Earlier this week, Facebook was involved in a massive data breach that compromised the personal data of 533 million users. Now, there is news of another huge data leak involving LinkedIn with 500 million users’ data being compromised, according to reports.
Information that has been leaked includes full names, email addresses, phone numbers, genders, links to LinkedIn profiles, links to other social media profiles, professional titles, and other work-related data. The report further added that it is not clear whether the threat actor is selling the updated LinkedIn profiles or whether the data has been aggregated from the previous breach suffered by LinkedIn.
“Members trust LinkedIn with their data, and we take action to protect that trust,” said a LinkedIn representative in a statement. “We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies. It does include publicly viewable member profile data that appears to have been scraped from LinkedIn.
“This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review. Any misuse of our members’ data, such as scraping, violates LinkedIn terms of service. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”
In response to the recent breach, George Papamargaritis, MSS Director at Obrela Security Industries, says: “In the last week we have witnessed two of the world’s leading social platforms suffer data disclosures as a result of website scraping. Both incidents highlight the lengths and time cyber criminals will put into building profiles on internet users to carry out attacks or sell their data.
“LinkedIn is still investigating the breach, but it will be interesting to see how it responds to the incident and whether it believes users that have been impacted need to be informed. Anyone who has been impacted by this latest incident should be extra vigilant for phishing attempts, where cybercriminals will use the information obtained to make their scams look genuine. While no financial information was stolen, cybercriminals could use the information to tailor phishing scams to make them feel more authentic, which will provide them with an avenue to monetise the data.”
Preventing website scraping
While social media companies do have tools in place that aim to prevent scraping on their platforms, it still remains an issue for many organisations. Lewis Jones, Threat Intelligence Analyst at Talion, adds: “Completely preventing website scraping can be difficult; Facebook has found this and had to make significant changes to how its platform worked to minimise this.
“Ultimately, it becomes a balance between how much information you want to make publicly available and locking down your website. The simplest way to prevent a website from being scraped is to block multiple requests from the same IP address. Other methods like requesting login credentials for access, using CAPTCHAs, and changing the website’s HTML settings regularly can also be effective.”
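The first control Jones mentions, blocking repeated requests from the same IP address, is most commonly implemented as a per-client rate limiter. The following is an added example (not code from the article, from LinkedIn, or from any of the companies quoted) showing a sliding-window limiter replayed over a constructed access log; the log format, the threshold of 5 requests per 60 seconds, and the function names are all assumptions made for illustration.

```python
"""Per-source-IP rate limiting replayed over constructed web request logs.

Added example, not code from the article or the companies quoted in it.
Implements the "block multiple requests from the same IP address" control
as a sliding-window limiter: each client IP may make at most max_requests
requests within any window_seconds span; further requests are answered
with HTTP 429 until old requests age out of the window.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque

# Constructed sample access log, "<ip> <unix_time> <path>" (not real data).
SAMPLE_LOG = """\
203.0.113.7 1617700000 /in/alice
203.0.113.7 1617700001 /in/bob
203.0.113.7 1617700002 /in/carol
203.0.113.7 1617700003 /in/dave
203.0.113.7 1617700004 /in/erin
203.0.113.7 1617700005 /in/frank
198.51.100.2 1617700005 /in/alice
203.0.113.7 1617700070 /in/grace
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+)$")


class SlidingWindowLimiter:
    """Allow at most max_requests per client key within any window_seconds span."""

    def __init__(self, max_requests: int, window_seconds: int) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        # One deque of accepted request timestamps per client key (here, the source IP).
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: int) -> bool:
        """Record a request at time `now`; return True if it is within the limit."""
        q = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over budget: reject and do not record it
        q.append(now)
        return True


def classify_requests(log_text: str, max_requests: int = 5,
                      window_seconds: int = 60) -> list[tuple[str, int, str, int]]:
    """Replay a log through the limiter; return (ip, time, path, status) per line.

    status is 200 for allowed requests and 429 for rate-limited ones.
    """
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        ip, ts, path = m.group(1), int(m.group(2)), m.group(3)
        status = 200 if limiter.allow(ip, ts) else 429
        results.append((ip, ts, path, status))
    return results


def blocked_counts(results: list[tuple[str, int, str, int]]) -> dict[str, int]:
    """Count 429 responses per IP, e.g. to alert on likely scraping sources."""
    counts = defaultdict(int)
    for ip, _, _, status in results:
        if status == 429:
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    replay = classify_requests(SAMPLE_LOG)
    for ip, ts, path, status in replay:
        print(f"{ip:14} {ts} {path:12} -> {status}")
    print(blocked_counts(replay))
```

In the replay, the sixth request from 203.0.113.7 inside the window is rejected, the request from a different address is unaffected, and the same client is allowed again once its earlier requests have aged out. Keying on IP alone has a known limitation: many legitimate users share one address behind corporate or carrier NAT, and a determined scraper can spread requests across many addresses, which is why the quote also lists login requirements and CAPTCHAs as complementary layers; where an authenticated session exists, keying the limiter on the account rather than the IP is usually the more accurate choice.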
Niamh Muldoon, Global Data Protection Officer at OneLogin, raises the argument that, because all of this information is already in the public domain, it is questionable whether this technically counts as an unauthorised disclosure, incident or breach. Muldoon continues: “On the other hand, the consent to use this contact information is clearly where the privacy is breached, as these impacted individuals will not have given permission for their data to be shared and/or used for the various sales or marketing activities and worryingly, for dark web activities such as social engineering and phishing.
“Trust and Security brand leaders will always be fully transparent as to the use of contact information, including consent, and take proactive measures to protect their end-users’ and customers’ contact data. It is their responsibility to do so in order to prevent cybersecurity risks such as phishing and/or other social engineering threats.”
Sam Curry, Chief Security Officer at Cybereason, says: “The challenges of protecting data are growing exponentially because the problem is one of rates. The attackers are improving their proficiency at a faster rate than defenders, and what you are seeing now is the result of that being true for a while. We must find a way to leap ahead in defence and to change the rates or this will become a major drag on the tech engine for our economy.”
“While it initially appears that no sensitive information, such as financial data, has been obtained, LinkedIn IDs, full names, email addresses and phone numbers do appear to have been collected by the attackers. My advice for users who may be affected is to change your password to a strong password, enable two-factor authentication, be wary of unexpected connection requests, be wary of phishing emails/messages and finally ensure you keep anti-virus software up to date.”