The LinkedIn leak: What actually happened? by A. HIRSCHHORN
New articles surfaced last week with the announcement of 700 Million LinkedIn users’ data being for sale on the dark web. The words “data”, “leak”, “breach” as well as other similar terms have been thrown around as well, leaving millions of users wondering “LinkedIn hacked again? Now what?”
I wrote a similar article a few months back, when WhatsApp’s privacy policy update had everyone talking, sending many users running towards alternatives like Telegram or Signal.
What these two topics have in common is that the reader’s attention is immediately drawn to fear. “What will happen with my data? Is this platform still safe for me to use?”
What actually happened?
According to LinkedIn, “this is not a data breach and no private LinkedIn member data was exposed.”
The statement goes on to say that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in their April 2021 scraping update.
In fact, if you are concerned about a data leak or a breach of LinkedIn’s security infrastructure, you are not focusing on the real issue at hand: data scraping.
What is data scraping?
According to Wikipedia, data scraping is a technique where a computer program extracts data from human-readable output coming from another program. It means that this data could also be obtained by a human being, navigating public pages and profiles. For example, name, occupation, employer, email address, things of the sort.
In itself, it doesn’t sound so terrible. Most of us have some part of our profiles publicly visible. LinkedIn IS for networking after all.
The real issue becomes clearer when we start to think about what this represents. For one person, or even a group of people, to scrape this public data manually would take far too much time to be profitable. A web scraping tool is used instead: it works far more efficiently, collecting much more data than a human could, at a much faster rate.
You now have a hefty amount of data available to a single person or a group of people to use as they please.
On their own, each one of these records only has limited impact. Looking at a database of 700M records, however, it is a different ballgame altogether.
In the context of coordinated and/or automated social engineering, phishing or homographic attacks, this data set would be an invaluable asset.
One could imagine that someone paying for this amount of public data will be looking to make their money back, out of your pocket.
Do I need to take action? What can I do?
As I mentioned before, this was public data to begin with. If you feel the need to take action, keep in mind there are only two elements in this scenario that are within your control.
Be aware of what you’ve agreed to.
Surely, this is just a reminder. I mean, we’ve all read the LinkedIn User Agreement and the Privacy Policy... right?
Review your LinkedIn Settings & Privacy choices.
But please keep in mind this doesn’t affect the past, only the future. If your data was in those 700M records, it won’t help you this time, but it could help you in the future.
Be extra vigilant for phishing attacks, especially in these next few weeks.
If someone buys this information, they are highly likely to use it. You may want to pay very close attention to any odd messages received in the next few weeks: LinkedIn messages, emails, texts, messages via WhatsApp or other messaging apps, etc.
Perhaps this is a good reminder of how much of our personal info we choose to make readily available. I say choose, because it is indeed a choice. Not always a simple or pleasant one, but we all agreed to the Terms & Conditions, so in theory, we already knew this was possible. Or at least, we should have.
Your best line of defense in cases like these is arming yourself with common sense and being knowledgeable about what information is publicly accessible, and how this information can be used.
Along with that, here are some basic security tips for when you open messages from unknown sources:
1. Too good to be true: If you are being offered a deal for a product from a known brand, go to the original company site and check if it’s available there as well.
2. Keep a vigilant eye when looking at web addresses: If some of the letters in the URL look unusual, or the website design looks different, retype the address yourself, copy and paste it, or visit the original company URL in a new tab to compare.
3. Better safe than sorry: If you have any doubts or are simply curious, click/tap on the padlock in your browser’s address bar and inspect the HTTPS certificate (keep in mind that a valid certificate only confirms you are connected to the domain shown in the address bar, not that the domain belongs to the brand it resembles).
4. Be wary of actions you are asked to take: if a site is pressing you to act quickly or using FOMO, attackers are likely banking on users letting excitement get the best of their common sense.
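The "unusual letters in the URL" check from tip 2, and the homographic attacks mentioned earlier, can be automated on the defender's side. The following Python script is an added example written for this page, not code from LinkedIn or from the article's author: it takes a URL, reports whether the hostname would be sent as punycode, whether a single label mixes writing systems (Latin plus Cyrillic, for instance), and whether the hostname is a look-alike of a protected domain. The confusables dictionary and the protected-host list are constructed, hand-picked subsets for illustration; real tooling would use the full Unicode confusables table.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed for this example: a small subset of Cyrillic/Greek letters that
# render almost identically to Latin ones. This is a hypothetical hand-picked
# subset, not the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed, hypothetical list of hostnames we want to protect.
PROTECTED_HOSTS = {"linkedin.com", "paypal.com", "google.com"}


def script_of(ch):
    """Return the Unicode script prefix of a letter (LATIN, CYRILLIC, GREEK, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(label):
    """Map a hostname to its Latin look-alike form using the confusables subset."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_url(url):
    """Return a dict describing why the hostname in `url` looks suspicious, if it does."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    findings = []

    # 1. Non-ASCII hostnames travel on the wire as punycode ("xn--..." labels).
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = None
        findings.append("hostname cannot be IDNA-encoded")
    if ascii_host and any(part.startswith("xn--") for part in ascii_host.split(".")):
        findings.append("internationalized hostname (punycode): %s" % ascii_host)

    # 2. A single label mixing scripts (Latin + Cyrillic, say) is a classic homograph sign.
    for label in host.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append("mixed scripts in label %r: %s" % (label, sorted(scripts)))

    # 3. Compare the look-alike skeleton against the protected brand hostnames.
    skel = skeleton(host)
    if skel != host and skel in PROTECTED_HOSTS:
        findings.append("look-alike of protected host %s" % skel)

    return {
        "host": host,
        "punycode": ascii_host,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample URLs; the second uses a Cyrillic 'а' (U+0430) in place of Latin 'a'.
    for sample in ("https://www.linkedin.com/in/someone", "https://p\u0430ypal.com/login"):
        print(analyze_url(sample))
```

Running it prints no findings for the genuine LinkedIn URL and three findings for the Cyrillic look-alike: the punycode form, the mixed-script label, and the match against the protected host. A mail gateway or browser extension would apply the same checks to every link before a user ever sees it; the script deliberately reports all three signals rather than stopping at the first so an analyst can see which one fired.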