117 Million Passwords — Sold for $2,200
In 2012, LinkedIn was breached. The attackers stole 117 million email and password combinations. LinkedIn's security team initially said the passwords were "hashed" — technically true, but they were hashed with MD5 without salt, which is as close to plaintext as it gets.
In 2016 — four years later — those 117 million records appeared for sale on a dark web marketplace for 5 bitcoin ($2,200 at the time). Within days, the hashes were cracked. Tools like hashcat can test billions of MD5 guesses per second on a modern GPU. Common passwords fell in milliseconds.
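To make the hashing point concrete, here is an added Python example that is not code from the page or from LinkedIn. It shows why an unsalted, fast hash like MD5 falls to a precomputed lookup table, why identical passwords become visible as identical hashes, and how a per-user random salt combined with a deliberately slow KDF (PBKDF2-HMAC-SHA256 from Python's standard library) removes both problems. The wordlist, the usernames, the leaked-database contents and the iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a cracking dictionary (assumption: not taken from the page).
WORDLIST: List[str] = ["password", "123456", "linkedin", "qwerty", "letmein"]


def md5_unsalted(password: str) -> str:
    """The weak scheme described in the text: MD5 over the password alone, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed "leaked database" of username -> unsalted MD5, the shape the text describes.
LEAKED_MD5_DB: Dict[str, str] = {
    "alice": md5_unsalted("password"),
    "bob": md5_unsalted("password"),        # same password as alice -> same hash
    "carol": md5_unsalted("123456"),
    "dave": md5_unsalted("Tr0ub4dor&3-x9"),  # not in the wordlist
}


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Hash the dictionary once. Because there is no salt, this table is reusable
    against every unsalted-MD5 database, not just this one."""
    return {md5_unsalted(w): w for w in words}


def crack_database(db: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Recover passwords by dictionary lookup: one hash-table probe per account,
    so the cost barely grows with the number of leaked records."""
    return {user: table[h] for user, h in db.items() if h in table}


def duplicate_hashes(db: Dict[str, str]) -> Dict[str, List[str]]:
    """Unsalted hashes leak equality: users who share a password share a hash."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for user, h in db.items():
        groups[h].append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}


# Demo iteration count (assumption); production counts should follow current guidance.
DEMO_ITERATIONS = 100_000


def hash_salted_slow(password: str, salt: Optional[bytes] = None,
                     iterations: int = DEMO_ITERATIONS) -> Tuple[bytes, bytes]:
    """Per-user random salt + slow KDF. Returns (salt, digest) to store together."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = DEMO_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("cracked:", crack_database(LEAKED_MD5_DB, table))
    print("shared hashes:", duplicate_hashes(LEAKED_MD5_DB))
    s1, d1 = hash_salted_slow("password")
    s2, d2 = hash_salted_slow("password")
    print("salted digests equal for same password?", d1 == d2)
    print("verify correct password:", verify_salted("password", s1, d1))
```

With the salted scheme, the precomputed table is useless because each user's salt changes the input, and the attacker must run the slow KDF separately for every guess against every account; with unsalted MD5 the same table cracks alice, bob and carol in three dictionary lookups and reveals that alice and bob share a password before any cracking happens.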
The same LinkedIn credentials were then used in credential stuffing attacks against hundreds of other services — Dropbox, Netflix, Spotify. People reuse passwords. One poorly protected database becomes a skeleton key.
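The credential stuffing described above looks different from ordinary failed logins in a service's own authentication logs, and a simple per-source heuristic catches the obvious cases. This added Python example is not code from the page or from any of the services named; it parses constructed log lines (the format, IPs and usernames are assumptions) and flags sources that attempt many distinct accounts with a high failure ratio, returning the accounts that nonetheless succeeded from such a source, since those are the reused-password victims that need a forced reset.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of authentication events (format and values are assumptions).
SAMPLE_LOG = """\
2016-05-18T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2016-05-18T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2016-05-18T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2016-05-18T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2016-05-18T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2016-05-18T10:00:04Z ip=203.0.113.7 user=frank result=SUCCESS
2016-05-18T10:01:10Z ip=198.51.100.4 user=bob result=FAIL
2016-05-18T10:01:20Z ip=198.51.100.4 user=bob result=FAIL
2016-05-18T10:01:35Z ip=198.51.100.4 user=bob result=SUCCESS
2016-05-18T10:02:00Z ip=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each well-formed line into a dict; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events: List[Dict[str, str]],
                          min_distinct_users: int = 5,
                          min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that try many different usernames and mostly fail.

    A legitimate user mistyping their own password hits one account; a stuffing
    run walks a list of leaked emails, so the distinct-user count is the signal.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "successes": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["successes"].add(e["user"])

    flagged: Dict[str, dict] = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                # Successful logins from a stuffing source are reused-password hits.
                "accounts_to_reset": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The heuristic is deliberately per-IP and ignores time, which is enough for the sample but not for a real campaign: a production rule would window by time and also look for many sources each making a handful of attempts, since stuffing traffic is commonly spread across proxies so that no single IP crosses a threshold like this one.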
LinkedIn also delayed notifying users for four years. By the time most people knew their password had been exposed, attackers had been using it for years.
LinkedIn hashed passwords with MD5. Why were the hashes cracked so easily?
After a password database is leaked, attackers try those credentials on other sites. What is this attack called?