SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
600 million profiles for sale on hacker forum - Third LinkedIn scrape in four months
Tue, 13th Jul 2021

LinkedIn has experienced another huge data scrape, the third in four months, with 600 million profiles for sale online.

The LinkedIn profile data is for sale on a hacker forum for an unknown sum, and this time the threat actor claims the information is better than the last batch. They have shared samples that include full names, email addresses, and social media links, among other details.

While the data may be publicly available, all that information on hand makes it easy for malicious actors to quickly and conveniently choose social engineering targets with impunity.

Despite this, LinkedIn is unwilling to treat data scraping as a security issue.

“Our teams have investigated a set of alleged LinkedIn data that has been posted for sale. We want to be clear that this is not a data breach and no private LinkedIn member data was exposed,” LinkedIn said in a June statement following the data scrape of 700 million profiles.

Notably, LinkedIn has taken legal action against the talent management company hiQ Labs, which scrapes public LinkedIn data for employee information. hiQ Labs has contended that a ruling against data scraping could profoundly impact open access to the Internet.

The sample provided by the forum post author contains 632,699 LinkedIn profile entries, which include 154,204 user email addresses.

The data in the sample includes:

  • LinkedIn IDs
  • Full names
  • Email addresses
  • Phone numbers
  • LinkedIn profile URLs
  • Links to other social media profiles
  • Gender
  • Birthdates
  • Locations
  • Professional titles and other work-related data

The data can be used by threat actors in a number of ways. Phishers and spammers often use data acquired from scrapers to find new victims. For example, they might extract scraped public contact details and use them for robocalls, spam lists, and social engineering attacks, in which they can manipulate users into revealing their personal information and banking details.

Many web applications use scraping mitigation tools to help protect against hostile data collection by bots and threat actors. So far, LinkedIn hasn't implemented any robust anti-scraping measures.