A hacker who recently offered 700 million LinkedIn records for sale alarmed LinkedIn users and security specialists, but the company insists the data is linked to previously reported scraped data and wasn’t hacked.
The RaidForums post offering the data included a sample users’ full names, genders, birthdates, LinkedIn user names, Facebook user names, Twitter user names, GitHub user names, email addresses, phone numbers, job titles, and full company information.
PrivacySharks’ Madeleine Hodson, the first to report the new leak, noted that while it appears simply to be a “cumulation of data from previous leaks,” that data could still include private as well as public information. What’s more, Hodson observed, the email addresses and phone numbers in the leak can easily be leveraged for email or phone scams, spam campaigns, and identity theft.
“Brute force attacks are also something that LinkedIn users affected by the leak will need to be aware of,” Hodson added. “Using email addresses provided in the records, hackers may attempt to access users’ accounts using various combinations of common password characters.” In response, Hodson urged all LinkedIn users to update their passwords and enable two-factor authentication.
RestorePrivacy examined the sample posted online and found that it does appear to be authentic, linked to real users, and up to date. “While we did not find login credentials or financial data in the samples we examined, there is still a treasure trove of information for bad actors to exploit for financial gain,” RestorePrivacy’s Sven Taylor wrote.
Taylor observed that, since LinkedIn boasts 756 million members worldwide, the leak appears to include information on fully 92 percent of the company’s user base.
LinkedIn API, Other Sources
While the hacker, who goes by TomLiner, told RestorePrivacy he accessed the data by exploiting LinkedIn’s own API to harvest user information, LinkedIn said not all of the leaked data could have been acquired via the API, and that some of it likely came from other sources.
Further reading: How to Control API Security Risks
It’s also unclear exactly how much information is included in the data. RaidForums member xSnorlax complained earlier today about the accuracy of TomLiner’s claims, noting, “I’m about halfway with the downloads, and tbh, it’s not looking too good, 100 compressed files with about 500,000+ lines in each of them. That’s 50mil lines, not 700m. I would recommend staying clear for now.”
The same person later added, “Tom sent me another URL to download parts 100-400. At 400 compressed files, 500K entries each, that’s still only 200mil entries.” Soon after, xSnorlax reported, “I’ve checked the files, and I would say only 30%-40% of the lines contained e-mail information. As reports have stated, this is likely scraped instead of a breach.”
If so, there’s still a market for that information. ImmuniWeb founder, CEO and chief architect Ilia Kolochenko told eSecurity Planet that a grey market for scraped data has been in place for several years, “attracting diversified buyers from banal spammers to sophisticated hacking groups who search for up-to-date records to launch large-scale phishing and social engineering campaigns.”
The incident follows an earlier claimed leak of 500 million LinkedIn records two months ago. At the time, LinkedIn claimed that the data had been aggregated from several different websites and companies, including “publicly viewable member profile data that appears to have been scraped from LinkedIn.” The company added, “This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”
LinkedIn had a similar response to the recent leak. “We want to be clear that this is not a data breach and no private LinkedIn member data was exposed,” the company said in a statement published yesterday. “Our initial investigation has found that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year.”
The statement also noted that any misuse of LinkedIn members’ data, including scraping, violates the company’s terms of service. “When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable,” the company said. In a separate notice, LinkedIn said it’s “constantly working to improve our technical measures and defenses against the operation of scraping, automation, and other tools that abuse LinkedIn’s platform.”
Based on the events of the past few months, it appears those defenses are insufficient. Qualys CISO Ben Carr told eSecurity Planet that all platforms should be constantly reviewing and logging where their data resides and how it’s accessed. A site like LinkedIn, Carr said, needs to “make sure that access through APIs is secure, identify anomalous activity, shut it down, and ensure that proper controls like multifactor authentication are in place.”
A Wake-Up Call for Social Media Users
Charles Brook, threat intelligence specialist at Tessian, told eSecurity Planet that the incident should serve as a huge wake-up call for users to recognize the vulnerability and malleability of their data. “While credit card data, private messages and other sensitive information were not leaked, there are still significant security ramifications that LinkedIn users should consider,” he said.
The names, genders, email addresses, phone numbers and industry information in the data, Brook said, could easily be leveraged by hackers to launch targeted attacks. “Convincing social engineered attacks can trick people into wiring large amounts of money or sharing sensitive information,” he said. “While the leaked data might have already been publicly accessible information, this serves as a reminder to know where your data lives online, what you share and who has access to it.”
A recent Tessian survey of 4,000 working professionals found that fully 84 percent of respondents post on social media every week, and 42 percent do so every day. “This leak should also prompt people to take inventory of their social profiles and set them to private to better control who can view posts and content,” Brook said. “Bottom line? It’s important to be aware of how the information you share online can be used against you in order to avoid falling victim to a social engineered attack.”