach notification service flagged it. Four years after the fact, a company found out from a dark web listing exactly how much it had lost. Let that sit for a second.
The SHA1 Mistake That Made It So Much Worse
The breach was bad. The way the passwords were stored is what turned bad into catastrophic. LinkedIn had hashed those passwords with SHA1, and crucially, they did it without a salt.
Quick plain English version. A hash is a one way scramble of your password, so the company never stores the real thing. SHA1 is an old, fast general purpose hash. "Fast" sounds good, but for password storage it's a disaster: fast means an attacker with a decent graphics card can try billions of guesses per second. A salt is a random value stored alongside each account and mixed into the password before hashing, so two people with the same password get different hashes and precomputed crack tables (rainbow tables) become useless.
LinkedIn skipped the salt. So when those 6.5 million hashes hit the forum, the crackers feasted. Identical passwords had identical hashes, which means you crack "123456" once and you've instantly unlocked every account that used it. Within days, a huge chunk of the dump was cracked. The storage choice basically handed the attackers a head start.
password = "sunshine"

UNSALTED SHA1:
    every "sunshine" hashes to the SAME value
    crack it once, unlock thousands of accounts

SALTED + SLOW HASH (bcrypt):
    "sunshine" + random_salt_A -> hash A
    "sunshine" + random_salt_B -> hash B
    each account must be attacked on its own, and each guess is deliberately slow
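To make that difference concrete, here is an added Python example of mine, not LinkedIn's code and not taken from any of the sources below. It stores the same four passwords both ways and runs the same small dictionary attack against each table, counting how many hash computations the attacker needs. The member records and the wordlist are constructed for illustration, PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so it runs without extra packages, and the iteration count is an assumption rather than a recommendation.

```python
import hashlib
import hmac
import os

# Constructed sample data, not real LinkedIn records. Two members share "sunshine".
MEMBERS = {
    "alice@example.com": "sunshine",
    "bob@example.com": "sunshine",
    "carol@example.com": "Tr0ub4dor&3",
    "dave@example.com": "123456",
}

# A tiny attacker wordlist, also constructed for the example.
WORDLIST = ["password", "123456", "sunshine", "letmein", "qwerty"]

# Assumed work factor. Production values should be higher; this is only the example's default.
PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """LinkedIn's 2012 scheme: one fast SHA1 over the raw password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, deliberately slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt/Argon2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_unsalted_table(members: dict[str, str]) -> dict[str, str]:
    """What the leaked 2012 table looked like: user -> bare SHA1 hex."""
    return {user: unsalted_sha1(pw) for user, pw in members.items()}


def build_salted_table(members: dict[str, str], iterations: int = PBKDF2_ITERATIONS) -> dict[str, tuple[bytes, bytes]]:
    """The fixed scheme: user -> (random per-account salt, slow hash)."""
    table = {}
    for user, pw in members.items():
        salt = os.urandom(16)  # fresh random salt per account
        table[user] = (salt, salted_slow_hash(pw, salt, iterations))
    return table


def crack_unsalted(stored: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Dictionary attack on the unsalted table. Each guess is hashed exactly once and compared
    against every leaked hash at once, so everyone sharing a password falls together."""
    work = 0
    lookup = {}
    for guess in wordlist:
        lookup[unsalted_sha1(guess)] = guess
        work += 1
    cracked = {user: lookup[h] for user, h in stored.items() if h in lookup}
    return cracked, work


def crack_salted(stored: dict[str, tuple[bytes, bytes]], wordlist: list[str],
                 iterations: int = PBKDF2_ITERATIONS) -> tuple[dict[str, str], int]:
    """Dictionary attack on the salted table. The per-account salt forces a fresh slow hash
    for every (account, guess) pair; nothing computed for one account helps with another."""
    work = 0
    cracked = {}
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(salted_slow_hash(guess, salt, iterations), digest):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    fast = build_unsalted_table(MEMBERS)
    print("alice and bob share a hash:", fast["alice@example.com"] == fast["bob@example.com"])
    print("unsalted SHA1 :", crack_unsalted(fast, WORDLIST))
    slow = build_salted_table(MEMBERS)
    print("salted + slow :", crack_salted(slow, WORDLIST))
```

With the constructed data the unsalted attack needs five SHA1 computations to crack three accounts, and two of those accounts fall from a single hash. The salted attack needs thirteen slow hashes for the same three accounts, and each of those is tens of thousands of times more expensive than a SHA1. Scale the wordlist to millions of entries and the table to 117 million rows and that gap is the difference between an afternoon and a lifetime.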
How They Remediated This Mess
Give them this much. The cleanup, once they took it seriously, was the right shape. Here's what LinkedIn actually did across 2012 and again in 2016.
- Invalidated the exposed passwords. In 2012 they disabled the passwords they believed were affected and forced those users to reset. When the 117 million surfaced in 2016, they went much harder and invalidated every password created before the 2012 breach that hadn't been changed since. No exceptions.
- Added salting, then moved to a slow hash. The big technical fix was ditching bare SHA1. They started salting every password and putting it through a proper slow password hashing scheme so a future dump wouldn't crack in an afternoon. This is the single most important change they made.
- Rolled out two factor authentication. LinkedIn shipped 2FA so that a stolen password alone wasn't enough to get into an account. This directly blunts the credential reuse attacks that the 2016 sale fed.
- Mass user notification and forced resets. In 2016 they emailed affected members, killed the old passwords, and walked people through securing their accounts. Painful, noisy, correct.
- Worked the takedowns and the case. They pushed to get the for sale listings pulled and cooperated with law enforcement, which eventually fed into the criminal case against the attacker.
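The first two remediation steps, invalidation and the move to salted slow hashing, are the ones a storage owner has to get right in the correct order, so here they are as an added Python sketch. This is my illustration, not anything LinkedIn published, and it assumes a legacy table of unsalted SHA1 hashes with a last-changed date per account, an assumed breach cutoff date, and PBKDF2-HMAC-SHA256 standing in for bcrypt. It does three things: wraps every legacy hash under a salted slow hash immediately, offline, so the raw SHA1 stops existing on disk without waiting for the member to log in; flags every password last changed before the cutoff as invalid; and on the first successful login re-hashes the plaintext directly so the SHA1 layer disappears from that record.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

ITERATIONS = 100_000  # assumed work factor for the example
UTC = timezone.utc
# Assumed cutoff: any password last set before the 2012 intrusion is treated as stolen.
BREACH_CUTOFF = datetime(2012, 6, 1, tzinfo=UTC)


def legacy_sha1(password: str) -> str:
    """The old scheme: unsalted SHA1 hex digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(material: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256, standing in for bcrypt/scrypt/Argon2."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


# Constructed legacy table, not real data: unsalted SHA1 plus when the password was last set.
LEGACY = {
    "alice@example.com": {"sha1": legacy_sha1("sunshine"), "changed": datetime(2011, 3, 1, tzinfo=UTC)},
    "bob@example.com":   {"sha1": legacy_sha1("sunshine"), "changed": datetime(2014, 9, 9, tzinfo=UTC)},
    "carol@example.com": {"sha1": legacy_sha1("Tr0ub4dor&3"), "changed": datetime(2012, 5, 30, tzinfo=UTC)},
}


def migrate(legacy: dict, cutoff: datetime, iterations: int = ITERATIONS) -> dict:
    """Offline migration. Wrap each stored SHA1 in a salted slow hash right now, with no user
    interaction, and mark every pre-cutoff password as invalid pending a reset."""
    records = {}
    for user, row in legacy.items():
        salt = os.urandom(16)
        records[user] = {
            "scheme": "pbkdf2(sha1)",  # slow hash over the old SHA1 digest, not the plaintext
            "salt": salt,
            "hash": slow_hash(bytes.fromhex(row["sha1"]), salt, iterations),
            "must_reset": row["changed"] < cutoff,
        }
    return records


def set_password(records: dict, user: str, password: str, iterations: int = ITERATIONS) -> None:
    """Reset flow, and the upgrade path: hash the plaintext directly under a fresh salt."""
    salt = os.urandom(16)
    records[user] = {
        "scheme": "pbkdf2",
        "salt": salt,
        "hash": slow_hash(password.encode(), salt, iterations),
        "must_reset": False,
    }


def verify_login(records: dict, user: str, password: str, iterations: int = ITERATIONS) -> bool:
    """Login. Invalidated accounts are refused outright. Wrapped legacy records are checked by
    recomputing SHA1 first; on success the record is re-hashed directly from the plaintext."""
    rec = records.get(user)
    if rec is None:
        # Burn the same work as a real check so response time does not reveal which emails exist.
        slow_hash(password.encode(), b"\x00" * 16, iterations)
        return False
    if rec["must_reset"]:
        return False
    if rec["scheme"] == "pbkdf2(sha1)":
        material = bytes.fromhex(legacy_sha1(password))
    else:
        material = password.encode()
    if not hmac.compare_digest(slow_hash(material, rec["salt"], iterations), rec["hash"]):
        return False
    if rec["scheme"] == "pbkdf2(sha1)":
        set_password(records, user, password, iterations)  # drop the SHA1 layer for good
    return True


if __name__ == "__main__":
    recs = migrate(LEGACY, BREACH_CUTOFF)
    for user, rec in recs.items():
        print(user, rec["scheme"], "must_reset" if rec["must_reset"] else "ok")
    print("bob logs in:", verify_login(recs, "bob@example.com", "sunshine"), "->", recs["bob@example.com"]["scheme"])
    print("alice with the stolen password:", verify_login(recs, "alice@example.com", "sunshine"))
```

The wrap step is the part teams most often skip. Waiting to re-hash "on next login" leaves the bare SHA1 of every dormant account sitting in the database for years, and dormant accounts are exactly the ones whose owners never see the reset email. Wrapping first means that if the table leaks again tomorrow, the attacker faces a slow salted hash for every row, not just the ones that happened to log in.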
Key Finding
The remediation that mattered most wasn't the password resets. It was the move to salted, slow hashing plus 2FA. Resets clean up the current spill. Better hashing and a second factor are what stop the next spill from being the same disaster. If you store passwords and you're still on a single fast hash with no salt, you are LinkedIn in 2011. Fix it before someone fixes it for you.
The Guy Who Did It
Yevgeniy Nikulin didn't stay a ghost. In October 2016 he was arrested in Prague, after the FBI flagged him to Czech police. What followed was a long extradition fight, with both the US and Russia trying to claim him. The US won that one, and he was extradited in 2018.
In 2020 a US federal jury convicted him over the intrusions at LinkedIn, Dropbox and Formspring. The court handed him 88 months in prison, a little over seven years, plus restitution. The same employee credential trick across three companies, and it finally caught up with him.
Worth saying plainly. The attacker went to prison, which is more than happens in a lot of these stories. But the 117 million records were already out there, copied a thousand times, baked into every credential stuffing list on the internet. You can jail the person. You can't un breach the data.
What This Actually Teaches Us
A few things from the LinkedIn breach that I bring up almost every time someone tells me their company is "too big to get breached like that."
- Size is not security. A top 10 tech company lost nine figures worth of credentials. Being huge just means you have more to lose and more attack surface to defend. Nobody is too big.
- How you store passwords decides how bad the breach is. The intrusion was one bad day. The unsalted SHA1 is what turned it into years of fallout. Salt everything, use a slow hash like bcrypt, scrypt or Argon2, and you change the whole math for the attacker.
- Your first breach number is almost always wrong. LinkedIn said 6.5 million and meant it. The truth was 117 million. Assume the real blast radius is bigger than the first headline, and respond like it.
- The breach doesn't end on disclosure day. The 2016 resale, four years later, did arguably more damage than the original leak. Stolen credentials have a long shelf life because people reuse passwords everywhere.
- Turn on two factor and stop reusing passwords. Boring advice. Still the single most effective thing a normal person could have done to survive this breach untouched. A password manager and a second factor would have made that stolen LinkedIn password worthless against your other accounts.
The Quiet Bit
The scariest part of the LinkedIn story isn't the 2012 hack. It's the four years of silence in between. The data was gone, the company thought it was a small contained thing, and millions of people had no reason to change a password that was already in a criminal's hands. Breaches aren't loud explosions most of the time. They're quiet leaks that someone monetises on their own schedule. Treat every credential you've ever set as something that could already be on a forum, and protect your accounts like it.
References & Further Reading
Sources I cross checked while writing this. Worth reading if you want the long form versions.
- US Department of Justice, "Russian Hacker Found Guilty Of 2012 Hacking Of LinkedIn, Dropbox, And Formspring": the Yevgeniy Nikulin verdict and case detail.
- LinkedIn Official Blog (May 2016), "Protecting Our Members": LinkedIn's own statement on the 2016 resurfacing and password invalidation.
- Have I Been Pwned, LinkedIn breach record: the 117 million account dataset and timeline.
- Krebs on Security (May 2016), "As Scope of 2012 Breach Expands, LinkedIn To Again Reset Passwords": reporting on the Peace sale and the expanded scope.
- Wikipedia, "2012 LinkedIn hack": rolling summary of the breach, the SHA1 storage and the aftermath.