Less than a week after personal information from a half-billion scraped Facebook profiles were leaked to the digital underworld, the world’s largest professional network seems to have suffered a similar fate. It would appear that, like Facebook, approximately 500 million scraped LinkedIn profiles are now being sold on the dark web to the highest bidder.
This story was originally broken earlier this week by Cyber News, whose staff discovered the huge, illicit cache in the course of online research. LinkedIn has denied that its systems were breached.
The data, which is reportedly being sold on a popular underground forum, is said to include LinkedIn IDs, full names, phone numbers, email addresses, and genders, as well as links to the profiles and other associated social media profiles. It does not appear to include account credentials or financial information.
The hacker is asking for a “four-digit $$$$ minimum price” for all of the data, but is charging other criminals $2 in forum credits to access leaked samples—as a way to legitimate the stash, Cyber News reports. The outlet noted that “it’s unclear whether the threat actor is selling up-to-date LinkedIn profiles, or if the data has been taken or aggregated from a previous breach suffered by LinkedIn or other companies.”
When reached by email, LinkedIn confirmed it was looking into the matter: “While we’re still investigating this issue, the posted dataset appears to include publicly viewable information that was scraped from LinkedIn combined with data aggregated from other websites or companies,” a company spokesperson told Gizmodo on Wednesday. “Scraping our members’ data from LinkedIn violates our terms of service and we are constantly working to protect our members and their data.”
On Thursday, the company released a public statement about the incident, further clarifying that the data was an “aggregation” of data that had been scraped from the site, as well as from other websites:
We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies. It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.
If the alleged leak hasn’t so far spurred the interest of U.S. officials, other countries appear to be taking interest in it.
On Thursday, the Italian Data Protection Authority, the nation’s privacy watchdog, announced that it would begin looking into the matter. It released the following statement [as translated from Italian to English via Google]:
“The Guarantor for the protection of personal data has launched an investigation against Linkedin following the violation of the social network systems which led to the dissemination of user data...these data could be used for a series of illegal conduct, ranging from unwanted calls and messages to serious threats such as online scams or identity theft or phenomena such as the so-called “SIM swapping,” a technique used to violate certain types of online services that use the mobile number as an authentication system.”
The incident is also apparently being investigated in Hong Kong, where the local government’s Office of the Privacy Commissioner for Personal Data (PCPD) was recently tipped off about the leak: “The PCPD has taken immediate actions and contacted LinkedIn. In its initial response, LinkedIn indicated that it is investigating the matter. The PCPD has also issued a letter of enquiry to LinkedIn to seek clarifications,” a spokesperson for the agency said in an email.
It’s not exactly clear what those clarifications are, though the fact that multiple governments are concerned about this would seem to lend credence to the legitimacy of the leak.
While the leak involving LinkedIn isn’t the deeply personal stuff of data breach nightmare (i.e., Social Security numbers, financial information, and the like) it could still very easily be captured and utilized by bad actors for nefarious purposes. To check whether your information has been compromised, you can use the Cyber News “data leak checker” tool, which they recently updated to include some data culled from the leak.