Cybersecurity news – NetworkTigers – 30 June 2021.
SAN MATEO, CA — LinkedIn today denied a data breach following a massive trove of LinkedIn user data posted for sale on Tuesday 22 June. The data was posted on RaidForums, an online marketplace where users share and sell information gathered from leaks, breaches, and hacks. The data contains email addresses, geolocation records, usernames, profile URLs, personal and professional experience, gender, and links to other social media accounts and usernames.
Insisting it was not a breach, LinkedIn said today,
“Our teams have investigated a set of alleged LinkedIn data that has been posted for sale. We want to be clear that this is not a data breach, and no private LinkedIn member data was exposed.”
The collection reportedly has information related to 700 million LinkedIn users, which is over 92% of the 756 million users of the platform. To put it plainly, almost every single LinkedIn user can probably find their data within the files offered for sale.
The RaidForums poster, going by the name “TomLiner,” released a sample of the data to verify the legitimacy of their claim. Researchers have determined that the information posted for sale is both up to date and accurately advertised.
How was the LinkedIn data collected?
This data was allegedly acquired using a common technique known as “data scraping.” Data scrapers typically use a program to pull information out of a human-readable document or database so that it can be studied or transferred elsewhere in bulk. The hacker reportedly was able to misuse LinkedIn’s API, or Application Program Interface, in order to access and collect the data.
The information collected in this batch, like the scrape from last April, is not stolen, private data, but rather publicly available information that the hacker aggregated into one easily accessible lot.
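An added example, not from the article or from LinkedIn, showing the defender’s side of the technique described above: a sliding-window check over constructed API access logs that separates bulk profile enumeration (many distinct profiles read in a short span) from ordinary repeat viewing. The log line format, client ids and the `/v2/people/` path are assumptions for the sake of illustration.

```python
import re
from collections import defaultdict, deque

# Assumed log format (constructed, not LinkedIn's): <epoch> <client_id> GET <path>
LINE_RE = re.compile(r"^(\d+) (\S+) GET /v2/people/([^/\s?]+)")


def detect_profile_enumeration(log_text, window=60, max_requests=20, min_distinct_ratio=0.9):
    """Return {client_id: (requests, distinct_profiles)} for clients whose profile
    reads inside any `window`-second span exceed `max_requests` and consist mostly
    of distinct profiles. A high distinct ratio is the enumeration signature;
    a user re-opening the same few profiles many times is not flagged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m.group(2)].append((int(m.group(1)), m.group(3)))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        win = deque()
        for ts, profile in evs:
            win.append((ts, profile))
            while win[0][0] < ts - window:  # drop reads older than the window
                win.popleft()
            n = len(win)
            distinct = len({p for _, p in win})
            if n > max_requests and distinct / n >= min_distinct_ratio:
                flagged[client] = (n, distinct)  # first window that trips the rule
                break
    return flagged


def build_sample_log():
    """Constructed sample: one harvester, one normal user, one low-volume client."""
    base = 1624320000  # constructed timestamp, 22 June 2021
    lines = []
    for i in range(30):  # bulk enumeration: 30 distinct profiles in 30 seconds
        lines.append(f"{base + i} key-scraper GET /v2/people/member-{i:04d}")
    for i in range(25):  # normal: 25 reads but only 5 distinct profiles
        lines.append(f"{base + i} key-user GET /v2/people/colleague-{i % 5}")
    for i in range(10):  # low volume: 10 distinct profiles spread over 90 seconds
        lines.append(f"{base + i * 10} key-recruiter GET /v2/people/candidate-{i}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect_profile_enumeration(build_sample_log()))
```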
What is being done about it?
A rather egregious aspect of this particular incident is that no one was informed of the data’s availability until the hacker made it known. Even then, LinkedIn did not make a formal, public statement until today, 7 days after the data was posted for sale, and seemingly only after news organizations were tipped off to the post and began reporting on it.
LinkedIn finally acknowledged the issue with an official statement (above) and added
“Our initial investigation has found that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping update.”
LinkedIn’s statement seems to imply that the company will pursue charges against the perpetrator of the scrape, and that there will be consequences for whoever carried out this action:
“Members trust LinkedIn with their data, and any misuse of our members’ data, such as scraping, violates LinkedIn terms of service. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”
What is the danger of the LinkedIn breach?
While the company is correct in that the data was not collected in what would technically be a “breach,” their statement falls a little flat with regard to the security of their users. The scraped data still provides malicious actors with a tremendous amount of user information that can be used to engage in phishing scams and other crimes that can be more efficiently carried out thanks to the convenience of having so much material in one spot.
Savvy hackers, of which there are many, can combine such details with credentials from other leaks to grab credit card information or even commit identity theft. Brute-force attempts to break into user accounts are also made possible with remarkably little to start from.
How can this be prevented in the future?
Web scraping, by its nature, is not illegal. In many cases, it is a helpful tool used for market research across social media and other platforms. However, it is a double-edged sword that can also be utilized by bad actors for malicious purposes.
It is unclear how such an event can be prevented in the future without changes to current laws and, as is often the case, most of the mitigation falls onto individuals who need to continually be vigilant and on guard when it comes to their online activity.
LinkedIn users are encouraged to change their passwords and be extra cautious with regard to any suspicious emails or activity across their banking, social media, and credit card accounts. Individuals can also use Have I Been Pwned?, an online resource for checking whether their credentials have been involved in a data leak or breach.
- LinkedIn breach reportedly exposes data of 92% of users, including inferred salaries, by Ben Lovejoy, 9to5Mac, 29 June 2021
- An update on report of scraped data, LinkedIn Corporate Communications, 29 June 2021
- Massive new LinkedIn data breach hits 92 percent of users; how hacker did it and yes, you should worry, HT Tech, 30 June 2021
- Exclusive: 700 Million LinkedIn Records For Sale on Hacker Forum, June 22nd 2021, by Madelein Hodson, Privacy Sharks, 27 June 2021
- Is web scraping legal? A guide for 2021, by Tony Paul, LinkedIn, 29 Dec 2020
NetworkTigers was founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms. Today, NetworkTigers provides consulting and network equipment to businesses and individuals globally. www.networktigers.com