700M User LinkedIn Information for Sale on Dark Web
A user on RaidForums shared information that the data of 700 million LinkedIn users is up for sale. The seller, named "GOD User" TomLiner, claims to have collected the records and posted the data on the dark web in late June. The post includes a sample of 1 million user records as proof of access to authentic user information, and the data appears to have been scraped using LinkedIn's own application programming interface (API). While the collection of the data is not technically considered a breach, the scrape impacts more than 90% of the LinkedIn member base. This second known occurrence comes only a few months after an earlier incident that saw the posting of data collected from 500 million LinkedIn user profiles.
The shared data includes personally identifiable information (PII) such as full names, personal and work email addresses, dates of birth, workplace addresses, mobile phone numbers, social media IDs and links, job titles, regional locations and very specific GPS coordinates.
LinkedIn responded with:
While we're still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach, and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members' privacy is protected.
While the scrape is a gross misuse of the API and a violation of user policy, the information is publicly accessible on LinkedIn profile pages. As a result, users who provided detailed information on their profiles will likely see an influx of spam, be targets of phishing scams and find themselves at greater risk of identity theft. While there is not much users can do retroactively to contain the exploited data, there are steps that can be taken to protect against future attacks.
Complete privacy on social media is difficult because the platforms are designed for connecting and sharing information. Participating in any form of social media therefore requires people to relax some personal privacy constraints, which results in some vulnerability. To avoid or minimize the inherent risks and the impact of future attacks, LinkedIn account users are encouraged to share only the minimum information required to maintain an account. This approach should also be the rule across all social media platforms. Further, as an extra layer of protection, do not give applications permission to access location data from your phone or other devices. It's important to remember that any information shared on the internet is no longer under your control, and you risk losing control of who will ultimately be able to see or access it. Finally, LinkedIn users are encouraged to change their existing passwords and exercise extra caution with regard to any suspicious emails or activity across their online accounts.