Although social networks are frequently associated with a younger population and unprofessional behavior, the term technically encompasses networks that are used for more serious purposes as well. LinkedIn's name has been synonymous with professional networking for more than a decade, similar to what you'd do at parties and social gatherings, but entirely online.
It might not be as big a catch as Facebook, but that still makes LinkedIn a prime target for hacks and leaks, as shown by this latest incident involving 700 million user records.
LinkedIn was not hacked, or at least that’s what the company asserts, and none of the network’s members’ personal information was leaked.
According to LinkedIn, the figure of 700 million, which is more than 92% of its total 756 million users, was derived from a simple yet extensive data scraping activity. The full names, email addresses, phone numbers, and work information of the users were all included in this data mine. The seller, who goes under the moniker “GOD User” TomLiner, offered 1 million records as proof of the windfall, which were independently verified as authentic.
The database, which includes phone numbers, physical addresses, geolocation data, and estimated salaries, is for sale on the dark web. The sample of 1 million records has been provided by the hacker who stole the data, and checks have shown that the data is both legitimate and up-to-date.
RestorePrivacy reports the hacker appears to have downloaded the data through the official LinkedIn API, which was also utilized in a previous attack in April.
On June 22nd, a user of a popular hacker forum advertised data from 700 million LinkedIn users for sale. The user of the forum posted up a sample of the data that includes 1 million LinkedIn users. We examined the sample and found it to contain the following information:
- Email Addresses
- Full names
- Phone numbers
- Physical addresses
- Geolocation records
- LinkedIn username and profile URL
- Personal and professional experience/background
- Other social media accounts and usernames
Based on our analysis and cross-checking data from the sample with other publicly available information, it appears all data is authentic and tied to real users. Additionally, the data does appear to be up to date, with samples from 2020 to 2021.
We reached out directly to the user who is posting the data up for sale on the hacking forum. He claims the data was obtained by exploiting the LinkedIn API to harvest information that people upload to the site.
This isn’t the first time LinkedIn has had a major data breach this year. A batch of 500 million user details was also offered to the highest bidder last April. LinkedIn issued the same statement at the time, blaming it on data harvesting techniques, which are already against its terms of service.
While no passwords are supplied, the site cautions that this is still valuable information that may be exploited for identity theft and convincing-looking phishing attempts to get login credentials for LinkedIn and other sites.
While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected. (LinkedIn)
Someone was able to scrape millions of records, whether using the API or otherwise, which is unquestionably a security breach.