An individual is selling the data of 500 million LinkedIn profiles on a popular cybercriminal forum, according to news reports.
The leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more, according to CyberNews.
Users on the forum could view the leaked samples for about $2 worth of forum credits and the threat actor was auctioning the 500 million user database for at least a 4-digit sum. The threat actor claimed the data was scraped from LinkedIn. CyberNews was able to confirm this claim by looking at the samples provided on the hacker forum. LinkedIn later forming that the data for sale was not acquired as a result of the data breach and is aggregation of data from a number of websites and companies.
Other threat actors are looking to profit from this data leak. A new collection of databased was put on sale on the same cybercriminal forum by another users, for $7,000 worth of bitcoin. The threat actor claims he has obtained the original 500-million database and six other archives that purportedly include 327 million scraped LinkedIn profiles.
If true, CyberNews says, “this would put the overall number of scraped profiles at 827 million, exceeding LinkedIn’s actual user base of 740+ million by more than 10%. This means that some, if not most, of the new data sold by the threat actor might be either duplicate or outdated.”
Michael Isbitski, Technical Evangelist at Salt Security, explains, “It was confirmed that the leaked LinkedIn data set contains member IDs, full names, email addresses, phone numbers, genders, job titles, workplace information, and potentially other identifying data. These are forms of PII, and the exposure of such data certainly results in privacy impacts. Similar to the recent Facebook leak, some of the data may be older. It also appears to have been scraped from other sites in addition to LinkedIn public user profile information. LinkedIn has stated that the data it is not the result of a breach. On the severity spectrum of leaks, this is relatively lower since much of the data could likely be gathered through traditional reconnaissance techniques like internet searches and querying social media platforms.”
Isbitski adds, “We see many cases of content scraping attacks against organizations where data that is considered public or limited use suddenly becomes privacy impacting when it is pieced together or represents a significant chunk of the total user base. Attackers use the same APIs that power web and mobile applications to extract the data. They also leverage automation to grab the data at scale and aggregate it, making it useful for other attack techniques such as brute forcing, credential stuffing, phishing, social engineering, and spamming. An attacker does not have explicit authentication material like passwords with this leaked data set, but they may be able to make educated guesses based on the various PII. Email addresses are often used as user names in social media platforms, so an attacker already has one piece of the puzzle for targeting authentication mechanisms.”
And, unfortunately, individuals are limited in what they can do here, Isbitski explains. “The usual best practice of closely watching for identity theft and fraudulent transactions applies. Some of us may still have identity monitoring as carryover from other breaches, or you get such service from your bank or credit card company. Scraped data sets have become the norm since we willingly share a lot of information with internet sites and social media platforms already, and this rich data is an attractive target for attackers. The social media platforms do monitor for many types of abuse including content scraping, but stealthy attackers can also gather data slowly over time to avoid detection.”
Isbitskii suggests individuals check sites like https://haveibeenpwned.com/ and https://cybernews.com/personal-data-leak-check/ to verify if their phone number or email address was part of this leaked data set or others. “Some organizations may opt to advise their employees to reset passwords, enable 2FA, or verify privacy settings for any accounts that were part of the leaked data set. A big deciding factor is whether the leaked data was business or personal use, but with LinkedIn it may be more of the former. An employer is limited in what they can enforce here since each individual is the owner of the account, and they have no oversight over LinkedIn data. Depending on the organization’s risk tolerance, it may be advisable to continue monitoring employee consumption of such social media services from corporate networks and/or during business hours. Organizations should also ensure they have an appropriate API security strategy in place to protect their own employee and customer data from content scraping or other targeted attacks.”
Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), says, “This scraping of data from LinkedIn is a reminder of that incident a few years back, where Facebook had the same problem with Cambridge Analytica. Apparently, it is a bit bigger now for LinkedIn.
“Social media data is not only the ‘new oil’ for the mentioned giants, it is also gold for any cyber crime gang trying to use the details for phishing campaigns, CEO fraud, identity theft and quite a few other malicious ways, especially as LinkedIn sees itself as a professional network. For those LinkedIn users affected by it, the only option is to tighten their security, to raise the awareness once again, (battle the [cybersecurity] fatigue of employees). Corporations should – if not yet in place – implement the essential technical controls mandated by NIST and CIS [https://www.newnettechnologies.com/secure-controls-framework.html] now,” Schrader says.
“We are long past the time of ‘if it will happen’, and leaks like this will only shorten the time remaining in which a cybercriminal will attack the organization with a well prepared script,” he adds. “The cyber resilience posture of a company will be tested, and the best way to be prepared for that is to be aware of what you have, how you use it and for what, gain control about how any change on the devices you use. Simplified, ring-fencing your digital assets with an extra-large firewall won’t protect you. Your business processes depend on digital assets, so you need to be aware of what are the critical processes and assets and have the appropriate protection embedded.