LinkedIn Leaks 93% of Users’ Data—Refuses Blame for Breach

LinkedIn is fighting a crescendo of criticism over a huge data breach, which is being sold by criminals. The firm’s PR people claim it’s not, in fact, a breach—nothing to see here, move along.

When is a breach not a “breach”? When the data came from scraping the site, apparently—just like the previous huge breach in April. The Microsoft-owned PR team hopes we’ll ignore the fact that LinkedIn should have detected the scraping and shut it down.

Instead, countless users get to suffer yet more spam, phishing, ID theft, stalking, doxxing and other nasties. LinkedIn doesn’t care. In today’s SB Blogwatch, we’ve had it with this sociopathic company.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Precious.

MSFT PR FAIL

What’s the craic? Madeleine Hodson breathlessly claims an “Exclusive: 700 Million LinkedIn Records For Sale on Hacker Forum”:

Identity theft
Things are not looking good for LinkedIn. … Just two months after a jaw-dropping 500 million profiles … were put up for sale on a popular hacker forum, a new posting with 700 million LinkedIn records has appeared.

[We] have viewed the sample and can confirm that the damning records include information such as full names, gender, email addresses, phone numbers, and industry information. … It seems as though the records are, once again, a cumulation of data from previous leaks. However, this could still include information from both public and private profiles.

The leaked information poses a threat to affected LinkedIn users. … Individuals could become the target of spam campaigns, or worse still, victims of identity theft. … Using email addresses provided in the records, hackers may attempt to access users’ accounts using various combinations of common password characters.

And Paul Wagenseil adds detail—“Collected data makes it easier for spammers, phishers and stalkers”:

Your data is probably part
The data includes full names, workplace email addresses, dates of birth, workplace addresses, mobile phone numbers, Facebook and Twitter … links, job title, regional location and, in some cases, specific GPS coordinates. … Anyone who provided all that information on their LinkedIn page is likely to get more spam [and] phishing.

Specific GPS coordinates … could be useful to stalkers and burglars. … It may be that those users … were not aware that the app could have grabbed their GPS data … and uploaded it to LinkedIn. … We found coordinates that zeroed in on specific addresses.

That’s pretty serious. It means you or I could drive to those houses, pound on the doors and ask for the residents by name. [If they] also happened to provide their date of birth along with the required full name, then an identity thief could … fraudulently open accounts in that person’s name.

LinkedIn’s own website declares that it has 756 million users. … If you have a LinkedIn account, then your data is probably part of this.

Wow, so almost 93%—doubleyou tee eff? LinkedIn’s anonymous PR gnomes twist their underpants—“An update on report of scraped data”:

LinkedIn terms of service
Our teams have investigated a set of alleged LinkedIn data that has been posted for sale. We want to be clear that this is not a data breach.

This data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping update. … Misuse of our members’ data, such as scraping, violates LinkedIn terms of service.

Wait. Pause. What’s the difference? Ben Lovejoy fights back against spin:

Data breach
Pro tip: If someone is able to scrape hundreds of millions of records from your service without being detected, that is indeed a data breach.

It’s like a bank saying, “Actually, no-one broke into the bank and stole the money in your account. We just left it stacked up on the counter and someone picked it up and walked out with it.”
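Lovejoy's point is that bulk scraping which goes unnoticed is itself the failure. As an added illustration (not code from the article, from Lovejoy, or from LinkedIn), here is a defender-side check that flags any account or API key viewing an unusual number of distinct profiles inside a short window, run over constructed log lines; the log format, the ten-minute window and the threshold are assumptions.

```python
# Added example: flag actors that view an abnormal number of distinct
# profiles within a sliding time window. Log format, window and
# threshold are assumptions, not LinkedIn's real telemetry.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <actor> <profile viewed>"
SAMPLE_LOG = """\
2021-06-28T10:00:00 user_42 profile_1001
2021-06-28T10:00:01 user_42 profile_1002
2021-06-28T10:00:05 user_7 profile_1003
2021-06-28T10:00:06 apikey_zz profile_2001
2021-06-28T10:00:06 apikey_zz profile_2002
2021-06-28T10:00:07 apikey_zz profile_2003
2021-06-28T10:00:07 apikey_zz profile_2004
2021-06-28T10:00:08 apikey_zz profile_2005
2021-06-28T10:00:09 apikey_zz profile_2001
2021-06-28T10:30:00 user_42 profile_1004
"""

def parse_log(text):
    """Yield (timestamp, actor, profile) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def find_scrapers(text, window=timedelta(minutes=10), max_distinct=4):
    """Return {actor: peak distinct profiles seen in any window} for actors
    whose peak exceeds max_distinct. Repeat views of one profile count once,
    so a normal user re-reading a page is not penalised."""
    recent = defaultdict(deque)   # actor -> (ts, profile) pairs inside window
    flagged = {}
    for ts, actor, profile in sorted(parse_log(text)):
        q = recent[actor]
        q.append((ts, profile))
        while q and ts - q[0][0] > window:   # evict views older than window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_distinct:
            flagged[actor] = max(flagged.get(actor, 0), distinct)
    return flagged
```

In production the threshold would be tuned per role (recruiters legitimately view more profiles) and a hit would feed rate limiting or a step-up challenge rather than an outright block.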

So who’s telling the truth? Abishek_Muthian breaks it down:

Source of breach
If the attacker is telling the truth, then somehow the attacker has gained access to a privileged API of LinkedIn which gives out more fields than those listed in the official LinkedIn API doc.

If LinkedIn is telling the truth, then the source of breach is most likely one of the many data brokers who have been breached several times in the past.

Meh. bradley13 has a more cynical view:

Pay LinkedIn
Providing users’ data is what LinkedIn does. All of the data in this “breach” is data that users provided, with the expectation that it would be handed out to anyone interested in it. They should all be happy – now lots more people have their data :-/

This is a Terms-and-Conditions breach: Someone who “forgot” to pay LinkedIn for the privilege of getting the data.

So what happens next? Here’s rvz:

Using phone numbers for login
Now we will see an increase in SIM swapping attacks … and tons of fraud. … I hope they didn’t use their phone number to login to their bank, crypto exchange or other social media accounts. Using phone numbers for login should be completely discouraged.

Is using LinkedIn worth the risk? Tom doesn’t think so:

Not for me
I guess for most people who need to use LinkedIn for their career, giving up all the personal info to the company may be worth the risks. But not for me.

Meanwhile, with just the merest hint of sarcasm, SavageBeast reminds us Microsoft owns LinkedIn:

Kinda makes you want to transfer all your cloud ops to Azure, doesn’t it?

And Finally:

Today your face became a silhouette

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Gabriel Varaljay (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
