The LinkedIn Breach That Stayed Hidden for Four Years
6.5 million leaked passwords were actually 167 million — and the gap between those two numbers is the whole story.
In June 2012, six and a half million LinkedIn passwords appeared on a Russian-language forum. LinkedIn confirmed the breach within days, invalidated the exposed accounts, and began upgrading its password storage. The incident looked contained — a serious but bounded failure, managed and closed.
It wasn’t. Four years later, a dataset surfacing on a dark web marketplace revealed the actual number: a hundred and sixty-seven million accounts. And because of how those passwords had been stored, researchers cracked the vast majority in under twenty-four hours.
The gap between 6.5 million and 167 million is where this story lives.
How it actually happened
For years, the accepted explanation for how the attacker got in was SQL injection, an attack that smuggles attacker-controlled commands into the queries a web application sends its database; that theory appeared in civil litigation filings. The criminal trial told a different story. The attacker, Yevgeniy Nikulin, targeted a single LinkedIn employee whose work machine was running a virtual machine, a sealed environment in which the employee hosted a personal web server as a side project. Think of a house with a sealed room inside it: as long as the room holds, the side project is harmless. Nikulin broke out of the room through a flaw in the software layer beneath it, and from there reached the employee’s access to LinkedIn’s corporate network.
One stolen VPN credential later, he had the entire user database.
Why salting was the whole game
What he took were hashed passwords: passwords run through a one-way mathematical transformation, so the database holds digests rather than the passwords themselves. Hashing by itself wasn’t the failure. The failure was that LinkedIn didn’t salt its hashes: it didn’t mix a unique random value into each password before hashing it. Without salt, ten thousand people who chose the same password produced ten thousand identical hashes. Crack one, and you’ve cracked all ten thousand; worse, a table of hashes precomputed from a wordlist matches every account in the database at once. Salting wouldn’t have made any single password harder to guess. What it changes is the cost at scale: every candidate password has to be rehashed separately under each account’s salt, so cracking a database of N accounts costs roughly N times the work of cracking one, and precomputed tables become useless. (A fast hash such as SHA-1, which is what LinkedIn used, still lets an attacker test billions of guesses per second against a single account; a deliberately slow password hash is the other half of the fix, but salting is the half this story turns on.) That one decision is the difference between a nuisance and a catastrophe.
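The scale effect described above, as an added example that is not from the episode or from LinkedIn’s code. The user table and wordlist are constructed for illustration; the hash is SHA-1 because that is what LinkedIn stored in 2012 (a slow KDF would be the right choice for a real system). The two cracking routines count hash computations so the ratio between the unsalted and salted cases is visible directly.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample data (not real LinkedIn records): four users, two of
# whom chose the same password. Real wordlists run to hundreds of millions
# of entries; the shape of the attack is identical.
USERS = [
    ("alice", "password123"),
    ("bob", "password123"),
    ("carol", "linkedin2012"),
    ("dave", "Tr0ub4dor&3"),
]
WORDLIST = ["123456", "password", "password123", "linkedin", "linkedin2012"]


def unsalted_sha1(password: str) -> str:
    """LinkedIn's 2012 scheme: SHA-1 of the bare password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Same hash with a per-user random salt prepended, so the two schemes
    differ in exactly one respect: the salt."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_salted_record(password: str) -> tuple[bytes, str]:
    """Store (salt, digest); the salt is not secret, only unique per user."""
    salt = secrets.token_bytes(16)
    return salt, salted_sha1(password, salt)


UNSALTED_DB = {user: unsalted_sha1(pw) for user, pw in USERS}
SALTED_DB = {user: make_salted_record(pw) for user, pw in USERS}


def duplicate_hash_groups(db: dict[str, str]) -> dict[str, list[str]]:
    """Unsalted storage leaks which users share a password: their digests
    are identical, before anything has been cracked."""
    groups = defaultdict(list)
    for user, digest in db.items():
        groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def crack_unsalted(db: dict[str, str], wordlist: list[str]):
    """Hash each candidate once, then look every account up in that table.
    Returns (cracked {user: password}, number of hash computations)."""
    table = {}
    work = 0
    for candidate in wordlist:
        table[unsalted_sha1(candidate)] = candidate
        work += 1
    cracked = {user: table[d] for user, d in db.items() if d in table}
    return cracked, work


def crack_salted(db: dict[str, tuple[bytes, str]], wordlist: list[str]):
    """With salts there is no shared table: every candidate must be rehashed
    under each account's own salt, so the work grows with the account count."""
    cracked = {}
    work = 0
    for user, (salt, digest) in db.items():
        for candidate in wordlist:
            work += 1
            if salted_sha1(candidate, salt) == digest:
                cracked[user] = candidate
                break
    return cracked, work


if __name__ == "__main__":
    print("shared digests:", duplicate_hash_groups(UNSALTED_DB))
    print("unsalted:", crack_unsalted(UNSALTED_DB, WORDLIST))
    print("salted:  ", crack_salted(SALTED_DB, WORDLIST))
```

Both routines recover the same three weak passwords; the difference is cost. The unsalted attack hashes the wordlist once (5 computations here) and matches it against every account, and the identical digests for alice and bob show which accounts share a password before a single guess is made. The salted attack has to rehash candidates per account (16 computations here, and N times the wordlist in the worst case for N accounts), which is exactly the linear multiplier that separates cracking one password from cracking a whole database.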
The four-year silence
LinkedIn’s response in 2012 was real and, measured against what it believed had happened, proportionate. It reset the 6.5 million accounts in the public dump. But it never determined that the entire database had left the building. The remaining 160 million accounts were never forced to reset — they sat unchanged, unsalted, and crackable for four years while the full database circulated privately. In 2016 it surfaced for sale. The same year, Microsoft bought LinkedIn for roughly $26 billion.
Why this is about you
A cracked password is only worth something if it’s reused. Credential stuffing — taking a stolen email-and-password pair and trying it automatically against hundreds of other services — turns one company’s breach into an attack on every platform where you used the same password. The LinkedIn database became foundational material for nearly a decade of these attacks against platforms that had nothing to do with LinkedIn.
The full breakdown — the intrusion, the hashing, the response, and the economy it created — is in the episode.
🎧 Listen / watch above. Zero Day Logs is a documentary series on the security failures that shaped the internet.
