A LinkedIn breach could have unveiled the personal data of 93% of its user base, or around 700 million accounts.
RestorePrivacy says that the data has already been put up for sale online. After contacting the seller, the group found that everything from full names and email addresses to a person’s salary and geolocation records was part of the package.
LinkedIn has a pretty buttoned-up reputation, but it’s not leakproof. It’s already been through two breaches so far this year -- including a massive hack in which data on 500 million LinkedIn users was scraped from the site and sold online.
What was stolen
As part of its communication with the seller, a sample of what was stolen was shared with RestorePrivacy. It included the following:
LinkedIn username and profile URL
Personal and professional experience/background
Other social media accounts and usernames
RestorePrivacy confirmed that the personal data is both up to date and authentic. LinkedIn users can breathe a small sigh of relief because login credentials and financial data did not appear to be a part of the breach. However, there’s still a lot to be concerned about.
“There is still a treasure trove of information for bad actors to exploit for financial gain,” RestorePrivacy’s Sven Taylor said. “While this latest LinkedIn leak did not contain any financial records or login credentials, there are still serious consequences.”
Taylor said those repercussions put 700+ million people at risk of identity theft, phishing attempts, social engineering attacks, and hacked accounts.
LinkedIn validates the breach
In a statement posted on its website, LinkedIn confirmed the breach but couched it in a much softer way than RestorePrivacy.
“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies. It does include publicly viewable member profile data that appears to have been scraped from LinkedIn,” the platform said. “This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”
LinkedIn went on to say that scraping violates its terms of service and that it will be working to stop anyone who does it and hold them accountable.
“For consumers, the leak is a reminder of the fragility of networks like LinkedIn’s where mass amounts of identifiable data can, seemingly, be easily scraped and shared online,” Madeleine Hodson, senior writer at PrivacySharks, told ConsumerAffairs. “The overall impact of the breach may ultimately reduce users’ confidence in these platforms where they are required to share a lot of personal details.”
How secure are your passwords and data?
If you haven’t taken a hard look at how your personal data is being protected, this latest breach may provide the motivation to finally do it. ConsumerAffairs has prepared an extensive guide that includes information on steps you can take and security companies that can lock down your personal data.
Exposed passwords are a key target for hackers, but as one study recently found, most people never know their passwords were ever compromised. If you’re curious about how long it would take for a hacker’s software to figure out your password, you might be surprised.
ConsumerAffairs found an interesting widget -- Security.org’s password strength checker -- that will play out that scenario. You might find it interesting to see if your password could be hacked in a matter of seconds or, if you’re lucky, billions of years.