About 6.5 million people were initially believed to be at risk after the 2012 attack on LinkedIn – but the business site has now admitted the real scale of the breach stands at 164,611,595 people.
Out of those, passwords and email addresses for 117 million accounts have been listed for sale on the internet black market.
And anyone can buy the lot for just £1,568 ($2,300).
Criminals who buy the details from the Russian seller, who goes by the name Peace, will be able to access the victim’s LinkedIn account, along with any other website on which the same password and email combination is used.
This could give the criminal access to the victim’s bank account, medical history and social media profiles – making the victim hugely vulnerable to financial loss and identity theft.
LinkedIn confirmed the massive breach this week and urged users to change their passwords immediately.
Cory Scott, LinkedIn’s chief security officer, said: “We became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their password.”
The company did not apologise or take responsibility for the breach, which occurred due to security flaws and has left millions at risk.
The most-used passwords on LinkedIn have also been revealed in the aftermath of the breach, with some incredibly simple and easily guessed phrases topping the list.
More than 750,000 people used ‘123456’ as their password, while 172,000 used ‘linkedin’.
Tens of thousands of people used ‘password’, ‘111111’ and ‘qwerty’ – passwords which could easily be guessed without the need for a hack.
Worried LinkedIn users can check whether their details were stolen in the breach – or from more than 100 other hacked websites including Adobe and Ashley Madison – at www.haveibeenpwned.com. Just enter your email address and the site will tell you whether it has been shared on the dark web.