LinkedIn's Data 'Scraped' Not 'Breached': Cyber Security Expert
The data, reportedly obtained by an unknown hacker, is said to consist of personal details of LinkedIn users.
Data from 700 million LinkedIn users have been scraped and put up for sale on a dark web forum.
The scraped data allegedly includes physical addresses, geolocation records as well as salaries of the users.
At the outset of 2021, we witnessed two separate incidents of 'data breach' at LinkedIn, but the company has denied all the claims.
However, several media reports have called this scraped data a potential 'data breach'. The Quint spoke to Sourajeet Majumder, a cyber security expert, to understand whether it is fair to call it a data breach.
On 27 June, a report by RestorePrivacy revealed that a user advertised data from 700 million LinkedIn users for sale on a hacker forum.
The user of the forum posted a sample of the data that includes information of 1 million LinkedIn users.
The Quint examined the dataset and found it to contain the following information:
LinkedIn username and profile URL
Personal and professional experience/background
Other social media accounts and usernames
Data Breach Vs Data Scraping
A data breach is defined as an incident that involves unauthorised or illegal access to private data by an individual, application or service.
It is a type of security breach specifically designed to steal and/or publish private or sensitive data which in general is not accessible by all. The information mostly includes financial records, passwords, KYC documents and health information.
Meanwhile, data scraping is when software or a script downloads public information from a website, like member information or even just the content. "It is like an automated browser that downloads information which is publicly available. Public data can include names, phone numbers, emails, user IDs, location and linked social accounts which in general is accessible by all," explains Majumder.
'Unfair to Call Data Breach'
Looking at the sample data shared by the threat actor, it is evident that the data set only includes data that is publicly available on LinkedIn profiles: for instance, name, last name, LinkedIn profile URL, email addresses, and phone numbers, which are accessible by all.
"Calling the set of LinkedIn data that has been posted for sale as a data breach explicitly, is not ideal and spreads disinformation and adds to user's anxiety"
Sourajeet Majumder, Cyber Security Researcher
Meanwhile, LinkedIn has said it did not face a data breach.
In a statement, LinkedIn said, "While we're still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members' privacy is protected."
Should You Be Concerned?
Even though a data scrape is less severe than a data breach, a data scrape may be exploited by hackers.
There are multiple things that a malicious actor can do with a set of scraped data, explains Majumder:
Phishing: Armed with public information including names, employer information and network contacts, hackers can craft convincing phishing campaigns.
Spam Advertisements: Telemarketing companies often buy such datasets to run targeted advertisements for their products and trick users into purchasing their services.
Can You Stop Your Data from Being Scraped?
Majumder believes that it is very important to understand that any information that is available in the public domain is always at risk of being scraped.
However, if an individual is not comfortable with their data getting scraped or used in ways they might not expect, they can protect it by simply:
Not putting their data out in public at all.
Using privacy controls (if they're available), for example, locked social media accounts.