Just a few days after a massive Facebook data leak made the headlines around the globe, it seems like we’re in for another one, this time involving LinkedIn. A massive archive with data purportedly scraped from 500 million LinkedIn profiles leaked and was put for sale on a popular hacker forum. The author even included an extra 2 million records as a “proof-of-concept” sample.
The trove of stolen LinkedIn data includes:
- user IDs,
- full names,
- email addresses,
- phone numbers,
- professional titles, and,
- other work-related data.
LinkedIn officials point out that the data set is actually an aggregation of data from a number of websites and companies. According to them, LinkedIn did not suffer a data breach involving hackers penetrating the company’s internal databases to siphon information. Instead, the criminals scraped the data from LinkedIn’s public-facing service, not unlike the recent cybersecurity incident at Facebook.
“Any misuse of our members’ data, such as scraping, violates LinkedIn terms of service. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable,” LinkedIn said in a statement.
Even More LinkedIn Accounts Leaked?!
It is interesting that LinkedIn merely cites a “violation of policy” with this latest breach. It’s like the Louvre saying stealing art is a violation of policy instead of a theft. While we are responsible for managing our passwords and login credentials appropriately, companies need to ensure they’re securing our data. We pay them to secure and exchange data and in this case for access to professionals networks on the site. Clearly, this has value. As the article states this now opens those whose information was scraped to multiple threat vectors and to be spoofed, phished, and impersonated. It isn’t good and there will be more to come. We need to be proactive here. Not reactive.
Chris Story, MBA, Sr. Consultant
As we said, the 4 leaked files containing the information about LinkedIn users were first put on a popular forum. Originally, the users on the hacker forum could view the leaked samples for about USD 2 worth of forum credits. Afterwards, the hacker then tried auctioning the much-larger 500 million LinkedIn profiles leaked for a 4-digit sum – assumedly in bitcoin.
As a result, Italy’s privacy watchdog to begin an investigation into the. Italy has one of the highest LinkedIn subscriber counts among the European countries. The authorities called on affected users to pay particular attention to any anomalies in relation to their phone numbers and accounts.
Sadly, it seems that this story did not end with only 500 million LinkedIn profiles leaked.
“It seems that other threat actors are looking to piggyback on the leak. On Friday, a new collection of LinkedIn databases has been put for sale on the same hacker forum by another user – for USD 7,000 worth of bitcoin. The new author claims to be in possession of both the original 500-million database, as well as six additional archives that allegedly include 327 million scraped LinkedIn profiles,” reports Cyber News.
If this information is correct, than the overall number of scraped profiles is at 827 million. This exceeds LinkedIn’s actual base of more than 740 million users by more than 10 percent. However, if that is the case than some, if not most, of the new data is either duplicate or old.
What Now?
So, what can be done with all this data?
Well, a number of unpleasantries could be in store for the people whose profiles are on the list. They could be:
- Targeted by phishing attacks;
- Their emails and phone numbers could be spammed; or,
- Their LinkedIn profiles and email addresses could be brute-forced etc.
For competent cybercriminals the email address alone is enough to wreak havoc. And combined with the other info in the leaked files, malicious people could try to create detailed profiles in complex social engineering schemes or phishing attempts – or simply commit identity theft.
Therefore, if you fear that your information might have been among the 500 million LinkedIn profiles leaked in this breach, we suggest that you:
- Check if your email and phone number have been compromised by using Have I Been Pwned.
- Stay on the lookout for any suspicious messages or requests from strangers.
- Consider changing your passwords.
- Definitely use two-factor identification.
- Absolutely do not click on anything suspicious.
