After hackers stole usernames and passwords from LinkedIn Corp. LNKD -2.45 % in 2012, the company spent close to $1 million on an investigation that determined that 6.5 million users had been affected.
This week, LinkedIn acknowledged that it underestimated the impact—by more than 100 million users, whose passwords may have been compromised for years.
The new disclosure, in a LinkedIn blog post on Thursday, came after a hacker claimed to have a database of 117 million usernames and passwords. The professional social network, which now has 433 million members, said it would force users who hadn’t reset their passwords since 2012 to do so.
For companies like LinkedIn, responding to a data breach represents a difficult balancing act. Computer intrusion is a murky business and data-breach investigations don’t always reveal the entire picture, said Charles Carmakal, vice president with the Mandiant unit of FireEye Inc. FEYE -0.74 %
Mr. Carmakal said it isn’t unusual for companies to fail to realize the full extent of a hack. “It could be that the hackers cleaned up their trails that they were there,” he said. “We see lots of organizations that lose terabytes of data that don’t notice that it has happened.”
In 2012, LinkedIn knew that at least 6.5 million passwords had been compromised because that many had been released on a Russian hacking forum. Then, the company faced a choice between security and convenience. It could have forced all of its then-161 million members to reset their passwords, but that could have frustrated many users or made them unhappy.
This week, security experts said LinkedIn would have been better off with unhappy users, and showing the world that it was serious about security.
LinkedIn’s decision to conservatively estimate the size of its 2012 breach was unusual.
“Most companies over-notify,” said Chris Hoofnagle, a University of California, Berkeley, professor who studies privacy and data breach laws. “That’s what’s a little strange about this one.”
LinkedIn spokesman Hani Durzy defended the company’s 2012 actions. “We made the decision to invalidate the accounts that used any of the 6.5 million passwords released in 2012 based on the information we had available at the time,” he said.
In that sense, LinkedIn may not be in a unique position. “It’s something that a lot of organizations struggle with,” Mr. Carmakal said. “In general, most victims will only publicly disclose data based on evidence and facts that they have.”
—Deepa Seetharaman contributed to this article.
Robert McMillan at Robert.Mcmillan@wsj.com