Personal data of LinkedIn users’ has been leaked online for sale owing to a massive LinkedIn hack. The hackers had compromised 500 million user data from the company’s database and released it in public for sale. This has been another significant data breach event following the recent Facebook hack where over 500 million user data had been spotted online.
Similar to the social media website Facebook, the LinkedIn hack has revealed various crucial information such as email IDs, profile IDs and other personally identifiable information (PII). The hackers had posted an archive bearing the data they said to have consisted of the LinkedIn IDs, professional titles, full names, phone numbers, email addresses and much more on a renowned hacker forum, a report in a news daily stated.
The hacked data sets of Linkedin had also included the links to the various LinkedIn profiles and the other social media profiles, mentions the report. It also stated that for proving the authenticity of the published data and giving an insight into the data hacked, the hackers had further leaked 2 million data owing to the proof-of-concept sample.
The hacker forum where the cybercriminals had published the information obtained via the LinkedIn hack lets the forum users view the samples against $2 forum credits. Nevertheless, the cybercriminal actors also seem to be auctioning off the gathered data’s crown jewel against a sum that is at the minimum of the four-digit range. The sum is most likely in the Bitcoin (BTC) equivalent, states the report.
“As the leaked data contains no payment card details and no passwords, it’s of less value to attackers and won’t sell for much on the Dark Web anyway,” Candid Wuest, Acronis vice president of cyber-protection research, said via email. “However, it does contain valuable personal information (workplace info, email, social account links), which is why it’s not published for free.”
The LinkedIn officials had confirmed that the platform’s data had been included in the database and said that the data leak was not in relation to a data breach of its system but had been scraped out from the LinkedIn website.
“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies” that includes “publicly viewable member-profile data that appears to have been scraped from LinkedIn,” the company said in a statement on its website, on Thursday.
“This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review,” according to the post.
The threat actors utilize scraping, a common tactic for siphoning the public information from the internet that they can later sell online to acquire profit. It may also be reused for conducting the malicious activity. However, the scraped data is most often repurposed for creating socially engineered phishing attacks, for committing identity theft, brute-forcing credentials or spam victims’ accounts. These are some amongst the many other nefarious activities.
LinkedIn has also commented the same as Facebook did that any misuse of the members’ data from the platform utilizing scraping techniques violates its terms of service and states that the company will be investigating the matter.
“When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable,” according to LinkedIn’s statement.
Yet, it is unclear if LinkedIn will be facing any regulatory troubles owing to the LinkedIn hack, like a violation of the GDPR or General Data Protection Rule. Based on the same type of incident, Facebook is currently facing an investigation by the IDPC or Ireland’s Data Protection Commission over the past data leak.
CyberNews has posted an online tool enabling LinkedIn users to check if their data had been leaked in the LinkedIn hack. Suppose they find their personal information through the tool. In that case, they need to be extra cautious in opening the suspicious text messages, emails and links concerning the senders that they do not recognize.
“It is not uncommon to see such datasets being used to send personalized phishing emails, extort ransom or earn money on the Dark Web – especially now that many hackers target job seekers on LinkedIn with bogus job offers, infecting them with a backdoor trojan,” said Wuest. “For example, such personalized phishing attacks with LinkedIn lures were used by the Golden Chickens group last week.”
Source: Threat Post
Disclaimer: Read the complete disclaimer here.