LinkedIn's "leak gate": 167 million passwords offered on the black market for 5 Bitcoin
Chinese translation by 樸成奎 for Fortune China (財富中文網); the English original follows.
Remember LinkedIn's 2012 data breach? A hacker stole 6.5 million password hashes from the site and posted them to a Russian crime forum. Now it appears that theft was just the tip of the iceberg. A Russian hacker who goes by "Peace" is selling 117 million email and password combinations on a dark web marketplace, Vice Motherboard reports. The going rate for the loot is five Bitcoin, or about $2,300.

Motherboard said it received a portion of the data, about one million credentials, from Leaked Source, a paid search engine for hacked data that claims to have acquired a total of 167 million of the leaked login credentials. The outlet verified that at least one of the hacked accounts is legitimate by confirming details with one of the victims. Cybersecurity researcher Troy Hunt, who runs the hacked data search engine HaveIBeenPwned.com, said he confirmed details with two other victims. He added that he does not yet have the full set to load into his database.

A person who represents Leaked Source, which has been analyzing the stolen data, told Fortune in an email that 160 million of the compromised accounts have unique email addresses, while the remaining 7 million include only numeric user IDs and passwords. The spokesperson said the site's administrators do not have access to the 6.5 million credentials initially released in 2012, so they are unable to check whether those are included in the latest set. "We acquired the 167 million credentials for free from someone who got them from the Russians," the Leaked Source rep told Fortune. "We have been asked not to reveal who they are or it would jeopardize their relationship with whomever provided it to them."

Cory Scott, LinkedIn's chief information security officer, published a post addressing the incident on the professional network's official blog on Wednesday. "Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012," Scott wrote. He said the company had required "all accounts we believed to be compromised" to reset their passwords in 2012, and had recommended that all other users reset their passwords as well. "We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords," he said. "We have no indication that this is as a result of a new security breach."

Scott added that the site had been hashing and "salting" passwords "for several years." A salt is a random value, different for every user, that is combined with the password before it is hashed. It does not make any single password harder to guess, but it stops identical passwords from producing identical hashes and prevents an attacker from computing one lookup table and applying it to every account in a dump. Leaked Source noted, however, that the leaked passwords it had obtained were hashed with SHA-1 but carried no salt. SHA-1 is a fast general-purpose hash rather than a dedicated password hash, so an unsalted SHA-1 dump is the cheapest case for an attacker: each guess has to be computed only once for the whole set, and a table of hashes built from earlier breaches can be matched against it directly. Presumably, LinkedIn began salting its passwords after the 2012 incident.

To stay protected, LinkedIn users should change their password on the site (and on any other site where they reused the same password) and enable two-factor authentication, which sends a security code to the user's phone at login.
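The difference between the unsalted SHA-1 storage Leaked Source described and salted storage, as an added Python example that is not LinkedIn's code and not part of the original article. The accounts, passwords and attacker word list are constructed for the example; the salted scheme hashes SHA-256 over salt plus password purely to show what the salt changes about the attacker's cost, not as a recommended password hash (a slow, memory-hard function such as bcrypt, scrypt or Argon2 should be used in production).

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not real LinkedIn accounts):
# email -> plaintext password, in the shape of the leaked email/password pairs.
SAMPLE_PASSWORDS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "password1",
    "carol@example.com": "linkedin",      # same password as alice
    "dave@example.com": "Tr0ub4dor&3",    # not in the word list below
}

# Constructed attacker word list, in the order the attacker tries guesses.
WORDLIST = ["123456", "password", "linkedin", "password1", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The scheme Leaked Source reported for the dump: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_dump(passwords: dict) -> dict:
    """What a site storing unsalted SHA-1 leaks: email -> hex digest."""
    return {email: unsalted_sha1(pw) for email, pw in passwords.items()}


def crack_unsalted(dump: dict, wordlist) -> tuple:
    """Dictionary attack on an unsalted dump.

    Each guess is hashed exactly once and the resulting table is matched
    against every account, so the work is len(wordlist) no matter how many
    accounts leaked, and users who share a password fall together.
    Returns (cracked {email: password}, number of hashes computed).
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt mixed into the hash.

    Illustrates the salting idea only: SHA-256 is still a fast hash. A real
    password store should use bcrypt, scrypt or Argon2, which salt internally.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_salted_dump(passwords: dict) -> dict:
    """email -> (salt_hex, digest); the salt is stored beside the hash."""
    out = {}
    for email, pw in passwords.items():
        salt = os.urandom(16)               # fresh 128-bit salt per account
        out[email] = (salt.hex(), salted_hash(pw, salt))
    return out


def crack_salted(dump: dict, wordlist) -> tuple:
    """Same dictionary attack against a salted dump.

    No shared table is possible: every guess must be re-hashed under each
    account's own salt, so the work grows to len(wordlist) * len(dump)
    in the worst case. Returns (cracked {email: password}, hashes computed).
    """
    cracked = {}
    hashes = 0
    for email, (salt_hex, digest) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for guess in wordlist:
            hashes += 1
            if hmac.compare_digest(salted_hash(guess, salt), digest):
                cracked[email] = guess
                break
    return cracked, hashes


if __name__ == "__main__":
    unsalted = build_unsalted_dump(SAMPLE_PASSWORDS)
    print("alice and carol share a hash:",
          unsalted["alice@example.com"] == unsalted["carol@example.com"])
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    salted = build_salted_dump(SAMPLE_PASSWORDS)
    print("salted:", crack_salted(salted, WORDLIST))
```

Run it and the unsalted dump is cracked with five hash computations for all four accounts, with alice and carol visibly sharing a digest; the salted dump gives up the same three weak passwords, but only after fifteen hash computations, and the two "linkedin" accounts no longer look alike. Scale the word list to billions of entries and the dump to 167 million accounts and that multiplier is the whole point of the salt.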