The data leak on LinkedIn has been a hot topic this week, especially for those who use the platform for their professional networking. It has been reported that this was a significant data leak, affecting approximately 500 to 700 million LinkedIn user accounts. This is an alarming number and should be taken seriously, as it can have severe implications for both the company and its customers. The hackers gained access to names, emails, phone numbers, and other personal information — everything you would want to know about a person if you are trying to commit fraud or identity theft against them.
In June 2021, a hacker using the username “TomLiner” advertised for sale, on a darknet forum, the information of 700 million LinkedIn users – estimated to be around 90% of its total user base. The data is being sold for $5,000. If validated, this would be the largest LinkedIn data leak to date. The same seller was also behind the 500 million LinkedIn records advertised for sale in April 2021. Later, a sample of 1 million records was published on the dark web, verified as legitimate, and confirmed to be tied to real LinkedIn users. The data appears to be up to date, with samples dating from 2020 to 2021.
How did it happen?
Recently, LinkedIn’s API (Application Programming Interface) was misused by a third party to gain access to the personal data of millions of users. The misuse of this API opens up potential security risks for many people and companies who use LinkedIn as their primary platform for business connections. LinkedIn said it had taken steps to remedy the situation. In this latest data leak, LinkedIn claims that this was a case of data scraping and data aggregation from different sources and not a data breach. They claim that no private LinkedIn member data was exposed; rather, this data leak was an aggregation of data from several websites and companies, as well as publicly viewable member profile data.
What was exposed?
The published sample of 1 million entries contained email addresses, full names, phone numbers, physical addresses, geo-location records, LinkedIn profile URLs, personal and professional background, gender, and usernames for other social media accounts. The data being sold exposed no passwords or credit card details.
In any case, users are advised that there will be an increased risk of social engineering attempts. LinkedIn contact details were leaked, and this data can be used in phishing and identity theft attacks. The risk is greater when people with LinkedIn accounts also have accounts on other platforms such as Facebook and Twitter, where they share further information about themselves, because the combined data lets an attacker build a fuller profile. Hackers can use this to create fake LinkedIn accounts or to log in to other accounts.
What happens next?
Due to the sheer nature of the data leak, LinkedIn users need to be on high alert for email scams, such as phishing scams that could look the same as LinkedIn emails. Users should also change passwords immediately if there is any sign of potential account compromise.
LinkedIn may already be aware of suspicious accounts that have used or are trying to use the leaked data. As such, LinkedIn advises people to monitor the email addresses tied to their LinkedIn accounts for any suspicious activity. It also notified law enforcement about this leak and is willing to cooperate in investigating the situation further. LinkedIn itself did not say how or why the leak occurred.
Companies that use LinkedIn for business networking need to start planning how to deal with the fallout from the LinkedIn data leak. LinkedIn users include a large number of people in every position and in every company, so companies need to be mindful of how this affects their daily business operations.
LinkedIn itself may also face some consequences due to this leak. Besides scrutiny from different groups, LinkedIn will likely see a decrease in new account sign-ups in the future.
What can companies do about it?
LinkedIn is a widely used platform, and companies should start alerting their employees to the data leak. Companies should also advise their employees to review and update their LinkedIn passwords, and the passwords of any other online accounts that share the same password. Further, companies should help educate employees on data hygiene and data privacy practices to protect themselves from future data breaches.
In addition to awareness, companies should deploy stricter spam controls and train their employees to spot social engineering and phishing campaigns. This is where information security awareness tools come in handy – tools such as the Phishing Quiz with Google (https://phishingquiz.withgoogle.com) are an excellent example. More comprehensive training solutions like KnowBe4, which offers information security awareness training, can help educate employees by increasing their knowledge of how hackers steal data from the workplace.
Lastly, and needless to say, companies should refrain from supporting sellers of stolen data and should avoid purchasing it.
What can regular LinkedIn users do about it?
LinkedIn users need to be on high alert for any suspicious online activity. If you have a LinkedIn account, make sure that it is protected with a strong password and that two-factor authentication (2FA) is enabled for enhanced account security. This holds true not only for LinkedIn but for your other online accounts as well. In addition, be careful when installing browser extensions or any unvetted applications on your computer.
Check whether your email address or phone number has been exposed. Websites such as Have I Been Pwned (https://haveibeenpwned.com/) are a great place to start. Be vigilant and try to limit the damage a leak can do to your online accounts. Think twice before you upload or share your information online, and always assume that it may be exposed publicly.
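The Have I Been Pwned check above can be scripted for a whole team rather than done one address at a time. The following is an added example, not code from the original post or from Have I Been Pwned: it builds a request against the HIBP v3 `breachedaccount` endpoint (which requires a paid API key, supplied here as a placeholder) and reduces the returned breach records to the two things a user must act on, which data classes are exposed and whether a password changed hands. The breach records embedded below are constructed samples in the shape of the v3 response, not real HIBP data, so the summary runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

HIBP_API = "https://haveibeenpwned.com/api/v3"
# Data classes that feed phishing and identity theft most directly (defender's watch list).
HIGH_RISK_CLASSES = {"Passwords", "Phone numbers", "Physical addresses", "Email addresses", "Names"}


def build_request(account: str, api_key: str) -> urllib.request.Request:
    """Build the v3 breachedaccount request; the key travels in the hibp-api-key header."""
    url = f"{HIBP_API}/breachedaccount/{urllib.parse.quote(account, safe='')}?truncateResponse=false"
    return urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": "exposure-check"})


def fetch_breaches(account: str, api_key: str) -> list:
    """Query HIBP for one account; HTTP 404 means the account appears in no known breach."""
    try:
        with urllib.request.urlopen(build_request(account, api_key), timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


def summarize(breaches: list) -> dict:
    """Reduce breach records to actionable facts: which breaches, which data, whether to rotate a password."""
    exposed = set()
    for breach in breaches:
        exposed.update(breach.get("DataClasses", []))
    return {
        "breaches": sorted(b["Name"] for b in breaches),
        "exposed": sorted(exposed),
        "high_risk": sorted(exposed & HIGH_RISK_CLASSES),
        "rotate_password": "Passwords" in exposed,
    }


# Constructed sample records in the shape of a v3 breach object (not real HIBP data).
SAMPLE_BREACHES = [
    {"Name": "ExampleScrape", "BreachDate": "2021-06-01",
     "DataClasses": ["Email addresses", "Names", "Phone numbers", "Job titles"]},
    {"Name": "ExampleForum", "BreachDate": "2019-03-10",
     "DataClasses": ["Email addresses", "Passwords"]},
]

if __name__ == "__main__":
    # Swap SAMPLE_BREACHES for fetch_breaches("user@example.com", "<your HIBP API key>") to run live.
    print(json.dumps(summarize(SAMPLE_BREACHES), indent=2))
```

Run against a list of employee addresses, the `rotate_password` flag tells you who needs a forced reset, while `high_risk` tells the awareness team which phishing lures (phone, address, name) are now plausible.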
ABOUT THE AUTHORS
Nicko has more than 6 years of combined Vulnerability Assessment and Penetration Testing (VAPT), information security audit, and security implementation experience. Before joining Scrubbed, he was part of the grassroots team that started the cybersecurity practice in one of the big four auditing firms in the Philippines.
John has more than 9 years of work experience with core competencies ranging from conducting financial due diligence reviews for acquisition and divestiture transactions, completion audit, strategy work, and assurance service lines. His industry experience covers power and energy, oil and gas, retail and consumer, manufacturing, telecommunications, real estate & property, food and beverage, banking and financial services, among others.
Chester has more than five years of relevant experience in accounting and audit. He started his career as an auditor in SGV & Co. (EY Philippines) and handled clients mainly in the construction, manufacturing and real estate industries. In May 2019, he joined Scrubbed handling clients in real estate and hospitality industries. His expertise includes monthly closing process and consolidation.