LinkedIn said the incident is ‘not a data breach’ but involves publicly viewable data that has been scraped from the platform.
Data scraped from around 500m LinkedIn profiles is said to be part of a database that has been put up for sale on a hacking forum.
Cybernews, which first reported on the incident, said that, based on the samples it saw from the leaked files, the information includes LinkedIn IDs, full names, email addresses, phone numbers, genders, links to LinkedIn profiles, links to other social media profiles, professional titles and other work-related info.
The publication reported that a hacker is attempting to sell this data for a four-digit sum.
In a statement yesterday (8 April), LinkedIn said it determined that data posted for sale is “actually an aggregation of data from a number of websites and companies”.
“It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”
LinkedIn’s website says that the Microsoft-owned platform has nearly 740m members. If 500m users are affected, that would represent more than two-thirds of the company’s user base.
The report comes just days after news of a Facebook data leak, where information on 533m Facebook users emerged on a hacking forum. This info includes phone numbers, Facebook IDs, names, locations, birthdates and, in some cases, email addresses.
The social media giant confirmed that this information was “scraped from people’s Facebook profiles by malicious actors” using the company’s contact importer tool prior to September 2019.
The leak of phone numbers, in particular, could be concerning as users are unlikely to change these numbers regularly. This data could be used by scammers in phishing and smishing scams, but could also have more serious security implications for people who use mobile phone numbers for two-factor authentication or password resets.
Social media companies have tools in place that aim to prevent scraping on their platforms. In its terms, LinkedIn says it doesn’t permit the use of third-party software including crawlers, bots, browser plug-ins or extensions that scrape activity.
In its update yesterday, LinkedIn said that any misuse of user data, such as scraping, violates the company’s terms of service.
“When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable,” it concluded.