700 Million 'Scraped' LinkedIn User Records Offered for SaleSocial Media Platform Says No Private Data Exposed
Some 700 million records of LinkedIn users have been offered for sale on the hacker forum RaidForum, the news website PrivacySharks reports. The social media platform, and several security experts, say that the offering stems from the "scraping" of records from websites and not a data breach.
The records offered for sale include information such as full names, gender, email addresses, phone numbers and industry information, Privacy Sharks reports.
"We want to be clear that this is not a data breach and no private LinkedIn member data was exposed," Microsoft-owned LinkedIn tells Information Security Media Group. "Our initial investigation has found that this data was scraped from LinkedIn and other various websites, and includes the same data reported earlier this year in our April 2021 scraping update."
Records of users of LinkedIn, Facebook and Clubhouse were discovered for sale in April.
"Members trust LinkedIn with their data, and any misuse of our members’ data, such as scraping, violates LinkedIn terms of service," LinkedIn says. "When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable."
When asked to provide risk mitigation measures, the Sunnyvale, California-based company pointed to a help page that lists prohibited software and extensions.
Tracing the Exposure
Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela, says the LinkedIn records offered for sale appear to have been obtained via an API offered by GrowthGenius, which can be used to run searches on 572 million LinkedIn records, among other types of information.
"We have obtained the sample records shared by the threat actor," Kivilevich says. "According to our review of the headers of the fields available in the data set, we assess with high confidence that it was scraped using this API."
GrowthGenius didn’t immediately respond to a request for comment.
Echoing Kivilevich, Paul Bischoff, privacy advocate at technology company Comparitech, says the stolen user data now being offered for sale was not exfiltrated from a private or secure source, but was taken from publicly accessible LinkedIn web pages using an automated scraper.
"Scrapers are bots that sift through a site's pages one by one, copying and pasting text and other information into a database," he says. "To LinkedIn, scrapers are often indistinguishable from legitimate users, which makes it very difficult to block them. No matter what LinkedIn says about enforcing its terms of service, the truth is that scrapers won't be stopped any time soon. Facebook and other social networks similarly struggle to block scrapers, and Facebook is reportedly trying to normalize the practice after hundreds of millions of its users' profiles were scraped and dumped online."
Although scraping is against most social networks' terms of service, using scrapers isn't illegal, Bischoff says. "There are many people who argue that any information that's publicly accessible is fair game for scrapers, and that scrapers can be used for legitimate purposes such as academic research and journalism," he adds.
Create a Policy
Because of the risk posed by potential scraping of information posted, organizations should create a clear policy on what information employees can and cannot share on social media, blogs or through other communication, says Jerry Gamblin, director of security research at Kenna Security and founder of the Mid-Missouri Open Web Application Security Project Foundation.
For example, posting of company names and job titles is acceptable, as are professional photos of employees, says Morey Haber, CTO and CISO of the security firm BeyondTrust. But details about work projects or travels should not be posted, he says.
Although government agencies can set strict policies on social media postings, companies cannot enforce such policies unless a posting violates local laws or can be proven to be harmful to the business, he adds.
While reviewing public information on social media is well within the rights of employers, asking for access to private social networking accounts is not acceptable, says Gamblin, who is also a former security specialist for the Missouri House of Representatives.
"The primary difference is based on intent," he says. "It is unwarranted if additional steps are taken to observe things that were private behind a secure login without the user's consent."
The Association of Certified Fraud Examiners has published a social media policy template that can be adapted to individual companies.
Haber warns against posting on business-related social media profiles photos or content that are inflammatory to the business or peers. He also urges avoiding posting anything that might be used to compromise cybersecurity, such as photos of office desks, bulletin boards or even the security desk in a building.
To successfully take over a social media account, threat actors don’t need login credentials exclusively - they can use fragments of information collected through data scraping and deploy a botnet to try all the various combinations until they get in, says Edward Roberts, director of strategy (application security) at cybersecurity company Imperva. He notes that this is because bad bots are much faster than humans at repetitive tasks, hence 40.8% of all internet traffic last year was not human at all.
Citing Imperva Research Labs research , Roberts says 2021 is forecast so see a repeat of 2020’s 220% year-on-year growth in data leakage incidents, largely resulting from automated threats similar to the LinkedIn data scrape enabling increased incidences of account takeover and credential stuffing attacks.