Personal data from more than 500 million LinkedIn users has been posted for sale online in yet another incident of threat actors scraping data from public profiles and slinging it online for potential cybercriminal misuse.
Hackers posted an archive containing data they said includes LinkedIn IDs, full names, professional titles, email addresses, phone numbers and other personally identifiable information (PII) on a popular hacker forum, according to a report in CyberNews on Tuesday.
The LinkedIn leak comes on the heels of another substantial leak of personal data from more than 533 million Facebook users last weekend.
The data set also includes links to LinkedIn profiles and other social-media profiles, according to the report. Moreover, to prove the authenticity of the info and provide a teaser of the data inside, the hackers responsible also leaked another 2 million records as a proof-of-concept sample, the report said.
Users on the forum can view the leaked samples for about $2 worth of forum credits. However, the threat actor also appears to be auctioning off the crown jewel of the leak — the 500-million-user database — for a sum that is at least in the four-digit range, most likely in a Bitcoin equivalent, according to the report.
“As the leaked data contains no payment card details and no passwords, it’s of less value to attackers and won’t sell for much on the Dark Web anyway,” Candid Wuest, Acronis vice president of cyber-protection research, said via email. “However, it does contain valuable personal information (workplace info, email, social account links), which is why it’s not published for free.”
LinkedIn Confirms Data
LinkedIn officials confirmed that data from the platform was included in the leak and, like Facebook officials before them, said it was not due to a breach of its system but instead was scraped from the LinkedIn site.
“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies” that includes “publicly viewable member-profile data that appears to have been scraped from LinkedIn,” the company said in a statement posted on its website on Thursday.
“This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review,” according to the post.
Scraping is a common tactic used by threat actors to siphon public information from the internet that can then be sold online for profit and reused for malicious activity. Scraped data is often repurposed to create socially engineered phishing attacks, to commit identity theft, brute-force credentials or spam victims’ accounts, among other nefarious activity.
LinkedIn also echoed Facebook’s comments that any misuse of platform members’ data by scraping violates its terms of service, and said the company will be investigating.
“When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable,” according to LinkedIn’s statement.
It’s unclear at this time whether LinkedIn will face regulatory troubles due to the leak, which — depending on when it occurred and where the affected users reside — could be in violation of the General Data Protection Regulation (GDPR). The GDPR is a European Union regulation that went into effect in May 2018 and mandates that companies disclose data breaches within a certain period of time or face penalties. Facebook currently faces an investigation by Ireland’s Data Protection Commission (IDPC) over the earlier leak.
CyberNews has posted an online tool so people can check whether their data was leaked in the most recent LinkedIn incident. If it was, they should be extra cautious about opening suspicious emails, text messages or links from senders they don’t recognize.
“It is not uncommon to see such data sets being used to send personalized phishing emails, extort ransom or earn money on the Dark Web – especially now that many hackers target job seekers on LinkedIn with bogus job offers, infecting them with a backdoor trojan,” said Wuest. “For example, such personalized phishing attacks with LinkedIn lures were used by the Golden Chickens group last week.”