LinkedIn has acknowledged that a previously disclosed data breach in 2012 was much larger than thought, as a hacker put up some 117 million member email addresses and hashed or obfuscated passwords for sale.
Originally, only 6.5 million user credentials were thought to have been taken by unknown hackers in 2012.
After media reported that a hacker named "Peace" posted a trove of LinkedIn data comprising 167 million account details, 117 million of which have both email addresses and hashed passwords, the site's chief information officer Corey Scott confirmed the data breach.
The hacker is asking for five bitcoin (A$3143 as of writing) for the data, in which LinkedIn members' passwords are hashed with the SHA-1 algorithm but without a salt (random numbers and letters added to each password before hashing), making them easy to guess.
Microsoft regional director and operator of the haveibeenpwned data breach website, Troy Hunt, contacted some of the LinkedIn members found in the new data cache, and confirmed their details were legitimate.
Hunt said, however, that he has only sighted a small subset of the newly leaked data.
LinkedIn members will be asked to reset their passwords en masse, as CIO Scott said the careers website will invalidate the passwords found in the breach.
Scott said LinkedIn has hashed and salted every password in the site's database since the 2012 hack, and added further protection such as email challenges and two-factor authentication.
If verified, the 2012 LinkedIn data breach could be one of the biggest so far, exceeding the Adobe hack of 2013 that saw around 153 million credentials and user credit card details being stolen, including those of almost 1.8 million Australians.
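As an added illustration (not code from LinkedIn or from this article), the Python sketch below contrasts the unsalted SHA-1 storage described above with per-user salted hashing. The accounts, passwords, function names and the choice of PBKDF2 with this work factor are constructed assumptions; the article only says passwords are now "hashed and salted".

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not taken from any breach data).
ACCOUNTS = [
    ("alice@example.com", "linkedin123"),
    ("bob@example.com", "linkedin123"),  # same password as alice
    ("carol@example.com", "Tr0ub4dor&3"),
]
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def unsalted_sha1(password):
    """Weak scheme described in the article: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


def accounts_sharing_a_record(stored):
    """Group accounts whose stored password record is byte-for-byte identical."""
    groups = defaultdict(list)
    for email, record in stored.items():
        groups[record].append(email)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def build_stores():
    weak = {email: unsalted_sha1(pw) for email, pw in ACCOUNTS}
    strong = {email: salted_hash(pw) for email, pw in ACCOUNTS}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    # Unsalted: equal passwords give equal digests, so one guess covers both users.
    print("unsalted, identical records:", accounts_sharing_a_record(weak))
    # Salted: every record is unique, so each account must be attacked separately.
    print("salted, identical records:  ", accounts_sharing_a_record(strong))
```

With the unsalted store, anyone holding the dump can see which members share a password and can check a single guess against every account at once; the salted store removes both properties and the slow derivation raises the cost of each guess.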