What the scraped data of 500 million LinkedIn users being sold online means for Aussie users


A recent report states that an archive containing data purportedly scraped from 500 million LinkedIn profiles has been put up for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample. Jacqueline Jayne, Security Awareness Advocate, KnowBe4 APAC, provides an update on what this means and how Australian LinkedIn users can protect themselves:

“Data scraping is a technique in which a computer program extracts data from human-readable output coming from another program. This kind of information is publicly visible on a website. What we are seeing here is a large database or collection of this data being sold for nefarious reasons. A data breach, on the other hand, is where non-publicly visible information is stolen via unauthorised methods.

What can scammers and hackers do with the information that is on the list?
With your phone number, LinkedIn ID, full name, email address, links to your other social media profiles and naturally professional titles and other work-related data, you are a target for social engineering, spam marketing and account takeovers.

This group of personally identifiable information (PII) can be used for verification purposes.  Many times when your bank, telco or healthcare provider calls they ask you some verification questions to which these provide answers.  In addition to that this kind of information can be used in social engineering.

Here, scammers and hackers can use this information to build a profile of you.  They could look for additional publicly available information on LinkedIn or other social media apps and craft a very convincing email designed to trick you into believing something that is not true.  For example, you might receive a call from someone pretending to be from your high school wanting to connect again after such a long time or if you are single you might be targeted by romance scammers.  Take a moment to think about how much information we share about ourselves across social media, the internet and the sheer volume of previously breached data that is available.  There is a high chance that our online profiles are robust and full of information that can be used to trick and manipulate us.

How can you protect yourself?
Update your LinkedIn password and make sure you have activated two-factor authentication (2FA).  There are three options to choose from and if you don’t have a physical security key, go with the second option and set up a third-party authentication app such as Google Authenticator which will generate a 6-digit code to support your login. https://www.linkedin.com/help/linkedin/answer/544/turn-two-step-verification-on-and-off?lang=en

While you’re at it, take the opportunity to update other passwords, check privacy settings and set up 2FA wherever you can.
Check to see if your email address(es) have been caught up in this or any past data breach (https://haveibeenpwned.com/).

Be hyper-vigilant if you are asked to share or confirm any of your personal information via incoming communication channels such as SMS, phone calls and emails.  If you are making direct outgoing contact via official channels (phone or app or website) to your bank, telco, healthcare provider etc. the verification process is safer as you have made contact with them (not the other way around).  It is important to remember that scammers and hackers will create very convincing emails that look like they are coming from well-known brands.  If you do receive such an email, don’t click on anything, reply to it or open any attachment.  Rather, leave your inbox, go to your internet browser and search for the official website and pick up the phone to validate the email.”