According to Ben Lovejoy, tech journalist for 9to5Mac, a hacker exposed the personal data of around 700 million users. This represents around 92 percent of the platform’s more than 756 million total users.
The data breach was discovered on June 22 when the hacker responsible advertised the sale of the data on a forum on the dark web. The hacker posted a sample of one million records on the dark web. From this sample, the data was confirmed to be genuine and up to date. Some of the personal information the hacker obtained include:
- Email addresses
- Full names
- Phone numbers
- Physical addresses
- Geolocation records
- LinkedIn usernames and profile URLs
- Personal and professional experience and background
- Connected social media accounts and usernames
- Inferred salaries
The hacker was not able to obtain the LinkedIn passwords of the users nor any financial records. But the above-mentioned data is still valuable as it exposes LinkedIn users to a higher risk of exploitation by bad actors.
The stolen data can be used for identity theft and to create full detailed profiles of their potential victims for convincing-looking phishing attempts or even for social engineering attacks.
Bad actors can also use the available data, particularly the usernames, emails and other personal information, to hack and gain access to other accounts. Once these bad actors get access to a person’s private data, there’s no getting it back.
The first breach of LinkedIn data occurred in early April, and the data of around 500 million users was scraped from the site. The company said the breach also scraped information from other websites. (Related: Massive data breach leads to leak of 533 million Facebook user accounts, but Facebook won’t even alert its own users.)
Hacker acquired data through LinkedIn’s API
Restore Privacy journalist Sven Taylor was able to interview the hacker responsible for the data breach. The latter claims the data was obtained by exploiting LinkedIn’s API, or application programming interface.
An API is a set of functions that allow developers to easily interact with applications and websites. If a developer wants to make changes to LinkedIn, an API can help him process the changes and input them in the appropriate areas. This saves developers a lot of time and reduces the amount of code they need to create.
During a short interaction on the messaging service Telegram, Taylor explained that the hacker demanded $5,000 for the complete data set that showed how he was able to obtain the data through the LinkedIn API.
But in an email with a LinkedIn spokesperson, the company said not all of the data could have been acquired through the LinkedIn API. Instead, the company believes at least some of the data was likely obtained by scraping public information available on other platforms.
In a statement, the company said:
“Our teams have investigated a set of alleged LinkedIn data that has been posted for sale. We want to be clear that this is not a data breach and no private LinkedIn member data was exposed. Our initial investigation has found that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping update.”
Taylor points out that LinkedIn’s definition of what constitutes “private data” is most likely very subjective. The company’s statement is also not denying that some data was harvested from its servers.
As of press time, all of the data the hacker stole from LinkedIn is still up for sale on the dark web.
Learn more about how hackers can acquire people’s personal data from websites like LinkedIn by reading the latest articles at PrivacyWatch.news.