Data breach · Resolved

LinkedIn password breach

A 2012 intrusion into LinkedIn exposed user passwords stored as unsalted SHA-1 hashes. Initially reported as 6.5 million credentials, the full scope of 117 million accounts only emerged in 2016 when the data surfaced for sale on the dark web.

Victim: LinkedIn
Loss: $1.3M
Records: 117.0M
Users: 117.0M

On 5 June 2012, roughly 6.5 million LinkedIn password hashes appeared on a Russian hacking forum, prompting the professional network to reset affected accounts. What looked at the time like a contained incident proved, four years later, to be one of the largest credential breaches of the era: the full haul covered 117 million accounts, dormant until it surfaced for sale on the dark web in 2016.

What happened

In May 2012, the Russian national Yevgeniy Nikulin compromised the computer of a LinkedIn employee and installed malware that captured the employee's credentials. Using that privileged access, he reached LinkedIn's internal user database and exfiltrated email addresses and password hashes.

LinkedIn had stored passwords as unsalted SHA-1 hashes. SHA-1 is a fast, general-purpose hash, and without a per-user salt identical passwords produce identical hashes, so precomputed tables and dictionary attacks recover passwords at scale with trivial effort. After the 6.5 million hashes were published, researchers cracked the vast majority within days.

How the full scope emerged

In May 2016, a seller using the handle "Peace" advertised 117 million LinkedIn email-and-password combinations, the rest of the 2012 haul, for about 5 bitcoin (~$2,200 at the time) on a dark-web marketplace. LinkedIn confirmed the data was authentic and invalidated passwords for every account that had not changed its credentials since 2012. The same actor was simultaneously selling data from the MySpace and Tumblr breaches, all part of a wave of "mega-breach" dumps that reached the public market in 2016.

Impact

  • 117 million accounts had email addresses and crackable password hashes exposed.
  • Because so many users reused passwords, the credentials fueled years of credential-stuffing attacks against other services; several high-profile account takeovers (including Mark Zuckerberg's social-media accounts) were traced to reused LinkedIn passwords.
  • Nikulin was arrested in Prague in October 2016, extradited to the United States, and in July 2020 convicted of the LinkedIn, Dropbox, and Formspring intrusions. He was sentenced to 88 months in prison.

Why it matters

LinkedIn is the textbook case for two enduring lessons. First, password storage matters: unsalted SHA-1 turned a database theft into a near-complete credential compromise. Modern practice therefore requires slow, salted password-hashing algorithms such as bcrypt, scrypt, or Argon2, precisely to make this kind of mass cracking infeasible.
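To make the storage lesson from the "What happened" section and this paragraph concrete, here is an added example (not code from the original page or from LinkedIn) that builds the same constructed credential set two ways: the 2012-style unsalted SHA-1 store, and a per-user-salted scrypt store. It shows that reused passwords are visible as duplicate hashes before any cracking in the unsalted store, and that the salted store leaks nothing of the kind while still verifying correctly. The sample accounts and passwords are invented.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample credential set (not real breach data); note that two
# distinct users reuse the same password.
SAMPLE_PASSWORDS = {
    "alice@example.com": "password",
    "bob@example.com": "linkedin2012",
    "carol@example.com": "password",
}

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)

def hash_unsalted_sha1(password: str) -> str:
    """The 2012 LinkedIn scheme: a single fast SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_salted_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a memory-hard KDF (scrypt, one of the algorithms
    the page recommends). Stored as 'salt_hex$digest_hex' so the salt can be
    recovered at verification time."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"

def verify_salted_scrypt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)

def build_store(passwords: dict, hash_fn) -> dict:
    """Map each account to its stored hash using the given scheme."""
    return {user: hash_fn(pw) for user, pw in passwords.items()}

def duplicate_hash_groups(store: dict) -> int:
    """Count distinct hash values shared by more than one account. A non-zero
    count means password reuse is readable straight from the dump, which is
    exactly what an unsalted store exposes and a salted store hides."""
    return sum(1 for n in Counter(store.values()).values() if n > 1)

if __name__ == "__main__":
    unsalted = build_store(SAMPLE_PASSWORDS, hash_unsalted_sha1)
    salted = build_store(SAMPLE_PASSWORDS, hash_salted_scrypt)
    print("duplicate groups, unsalted SHA-1:", duplicate_hash_groups(unsalted))  # 1
    print("duplicate groups, salted scrypt: ", duplicate_hash_groups(salted))    # 0
    print("carol verifies:", verify_salted_scrypt("password", salted["carol@example.com"]))
```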

Second, the true scope of a breach can lie dormant for years. The gap between the 6.5 million figure reported in 2012 and the 117 million confirmed in 2016 showed that initial disclosures often understate the damage, and that stolen credentials retain value long after the original intrusion. The episode helped accelerate industry adoption of multi-factor authentication and breach-monitoring services like Have I Been Pwned, which ingested the LinkedIn data as one of its defining datasets.

Financial impact

Reported costs in USD

Total reported loss: $1.3M USD ($1,250,000)
  • Business loss: $1.3M

Timeline

  1. Attacker compromises a LinkedIn employee's computer, plants malware, and uses stolen credentials to access LinkedIn's internal user database.

  2. Roughly 6.5 million unsalted SHA-1 password hashes appear on a Russian hacking forum; LinkedIn confirms the breach and resets affected passwords.

  3. Security researchers crack the bulk of the published hashes within days due to the absence of salting.

  4. A seller offers 117 million LinkedIn email-and-password pairs from the 2012 breach for sale on a dark-web marketplace.

  5. LinkedIn confirms the larger scope and invalidates passwords for all accounts not reset since 2012.

  6. Yevgeniy Nikulin is arrested in Prague at the request of U.S. authorities.

  7. A U.S. jury convicts Nikulin of the LinkedIn, Dropbox, and Formspring hacks; he is later sentenced to 88 months in prison.

Sources

  1. krebsonsecurity.com: https://krebsonsecurity.com/2016/05/as-scope-of-2012-breach-expands-linkedin-to-again-reset-passwords-for-some-users/
  2. money.cnn.com: https://money.cnn.com/2016/05/19/technology/linkedin-hack/
  3. en.wikipedia.org: https://en.wikipedia.org/wiki/2012_LinkedIn_hack
  4. cyberscoop.com: https://cyberscoop.com/nikulin-sentence-russian-cybercrime-linkedin-hacker/
