92% of LinkedIn users’ data found on hacker site for sale

A second massive LinkedIn breach reportedly exposes the data of almost 700m of the total 756m users.
1 July 2021

700m LinkedIn users’ data found on hacker site for sale. (Photo by JUSTIN SULLIVAN / GETTY IMAGES NORTH AMERICA / Getty Images via AFP)

  • The database is for sale on the dark web, with records including phone numbers, physical addresses, geolocation data, and inferred salaries
  • LinkedIn, however, denied any compromise of data, as it did after a similar occurrence just two months ago

Not long after we learned that more than 500 million LinkedIn accounts were scraped, a report yesterday revealed a second round of data exposure that saw almost 92% of the professional networking platform’s users’ data exposed and sold on the dark web, with records including phone numbers, physical addresses, geolocation data, and inferred salaries.

Reports indicated that the hacker who obtained the data has posted a sample of one million records, and checks confirm that the data is both genuine and up-to-date. According to reports by RestorePrivacy, the hacker appears to have misused the official LinkedIn API to download the data, the same method used in a similar breach back in April.

“On June 22, a user of a popular hacker forum advertised data from 700 million LinkedIn users for sale. The user of the forum posted up a sample of the data that includes one million LinkedIn users. We examined the sample and found it to contain the following information: e-mail addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn username and profile URL, personal and professional experience/background, genders, other social media accounts, and usernames.

“Based on our analysis and cross-checking data from the sample with other publicly available information, it appears all data is authentic and tied to real users. Additionally, the data does appear to be up to date, with samples from 2020 to 2021. We reached out directly to the user who is posting the data up for sale on the hacking forum. He claims the data was obtained by exploiting the LinkedIn API to harvest information that people upload to the site,” the report stated.

Although no passwords are included, as the site notes, it is still valuable data that can be used for identity theft and convincing-looking phishing attempts that can themselves be used to obtain login credentials for LinkedIn and other sites.

LinkedIn denies, again

For the previous breach, LinkedIn did confirm that the 500 million records included data obtained from its servers, but claimed that more than one source was used. This time around, the company has issued a similar statement. “Our teams have investigated a set of alleged LinkedIn data that has been posted for sale. We want to be clear that this is not a data breach and no private LinkedIn member data was exposed,” the company said in a note posted on its website. “Our initial investigation has found that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping update.”

Regardless of how the data ended up in the hands of a seller on one of the most notorious data marketplaces around, it’s still a potentially huge problem for the 700 million people whose details are included. Frankly, when a user publishes information about themselves online, the reality is that it’s out there for anyone who happens upon it to read, download, store and analyze. The only thing standing in the way is a site’s terms of service (ToS).

LinkedIn notes that its ToS does expressly prohibit data scraping and the company has shown a willingness to litigate — most notably against the “data analytics” startup hiQ. The 9th US Circuit Court of Appeals ruled data scraping was legal in 2019. LinkedIn pushed the case all the way to the US Supreme Court, which earlier this month threw out the lower court’s original ruling. LinkedIn will now have another chance to plead its case in the 9th Circuit.