Security

LinkedIn Breach Reportedly Exposes Data of 92% of Users, Including Inferred Salaries (9to5mac.com) 47

A second massive LinkedIn breach reportedly exposes the data of 700M users, which is more than 92% of the total 756M users. The database is for sale on the dark web, with records including phone numbers, physical addresses, geolocation data, and inferred salaries. 9to5Mac reports: RestorePrivacy reports that the hacker appears to have misused the official LinkedIn API to download the data, the same method used in a similar breach back in April: "On June 22nd, a user of a popular hacker forum advertised data from 700 Million LinkedIn users for sale. The user of the forum posted up a sample of the data that includes 1 million LinkedIn users. We examined the sample and found it to contain the following information: Email Addresses; Full names; Phone numbers; Physical addresses; Geolocation records; LinkedIn username and profile URL; Personal and professional experience/background; Genders; and Other social media accounts and usernames."

With the previous breach, LinkedIn did confirm that the 500M records included data obtained from its servers, but claimed that more than one source was used. PrivacyShark notes that the company has issued a similar statement this time: "While we're still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members' privacy is protected."

  • by u19925 ( 613350 ) on Tuesday June 29, 2021 @05:16PM (#61535120)

    "Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members' privacy is protected."...

    So they will be cancelling the hacker's account and there is nothing to worry about.

  • by awwshit ( 6214476 ) on Tuesday June 29, 2021 @05:19PM (#61535128)

    Isn't this the second or third time? Is there anything really new here that hasn't been dumped already?

    • by dknj ( 441802 )

      advertisers and thieves abhor stale data. gotta keep it current

      -dk

      • They'll figure out that I visited linkedin from the Taco shop, every Wednesday! Better change my pattern or they'll find me.

        • by base3 ( 539820 )

          They'll figure out that I visited linkedin from the Taco shop

          Let's do a quick security check.

        • by rtb61 ( 674572 )

          They will figure out what people to phish et al to attack what company. What position they are, is a more violent attack warranted for criminal purposes due to their position. They have seriously compromised the security of many corporations and many professionals.

          • by DarkOx ( 621550 )

            I am not defending or excusing the hackers in any way, but if disclosing your position on LinkedIn, even 'privately' to your 'network', places you in danger, then your position must have been pretty sensitive. If you have such a sensitive position, you should be exercising some operational security and not broadcasting that fact on social media at the very least. If you are some combination of dumb enough, oblivious enough, vain enough, subject to peer pressure enough to put that info out there on social media

    • the second or third time? No, they have never lost access, which keeps their data current and thus more valuable.
      • I think they picked my data up on the first hack. I dumped LinkedIn a couple of years ago, but that does not stop phishing attempts on me where the phisher makes the title of the email to me my old LinkedIn password, and then the message is an extortion attempt which I should of course pay in BTC. Like I would have used anything but a very disposable unique password for any site like LinkedIn. But you would think after that first truly massive data harvest, LinkedIn would have tightened things up, and yet
        • Been getting those emails for years, off 2 ancient unused LinkedIn accounts. I think it is the same data hack package getting sold over and over for years to script kiddies. And always the same original old passwords.
    • Well, if they've dumped my phone number then that will be new, since I didn't give it to them. I also reduced the profile to a min after the MS takeover... not because it was MS per se, but because the game was changed.

      • I'm assuming that they only have information I provided, phone number is not one of those. Who knows, maybe they buy data too and blend it in.

  • The hackers linked in. Target was targeted. [nbcnews.com]

    My next website will be named WeHaveNo.Loot

    • I always figured that 'Driver carries no cash' meant 'Please don't rob me'.

      Where I work all kinds of crazy stuff goes on around our buildings at night. Typical homeless activities, typical scavengers that will take anything outside that is not bolted down, people breaking into storage containers/vehicles/etc., people trying to disable security cameras (they aren't playing handball on the back of the building at night), right up to prying the door open and going in. I hate going in after hours.

      I need a new t

      • by Tablizer ( 95088 )

        If they don't hire a human security guard, they deserve to get wiped clean.

        I need a new t-shirt:
        No Smokes
        No Cash

        Include: "No orifices, no genitals"

  • by nuntius ( 92696 ) on Tuesday June 29, 2021 @05:36PM (#61535186)

    Option 0: Do Nothing. Pretend this data is still secret.

    Option 1: LinkedIn makes their database public.

    Option 2: The US government maintains a public database of name, SSN, DOB, career, AGI, addresses, family tree, ...

    Only half joking. I think we need to move past the sick joke of "identity theft", with its "identity theft protection" racket, and invest in a PKI registry for electronic transactions such as financial account management. Prove your identity in person and bind it to a private key. Transactions not signed by a properly issued certificate are not enforceable in court.

    Public release of information would accelerate this process (open secrets lose all credibility for authentication), empower everyone with accurate data on salaries for negotiation (hint: information is presently biased towards large institutions), and possibly even expose tax cheats. There may be some unwanted side effects but we would probably adapt.

    • As long as it's opt-in, it's a reasonable approach. But identity recovery then becomes the problem.

      Is it worse if someone pretends to be you or if you can't prove who you are? The latter case could prove to be more of a problem day-to-day.

    • empower everyone with accurate data on salaries for negotiation

      This is one area where free markets and capitalists diverge. Free markets work best if all price information is open and available. Capitalists work best if they're the only ones with complete price information.

  • 92% this time and just a while ago 500-million-linkedin-users (04/08/2021) [slashdot.org]
    • You know! LinkedIn is doing quite a job disseminating all their employees and users info! Impressive. Are they a Microsoft operation by chance?
      • Yes, LinkedIn is actually part of the Microsoft Mothership. Something about 26 billion USD buyout.
  • I don't use LinkedIn as I haven't seen the need as yet, and early on it seemed Spammy so I didn't bother.

    I'm just wondering if people actually gain meaningful employment from LinkedIn?
    If you do/don't Is it worth having those personal details up there? (Full Name, Phone, email, address).
    I'm sure it isn't that difficult to find information on someone, but having those details all in one place?

    • I got at least one job on LinkedIn. I quit after nine months and went to a new job working with someone I know personally.

      It wasn't problematic or anything, just not a good fit; too boring, getting anything done was bureaucratic pulling teeth.

    • It's useful to get the current email address for someone that you knew and were out of touch with for the usual laziness reasons.

      Also, it's much easier to get fair shakes at a job if someone inside recommends you (in the sense of agreeing you're pleasant to work with and reasonably competent), and LI helps you find that connection.

    • I've had roughly 2 dozen opportunities brought to my attention via LinkedIn in the last half a dozen years or so.

      Half went nowhere beyond a polite "not interested" via their chat feature for positions that were not a good fit for me. I've actually applied for roughly 10 of them, got at least 1 round of interviews for 5 or 6, got to the offer stage for 2, and accepted 1 at the end of last year for my current position. A position with greater autonomy, less stress, and more money. Not to mention no longer n
    • by tomhath ( 637240 )
      All I ever got from a LinkedIn account was spam from headhunters. Closed the account years ago, but I'm sure they still consider me a "user".
  • Can't say that I'm surprised that they ALLOWED themselves to be hacked again. What a joke.

  • Folks, ya gotta remember to have a super long password, and the latest Windows update, or someone might find out your credit card.

    While these giants give away the better part of a billion users twice - tell me - why the living foreskin of holy Moses is anyone on LinkedIn? I started to sign up, and they wanted my friggin' passwords for email and some other stuff.

    At this point, if you get your professional information given out for free by these clods like LinkedIn - you share half the blame.

  • RestorePrivacy reports that the hacker appears to have misused the official LinkedIn API to download the data, the same method used in a similar breach back in April

    But they pinky-swore they would only use it the way LinkedIn said they could! We can't let people get away with such egregious actions! #LinkedInIsInnocent #IgnoreTheManBehindTheCurtain

    • 'Misused the official API'?
      What would warrant open to public, unmetered and apparently non-throttled access to what sounds like complete user data?
      "Bearer-Token: 12345" on some 'private' API perhaps?

  • I'm sure there are legitimate (?) advertising sellers and companies that would pay real money for such a data set. Google, for example, could update and correct their data.
  • by bradley13 ( 1118935 ) on Wednesday June 30, 2021 @01:53AM (#61536234) Homepage

    That someone was indeed able to scrape millions of records, whether using the API or otherwise, that is definitely a security breach

    I'm not seeing how this is a security breach. Providing users' data is what LinkedIn does. All of the data in this "breach" is data that users provided, with the expectation that it would be handed out to anyone interested in it. They should all be happy - now lots more people have their data :-/

    This is a Terms-and-Conditions breach: someone who...forgot...to pay LinkedIn for the privilege of getting the data.

    • by AmiMoJo ( 196126 ) on Wednesday June 30, 2021 @05:54AM (#61536500) Homepage Journal

      You are supposed to have control over who sees your data on LinkedIn.

      Like Facebook they seem to have an API available for developers but it has zero security, it doesn't enforce the normal visibility rules that the website does. Just like Facebook they seem to have thought that vetting API access and setting T&Cs was enough, not considering the possibility that keys could be stolen and developers could lie.

      • by DarkOx ( 621550 )

        I don't use LinkedIn so I don't know, maybe things are better in this regard, but Facebook changes privacy controls pretty frequently and the rules of the road there are pretty complex. Like, you'd think making a public post private or setting it to "only me" would leave it invisible, but nope, if people have already seen it they can continue to do so, for example. Similarly, understanding what an 'app' gets access to and what it does not is similarly difficult unless you just assume it gets everything and make your ch

      • by brunes69 ( 86786 )

        First, your point about the Facebook API is false.

        Second, there is no evidence whatsoever that the records here are anything but public. In fact the analysis is showing that for the most part the data is identical to the data that made the same news rounds back in December for the same reasons.

        If every time a data set is posted on the dark web it becomes a media sensation without any critical analysis on the data, well, things are going to get very interesting, because data sets like this are posted literal
