Anatomy of a Breach: LinkedIn — 117 Million Passwords and the Credential Breach That Kept Growing

> series: anatomy_of_a_breach —— part: 042 —— target: linkedin —— accounts: 117,000,000 —— hashing: unsalted_sha1

Hedgehog Security 30 June 2012 13 min read

117 million accounts. Unsalted SHA-1. The breach that would not stop.

On 6 June 2012, approximately 6.5 million LinkedIn password hashes were posted to a Russian hacking forum. LinkedIn confirmed the breach and forced password resets for affected accounts. The passwords had been stored using unsalted SHA-1 — a hashing algorithm that, without salting, allows attackers to crack passwords using precomputed rainbow tables at enormous speed. Within hours, a significant proportion of the hashes had been cracked, exposing the plaintext passwords of millions of professionals.

But the story was far from over. In May 2016 — four years after the original disclosure — it emerged that the actual breach had compromised not 6.5 million but 117 million accounts. A hacker known as 'Peace' offered the full dataset for sale on the dark web for 5 Bitcoin (approximately $2,200 at the time). The four-year gap between the breach and the revelation of its true scale meant that 117 million users had been at risk without knowing it — their credentials potentially used for credential-stuffing attacks against email, banking, and corporate accounts throughout that period.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Unsalted SHA-1 — a decade behind best practice.

LinkedIn's use of unsalted SHA-1 for password storage was, by 2012 standards, indefensible. SHA-1 is a fast hashing algorithm — it was designed for speed, not for password storage. Without salting (adding a unique random value to each password before hashing), identical passwords produce identical hashes, enabling precomputed rainbow table attacks that can crack millions of passwords in seconds. By 2012, bcrypt — the algorithm that Zappos used — had been available for over a decade.

| Algorithm | Suitable for passwords? | Why |
|---|---|---|
| Unsalted SHA-1 (LinkedIn) | No — critically weak | Fast algorithm, no salt. Rainbow tables crack millions of hashes instantly. Our password cracking article demonstrates this. |
| Unsalted MD5 (HBGary) | No — critically weak | Even faster than SHA-1. Trivially crackable with commodity hardware. |
| DES (Gawker) | No — obsolete | 56-bit key length. Brute-forceable on modern hardware in minutes. |
| bcrypt (Zappos) | Yes — appropriate | Deliberately slow, configurable work factor, built-in salting. Designed for password storage. |
| Argon2 (modern best practice) | Yes — current best | Memory-hard, GPU-resistant. Current OWASP recommendation. Cyber Essentials expects appropriate authentication controls. |
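The following is an added example, not code from Hedgehog Security or from LinkedIn. It contrasts the unsalted SHA-1 scheme described above with a salted, deliberately slow scheme and shows the "upgrade on login" pattern a site stuck with legacy hashes would use to migrate without forcing every user to reset at once. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt or Argon2 so that the example runs offline; the work factor, the user records and the tiny wordlist are all constructed for the demonstration.

```python
# Added example (not the article's or LinkedIn's code): unsalted SHA-1 versus a
# salted slow KDF, plus transparent upgrade of legacy hashes at next login.
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# --- the 2012 LinkedIn scheme: unsalted, fast SHA-1 ------------------------
def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 hex digest, the way LinkedIn stored passwords in 2012."""
    return hashlib.sha1(password.encode()).hexdigest()

# --- a modern scheme: per-user random salt + slow, tunable KDF --------------
# Assumed work factor (OWASP's published figure for PBKDF2-HMAC-SHA256);
# bcrypt or Argon2 would be the preferred choice in production.
PBKDF2_ITERATIONS = 600_000

def modern_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def modern_verify(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and work factor; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

# --- constructed sample data --------------------------------------------------
LEGACY_STORE: Dict[str, str] = {          # username -> unsalted SHA-1 (constructed)
    "alice": legacy_sha1("linkedin2012"),
    "bob":   legacy_sha1("Password1"),
    "carol": legacy_sha1("linkedin2012"),  # same password as alice
    "dave":  legacy_sha1("c0rrect-h0rse-battery"),
}
WORDLIST = ["123456", "Password1", "linkedin2012"]   # constructed stand-in for a rainbow table

def shared_hash_groups(store: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values are identical. With no salt, equal passwords
    are visible as equal hashes before a single guess is made."""
    by_hash: Dict[str, List[str]] = {}
    for user, stored in store.items():
        by_hash.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)

def table_recover(store: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """What a precomputed table buys against each scheme: one SHA-1 per word,
    computed once, then a dictionary lookup per record. A salted record never
    matches because the table would have to be rebuilt per salt."""
    table = {legacy_sha1(w): w for w in wordlist}          # hash -> password
    return {user: table[stored] for user, stored in store.items() if stored in table}

def verify_and_upgrade(store: Dict[str, str], username: str, password: str) -> bool:
    """Login check that silently migrates a legacy record the first time the
    correct password is presented (the only moment the plaintext is available)."""
    stored = store[username]
    if stored.startswith("pbkdf2_sha256$"):
        return modern_verify(password, stored)
    if hmac.compare_digest(legacy_sha1(password), stored):
        store[username] = modern_hash(password)             # re-hash under the new scheme
        return True
    return False

if __name__ == "__main__":
    print("identical-password groups:", shared_hash_groups(LEGACY_STORE))
    print("recovered by table lookup:", table_recover(LEGACY_STORE, WORDLIST))
    migrated = dict(LEGACY_STORE)
    verify_and_upgrade(migrated, "alice", "linkedin2012")
    print("alice after login:", migrated["alice"][:40], "...")
```

Running the script shows two of the four legacy records recovered by a three-word table and alice and carol exposed as sharing a password; the same lookup recovers nothing from records written by `modern_hash`, and after one successful login alice's record is a salted PBKDF2 string that a per-record guess must spend the full work factor on.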

117 million passwords weaponised across the internet.

The LinkedIn breach was devastating not just for LinkedIn users but for every service where those users had reused their LinkedIn password. Credential-stuffing attacks — automated attempts to log into other services using stolen username/password combinations — became a major threat vector fuelled by the LinkedIn dataset. Corporate accounts, email services, banking platforms, and VPN portals were all targeted using LinkedIn credentials, because professionals often use the same password across multiple platforms.

This cascade effect is why multi-factor authentication — now a Cyber Essentials Danzell auto-fail criterion — is essential. MFA breaks the credential-reuse chain: even if an attacker has a valid password from a LinkedIn-style breach, they cannot authenticate without the second factor. For ongoing monitoring of credential exposure, dark web monitoring through SOC in a Box detects when your organisation's credentials appear in breach datasets — enabling forced password resets before the credentials are used. Our web application testing verifies password storage security, and UK Cyber Defence provides incident response when credential compromise is detected.
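As an added example (not the article's or SOC in a Box's code), the detection side of the credential-stuffing pattern just described: a single source working through many different usernames with mostly failed logins, where any success inside that burst marks an account whose reused password has been confirmed and which should be forced to reset and stepped up to MFA. The log format, the IP addresses (RFC 5737 test ranges), the usernames and the thresholds are all constructed assumptions.

```python
# Added example: flag credential-stuffing bursts in authentication logs and
# list the accounts that need a forced reset. Log format and thresholds are
# assumptions; the sample lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

LOG_LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

SAMPLE_LOG = """\
2016-05-18T09:00:01Z ip=198.51.100.4 user=alice result=OK
2016-05-18T09:00:05Z ip=203.0.113.7 user=alice result=FAIL
2016-05-18T09:00:06Z ip=203.0.113.7 user=bob result=FAIL
2016-05-18T09:00:07Z ip=203.0.113.7 user=carol result=FAIL
2016-05-18T09:00:08Z ip=203.0.113.7 user=dave result=OK
2016-05-18T09:00:09Z ip=203.0.113.7 user=erin result=FAIL
2016-05-18T09:00:10Z ip=203.0.113.7 user=frank result=FAIL
2016-05-18T09:03:30Z ip=198.51.100.9 user=bob result=FAIL
2016-05-18T09:03:41Z ip=198.51.100.9 user=bob result=FAIL
2016-05-18T09:03:55Z ip=198.51.100.9 user=bob result=OK
"""

Event = Tuple[datetime, str, str, str]   # (timestamp, ip, user, result)

def parse(log: str) -> List[Event]:
    """Parse lines of the assumed format, skipping anything that does not match."""
    events = []
    for line in log.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)

def detect_stuffing(events: List[Event], window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.6) -> Dict[str, Set[str]]:
    """Sliding window per source IP. A window with many distinct usernames and a
    high failure ratio is a stuffing burst (one user mistyping their own password
    repeatedly does not qualify). Returns ip -> accounts that logged in OK
    inside a flagged window, i.e. reused passwords confirmed by the attacker."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged: Dict[str, Set[str]] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # drop events older than the window
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(e[2] for e in win if e[3] == "OK")
    return flagged

def accounts_to_reset(flagged: Dict[str, Set[str]]) -> List[str]:
    """Accounts whose password was accepted during a burst: force a reset and
    require the second factor before the session is trusted."""
    return sorted(set().union(*flagged.values())) if flagged else []

if __name__ == "__main__":
    hits = detect_stuffing(parse(SAMPLE_LOG))
    for ip, accounts in hits.items():
        print(f"stuffing source {ip}: successful logins for {sorted(accounts)}")
    print("force reset:", accounts_to_reset(hits))
```

On the sample log only 203.0.113.7 is flagged (six usernames in five seconds, five failures), and dave is the account to reset; bob's three attempts from 198.51.100.9 are one user getting their own password wrong and are left alone. The failure-ratio test matters because a list of genuinely reused credentials can produce a burst with a high success rate, so in practice the distinct-user count should be allowed to trigger on its own for sources that are not known proxies or NAT gateways.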


Your staff use LinkedIn. LinkedIn was breached. Are their corporate passwords the same?

<a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors dark web breach databases for your organisation's credentials. <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates MFA. Our <a href="/penetration-testing/web-application">application testing</a> verifies your password storage is not the next LinkedIn.
