LinkedIn confirmed Thursday that 500 million LinkedIn profiles was put on sale on a hacker forum.
Cybernews first broke the news, reporting that the hacker leaked four files that contained the full names, email addresses, phone numbers and workplace information of the LinkedIn users. LinkedIn released a statement saying that the company investigated the data posted for sale by the threat actor, and while it does include publicly-viewable member profile data that appears to have been scraped from LinkedIn, “this was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”
Javvad Malik, security awareness advocate at KnowBe4, said LinkedIn has become one of the most impersonated brands when it comes to phishing, and having access to such a treasure trove of information can help facilitate convincing phishing and social engineering attacks.
“The saving grace here, to a degree, is that this all appears to be publicly-accessible information, Malik said. “So, while it may not disclose anything that could not have already been obtained, having all the information in one repository does make it very useful to attackers. Users should always be wary of emails which appear to originate from LinkedIn or other social media networks, and rather than following links, navigate directly to the website to read any messages or to respond to notifications.”
Michael Isbitski, technical evangelist at Salt Security, said all the data leaked are forms of personal indentifiable information, and the exposure of such data certainly results in potential privacy impacts. Isbitski said similar to the recent Facebook leak earlier in the week, the hacker leaked older data. It also appears to have been scraped from other sites in addition to LinkedIn public user profile information.
“On the severity spectrum of leaks, this is relatively lower since much of the data could likely be gathered through traditional reconnaissance techniques like internet searches and querying social media platforms, Isbitski said. "We see many cases of content scraping attacks against organizations where data that’s considered public or limited use suddenly becomes privacy-impacting when it’s pieced together or represents a significant chunk of the total user base.”
Dirk Schrader, global vice president, security research at New Net Technologies, said social media data serves both as the “new oil” for the social media giants and sheer gold for any cybercrime gang trying to use the details for phishing campaigns, CEO fraud, and identity theft, especially since LinkedIn sees itself as a professional network.
“For those LinkedIn users affected by it, the only option is to tighten their security, and for companies to raise security awareness once again,” he said.