LinkedIn Denies Massive Data Breach


Staff Writer

A hacker posted the personal information of 700 million LinkedIn users on the darknet last week. That data was obtained through the LinkedIn application programming interface (API) and other external sources. It is the second significant cybersecurity incident this year on the professional networking platform.

On June 22, a hacker began advertising data from LinkedIn accounts on RaidForums. Saying data from 700 million users (or 92% of all LinkedIn users) was available for sale, the hacker provided a sample of a million records as proof.

The data available included email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn usernames and profile URLs, personal and professional experience, gender, and other social media accounts and usernames.

Login credentials and credit card details held by LinkedIn were not included in the list of available data.

Earlier this year, LinkedIn made the news when hundreds of millions of user details were also posted for sale on a darknet forum. At the time, LinkedIn denied a data breach had occurred. The social media giant said the information was an aggregation of data from multiple websites and companies. But LinkedIn admitted it also included publicly viewable member profile data that was scraped from user profiles.

On Tuesday, LinkedIn also denied a data breach had occurred. In a statement, the company said:

“Our initial investigation has found that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping. We want to be clear that this is not a data breach and no private LinkedIn member data was exposed.”

Principal security strategist at Synopsys, Tim Mackey, says while the cybersecurity breach may not constitute a data breach, the misuse of LinkedIn’s API leaves millions of LinkedIn users open to identity theft, phishing attempts, social engineering attacks, and hacked accounts.

“Data loss is data loss,” Mackey says. “Where legitimate users care about terms of service, criminals won’t. This is an important detail for anyone exposing an API on the internet – it’s only a matter of time before your APIs are discovered and abused.”

As organisations shore up their cybersecurity defences following several recent high-profile data breaches, Mackey suggests hackers will shift their focus to abusing legitimate access methods, such as the APIs businesses provide, to access data.

Alex Balan, Director of Security Research at Bitdefender, says users can expect their personal data to be disseminated.

“Information we are constantly sharing with an increasing number of people, social media networks and organizations. It’s only a matter of time before this information is exposed to cybercriminals,” he says.

Balan says social media companies like LinkedIn continue to get better at preventing scraping bots and other information-gathering tools. But he argues social media platform users need to be informed and remain careful about personal data they submit.

“The most basic and imperative action is to know when that happens. Be mindful of your constantly growing (and never shrinking) online dossier/file.

“It’s our job as informed consumers to be aware of the information we expose publicly and how cybercriminals can use it in a worst case scenario.”