A second massive Linkedln breach exposes the personal data of 700 million LinkedIn users (nearly 92% of the total 756M users). Data has been sold on the dark web, with records including phone numbers, physical addresses, inferred salaries, and geolocation data.
Based on a report by RestorePrivacy, hackers have released a data sample that includes information about 1 million users. The same report says that the hacker seems to have misused the official Linkedln API to download the data, the same method used back in April, in a similar breach.
“On June 22nd, a user of a popular hacker advertised data from 700 Million LinkedIn users for sale. The user of the forum posted up a sample of the data that includes 1 million LinkedIn users.”
According to the report, these data appear to be recent, with samples from 2020 and 2021. In a statement, a LinkedIn spokesperson disputed this, saying: “We’ve investigated and there is no evidence that this is new data or that the data comes from 2020 and 2021.” You may wonder “How much is the price for such a massive collection of data?”.The answer, no more or less than 5.000$.
What information has been stolen from Linkedln?
The data checked by the website does not include login credentials or financial information, but it does include a large amount of personal information that can be used to impersonate someone, including:
- Full names
- Phone numbers
- Email addresses
- Physical addresses
- LinkedIn usernames and profile URLs
- Geolocation records
- Personal and professional experiences and backgrounds
- Other social media accounts and usernames
However, LinkedIn insists that most of the data is not crawled from its website, and said: ” LinkedIn’s current investigation indicates phone number, gender, inferred salary, and physical address in this data set did not come from LinkedIn.”
The hacker who claims responsibility for the data breach claims to have obtained the data using the same manner used in a huge data breach back in April. Personal information from 500 million people was sold online.
The business company, which reports having 756 million members, released a statement on Tuesday claiming that the data for sale was not the result of a breach, but rather someone merely collecting data from a vast database that was publicly available: “It’s not a breach if it’s public info”, says the company.
According to the company: “Our teams have investigated a set of alleged LinkedIn data that has been posted for sale. We want to be clear that this is not a data breach and no private LinkedIn member data was exposed. Our initial investigation has found that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping update…When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”
What is the danger behind a data scraping?
Tom Kelly, president, and CEO of IDX explained that:
“Data scraping is the process of extracting data from websites without the explicit permission of the individual whose data is being scraped. It is often dangerous, because it leaves users’ personal identifiable information (PII) vulnerable and can lead to compromise of the individual’s privacy. Data scraping can open doors for cybercriminals and hackers to use this data to spearhead further cyberattacks and can give hackers to ability to perpetrate very effective spear-phishing attacks.”Tom Kelly
You might think that simply blocking all data-scraping activity would be the solution. However, Andrew Useckas, CTO and co-founder at ThreatX, says that there are plenty of legitimate uses for data scrapers.
“Data scraping or web scraping is semi-malicious activity. Whether it is considered good or bad, or happening a lot or little, is subjective. For example, big companies scrape their competitors to get the latest pricing and info, etc. Strictly speaking, it’s not bad unless it causes issues for the customer. Some customers like scraping as it increases their marketing footprint.”
However, LinkedIn isn’t alone in this. It was revealed in April that in September 2019, the data of more than 533 million Facebook users were scraped. Linkedln’s public information is more valuable for threat actors, according to Hoala Greevy, founder and CEO of Paubox. The difference is the business intelligence that can be obtained.
“In today’s society, people keep their LinkedIn profiles studiously current. Job title and current employer are especially manicured on LinkedIn. If this information can be scraped at scale, you can determine where everyone works and where everyone sits in the org chart.”
That information can then help the attackers collect large amounts of data on how a company operates and go on to exploit it. Paubox stated that: “If a bad actor can map out an organization’s org chart, they can use that to launch display-name spoofing attacks, which are targeted phishing attacks that use the display name field of an email to impersonate a person of authority (i.e., CEO, CFO)”.
“Why does the attack works?” Because 70% of employees read their emails on a smartphone.
When a data scrape can be considered as dangerous as a breach?
As a worst-case scenario, these large collections of data are being collected and used by hackers to personalize their attacks and making them more powerful, which is what appears to be happening to the Linkedln profile data of those 88.000 business owners whose data was just released into the cybercrime field.
Daniel Markuson, a digital privacy expert at NordVPN, says that data scraping can leave unsuspecting folks vulnerable to being scammed, although is less risky than hacking directly.
“As we saw in the Facebook scraped data-leak incident, the database did contain personal data like phone numbers and emails. Essentially, if cybercriminals get ahold of this type of personal data, it can be used for better phishing attempts and various other forms of scams.”Daniel Markuson
In the end, it’s up to users to protect themselves from attacks powered by data scraping by keeping their personal identifiable information off social media, enabling two-factor authentication (2FA) on accounts, and being aware of finding potentially malicious communications, including texts, email, voice messages, and in-platform messaging services.
Markuson explained that: “If privacy is a priority, social media is not your friend. The rise of biometric data scraping (some corporations build their facial-recognition databases using images scraped from Facebook and Instagram) demonstrates that social media is a huge threat to personal privacy.”