700 million people exposed in LinkedIn data scrape: What to Do Now

Data scraped from the LinkedIn profiles of nearly 700 million people, or more than 90% of LinkedIn's total membership, is being offered for sale on an online cybercrime marketplace.

The data includes full name, work email address, date of birth, work address, cell phone number, Facebook and Twitter IDs and links, job title, local location, and in some cases specific GPS coordinates, all of which appear to be publicly accessible from users' LinkedIn profile pages.

Those who provide all this information on their LinkedIn page may receive more spam, become targets of phishing attempts, and possibly face an increased risk of identity theft.

More significantly, many of the entries contain very specific GPS coordinates, which could reveal where LinkedIn users live.

The solution, as always, is to give LinkedIn as little information about yourself as possible, and to prevent LinkedIn apps, or any social media apps, from accessing your phone's GPS data.

Providing the minimum information necessary to maintain a LinkedIn account, or indeed any social media account, will keep you from getting caught in the next data scrape.

Also, be sure to go into your phone settings and deny social media apps access to your GPS coordinates.

In Android, go to Settings > Apps and Notifications > App Permissions > Location to determine which apps will always, only occasionally, or never access your location. Location Services" to do the same.

However, quite a few entries contained specific geographic coordinates, certainly more than provided an email address or phone number.

These users were using LinkedIn's mobile app and may not have known that the app may have acquired GPS data at that moment and uploaded it to LinkedIn's servers.

The geographic coordinates were fairly easy to convert to locations on the map by copying and pasting the coordinates into Google. We found locations in New York and Brazil, on roadsides in rural France, and in various cities in India.

More alarmingly, we found coordinates zeroed in on specific addresses in a suburb of Boston and a small town in Wisconsin. Google Street View identified individual homes and displayed their complete addresses. Each of these listings was given a name.

This is pretty serious. This means that you or I could have driven to these homes, knocked on the doors, and asked for the names of the occupants.

If someone whose home address could be identified with this data also happened to provide a date of birth and the required full name, an identity thief might try to use these three pieces of information to fraudulently open an account in that person's name.

Tom's Guide looked at the smallest sample of scraped LinkedIn data, the only sample size that did not require registration with a dubious website.

We found that while all 443 entries provided in the sample included the LinkedIn user's full name and LinkedIn ID, URL, and username, most users voluntarily provided nothing more than a general geographic location, i.e., country, city, state.

Most users only told LinkedIn the bare minimum necessary to maintain their account. Only about 7.5% of users in our data sample included their work email address.

Personal email addresses were not asked for. Very few people provided a cell phone number, and only one was found in the first 100 cases.

This incident comes just a few months after another incident in which data collected from 500 million user profiles on LinkedIn was posted.

"We cannot confirm whether the records are cumulative of data from previous breaches or public profiles, or whether the information is from private accounts," said Privacy Sharks, the website that analyzed the new data samples.

"We are not able to verify whether the data is from a private account.

"Given that there are 200 million new records available, it is likely that new data was scraped."

The person selling the data is named TomLiner, who posted the sales notice on the publicly available Raid Forums website on June 22. He or she offers samples of various sizes, ranging from one million records to just a few hundred records.

Another website that analyzed the sample, Restore Privacy, told us that TomLiner stated he used LinkedIn's proprietary API, or application programming interface, a tool that allows computers to quickly interface with a website's server, to scrape the data.

LinkedIn's own website declares that it has 756 million users. If this stolen data really corresponds to 700 million users, it represents about 92.5% of LinkedIn's total users. If you have a LinkedIn account, your data is probably part of this.

In other words, this is not strictly a data breach, just as the scraping of 500 million LinkedIn profiles a few months ago did not involve hacking.

Then, as now, LinkedIn disclaimed liability in a statement to Privacy Sharks, saying, "This was not a LinkedIn data breach, and our investigation has determined that no data of individual LinkedIn members was compromised."

Nor is it as bad as the 2012 LinkedIn data breach that exposed the personal information of some 117 million LinkedIn users, including personal email addresses and unencrypted passwords. Even Facebook founder Mark Zuckerberg had his email address and password leaked in that incident.

Still, it will be small comfort to those who trusted LinkedIn's data protection. As privacy expert Melanie Ensign noted in a recent opinion piece in Tom's Guide, "The information that companies force users to share in their public profiles can do a lot of harm."

"Whether the data is stolen, leaked, or scraped, the result for consumers is the same," Ensign added. "Their privacy has been violated by a company they thought they could trust."
