LinkedIn Suffers Huge Bot Attack That Steals Members' Personal Data

An anonymous reader quotes a report from SiliconBeat: Data thieves used a massive "botnet" against professional networking site LinkedIn and stole member's personal information, a new lawsuit reveals. "LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information," said the company's complaint, filed in Northern California U.S. District Court (PDF). "During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as 'bots') have extracted and copied data from many LinkedIn pages." It is unclear to what extent LinkedIn has been able to stymie the attack. A statement from the firm's legal team suggests one avenue of penetration has been permanently closed, but does not address other means of incursion listed in the lawsuit. "Their actions have violated the trust that LinkedIn members place in the company to protect their information," the complaint said. "LinkedIn will suffer ongoing and irreparable harm to its consumer goodwill and trust, which LinkedIn has worked hard for years to earn and maintain, if the conduct continues." LinkedIn says it has more than 128 million U.S. members and more than 400 million worldwide. According to the complaint, the hackers got around six LinkedIn cybersecurity systems, and also manipulated a cloud-services company that was on the company's "whitelist" of "popular and reputable service providers, search engines and other platforms" which interact with LinkedIn under less severe security measures than other third parties. The manipulation allowed the hackers to send requests to LinkedIn servers. "This was not an attack or data breach where confidential data was stolen," LinkedIn's legal team said in a statement. "This suit is about unknown entities using automated systems to scrape and copy data that members have made available on LinkedIn, violating the law and our Terms of Service."

How is this a breach of terms?

[Anonymous Coward]

Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

Scraping a website isn't illegal. What, are they making a claim to the data on the website? That's rich.
If companies want to complain that data can't be owned then they can't also complain when people take data from them.

Re:How is this a breach of terms?

[JustAnotherOldGuy]

Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

Exactly. Page scraping isn't illegal (yet).

If you put stuff out there for the public to consume, expect it to be consumed, just not necessarily in the way you intended.

Re: How is this a breach of terms?

[ArmoredDragon]

Regardless, even before reading this I've been debating deleting my LinkedIn account and only republishing it in the event that I get laid off. The site just strikes me as pointless, and all I get out of it is recruiter spam for jobs that pay about the same as what I'm getting now only in stupidly expensive areas like San Francisco...no thanks.

In fact the only reason I created one to begin with is because the HR people at a place I interned for said it was a good idea to have one, but now I'm not so sure.

Re:

[JustAnotherOldGuy]

I don't have a LinkedIn account and it hasn't hampered me.

Re:

[serviscope_minor]

I'd be interested to hear if anyone here has a counter example. I certainly don't. I don't seem to have every got anything useful out of it.

Re:

[OffTheWallSoccer]

I'd be interested to hear if anyone here has a counter example. I certainly don't. I don't seem to have every got anything useful out of it.

I can give you three examples from my own experience.

1. My LinkedIn connections (former colleagues, mostly) have contacted me to see if my employer is hiring or if I can submit their resume for a job posting. I have helped many folks secure jobs this way.

2. I have also been approached by people in my LinkedIn network, asking if I wanted to come work with them. I have gotten several jobs that way. (When I wasn't even looking for a job.)

3. The reverse of #2 -- When looking for people to join my team, I go

Re:

[Lumpy]

The problem is HR.

I recently landed a gig with a major pay hike by getting the managers of the actual team to want me on their team.

I apply and start the dance with HR.

"how much do you want?"

I want $XXX,XXX as it's compensating for the major cost of living increase and a increase for me as I am moving for you and changing jobs.

"We wont go that high"

well, that is my offer, if you cant meet it, have a nice day.

Two weeks later HR called me back saying they accepted my offer.

Ignore ANYTHING recruiters or HR pe

Re:How is this a breach of terms?

[Ol Olsoc]

Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

Exactly. Page scraping isn't illegal (yet).

If you put stuff out there for the public to consume, expect it to be consumed, just not necessarily in the way you intended.

Illegal or not, When I was first invited to LinkedIn, I though I'd try it. Went through most of the process, and then they asked for my email password. SRSLY? Ostensibly to mine ny address book for people to invite, but what the hell - they would have my password. So that was about enough of that.

Giving them unfettered access to your email is probably the "other information" named in the summary. And now so do other people. Then again, someont who owuld share that sort of thing probably uses Password1 or some other dumb one.

Re:

[jrumney]

You know you can just skip that step...just like Facebook, Twitter, Whatsapp and a bunch of others that ask for access to your contact list just so they can spam them.

Re:

[Ol Olsoc]

You know you can just skip that step...just like Facebook, Twitter, Whatsapp and a bunch of others that ask for access to your contact list just so they can spam them.

I did. I wouldn't trust anyone who asks me for may email password. That's pretty egregious. So I skipped them altogether.

Re:

[ThatsMyNick]

If your email provider is a public email provider (like gmail), they ask for your other email passwords so they can import contacts too, when you signup. I guess you have to stop using all public email providers, cos they all pull the same shit.

Re:

[Ol Olsoc]

If your email provider is a public email provider (like gmail), they ask for your other email passwords so they can import contacts too, when you signup. I guess you have to stop using all public email providers, cos they all pull the same shit.

They don't get any such thing form me. Its not even like I have anything to hide, but they might.

Re:

[ThatsMyNick]

Of course they dont get any such thing from you. They still ask it, just like linkedin, and provide a skip option just like linkedin.

Re:

[Ol Olsoc]

Of course they dont get any such thing from you. They still ask it, just like linkedin, and provide a skip option just like linkedin.

They get it from a lot of folks though. I'm just saying that is remarkably foolish thing to do. You have an issue with people offering prudent advice?

Re:

[ThatsMyNick]

Nope, I have an issue with people taking issue with linkedin, but not with gmail (when they both do the same thing).

I agree that it is shitty practice, and they should be criticized for it.

Re:

[Anonymous Coward]

You know you can just skip that step.

Sure... problem is, other people don't skip it, and they have your info in their address books. Thus, against your will, they have given it to LinkedIn.

There's no way to keep it out of your hands. You can't in any practical way expect every one of your professional contacts to do the right thing.

Re:

[Reziac]

I have a LinkedIn account, but it doesn't get access to my email. I use it mostly to keep track of professional acquaintances; why would I put personal info there or give it access to my address book?

I expect the main fallout from this targeted scrape (it doesn't sound like an actual data breach) will be a minor uptick in spam. Like that's news...

Re:

[Luthair]

Hey, I don't know what to say my web browser was just pre-fetching the site so I could browse it more quickly.

Re:

[idji]

Yes, it was illegal, because you need to have a Linked-In account to even access the data they downloaded, and it is part of the Terms and Conditions that automated software will not be used to download data. https://www.linkedin.com/legal... [linkedin.com]
the following is not allowed
scrape or copy profiles and information of others through any means (including crawlers, browser plugins and add-ons, and any other technology or manual work);
Collect, use, copy, or transfer any information obtained from LinkedIn without

Re:

[johanw]

And these "terms" are legally binding why exactly?

Re:

[Anonymous Coward]

Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

Effectively yes.

Scraping a website isn't illegal.

But it is against the Ts & Cs of access.

There's no contract there

[Anonymous Coward]

Whoever scraped it, there's no contract between LinkedIn and them and so no terms of service violation. It's also not illegal to read a website (i.e. "against the law" is bollocks).

This is quite normal, people publish stuff publicly and its scraped by search engines, and they get all pissy, but just as Facebook keeps a large part of its content behind a login, so Linked In can/should.

It's funny, these companies get YOUR data and sell access to a full set of datamining to YOUR data, and then they get all pis

Re:

[michelcolman]

Wasn't there some new law equating website ToS violations to hacking with penalties of 800 years in prison, regardless of whether you ever agreed to them or not? Probably tucked into a law about lead content in diapers?

Re:

[mikeiver1]

Funny this one, isn't it all there for anyone to see if you simply join? Oh my, they didn't join and yet still have access to the data? My O My, what are we to do? (wringing hands in consternation) I have a page but post not a single bit of truth or useful information on it. It is simply a place holder and nothing more. Enjoy that info you pulled from me, it is utterly without worth.

Re:

[eric_harris_76]

Yeah. Is "steal" even the right verb, here? I don't think so.

Let me save you the trouble

[50000BTU_barbecue]

My present employment sucks and the pay is shit.

Re:

[ChunderDownunder]

linkedin is these days mostly social media for millennial recruiters such as those stupid mathematical formula puzzles.

"Oooh, look at lovely cake Bridget baked for Friday morning tea"
"Congratulations to Jeremy and Ivan for finishing second in the badminton at the corporate games"
"top 17 techniques for sprucing up your CV"

Maybe once a year will one of them actually contact me about a role they have. Perhaps if some scrapes and on-sells my data I might get a few more leads!

Re:

[Antique Geekmeister]

"Plus a constant".

See http://www.pleacher.com/mp/mhu... [pleacher.com]

Re:

[ls671]

They never ask tricky questions like that. Some, if not most people will be tempted to answer 0 while for a mathematician, the correct answer is 1. So, from a mathematician perspective, it might be fair to say that 99% of the population can't answer this correctly.

Re:Let me save you the trouble

[ultranova]

Mathematical formulas: "99% of the population can't resolve this. Can you? 1 + 1 x 0 = ?"

They never ask tricky questions like that. Some, if not most people will be tempted to answer 0 while for a mathematician, the correct answer is 1.

I honestly can't tell if you're serious or not. The correct answer is obviously "yes".

Maybe, maybe not.

[dgatwood]

Scrapers are not a violation of the law, per se. Scrapers access material that is made publicly available. Claims that downloading that data are somehow illegal are downright silly, IMO.

As to whether it was a violation of their terms of service or not, that likely depends on whether the bots were logged in and on whether the person logged in was aware that the bots were being used in his/her name. If the bots were not logged in, then it is no different from scraping a website, which is likely not illegal unless you then use that scraped data in a way that would be illegal. If the bots were logged in, then it is a violation of terms of service if the user was aware of the bot activity, or illegal if the user was not.

So where's the real breach?

[wvmarle]

So now someone is accessing LinkedIn on a big scale to access public information on that site. Information that was explicitly made public, and that was placed there for everyone to see.

So how is this a breach or even "theft"? While maybe not entirely ethical or the way it's meant to work, it seems they're accessing nothing but public data.

Re:

[Anonymous Coward]

It pisses off LinkedIn because their business model is to collect and sell that data themselves.

Don't understand the problem

[Anonymous Coward]

I put my information on LinkedIn precisely so other can find it.

Re:

[Reziac]

Exactly. Its function is as a business card kiosk, where you WANT people to take your "card" (info), to remind your fellow professionals that you exist, and maybe let other professionals find you.

If you're using it for personal info, you've misspelled "Facebook".

Re:

[OffTheWallSoccer]

Well said.

WTF did I just read??

[Narcocide]

LinkedIn has worked hard to maintain consumer goodwill and trust? Since fucking when!? Even if you don't register, they populate a profile for you with data from other people searching for your non-existent profile, and then show it to other people without distinguishing you from an actual registered user. Add to that the JavaScript XSS vulnerabilities they've been plagued with since day 1 because they don't hire as well as they help other people hire, and you will probably see why I'm not buying any of this trustworthiness crap.

Sir!

[flopsquad]

Sgt: Sir, we had a data breach!
Gen: Stolen passwords again?
Sgt: Worse! They've downloaded publicly available information!
Gen: Gah! What kind of depraved madmen would do such a thing!?
Sgt: We don't know, but we're suing them.
Gen: Oh. Good then. Carry on.

Doh

[JustAnotherOldGuy]

They should have used stopforumspam or botscout or at least throttled their bandwidth for excessive page requests.

No human reads 50 LinkedIn profiles a minute, FFS. Throttling the bandwidth would have been the simplest solution, something like bw_share [debian-adm...ration.org] would do it.

Re: Doh

[BlckAdder]

Read the filing and you'll see that that's what they do. The bots are circumventing their throttling. They seem to have other countermeasures as well, which are also being circumvented, though none of it looks like a hack. More like well orchestrated abuse of soft limits and behavior-based controls. They allege that the bots are scraping information from the site both anonymously and while logged in. Probably different types of bot.

Re:

[JustAnotherOldGuy]

The bots are circumventing their throttling.

Yes, if they were running through a large list of IPs and taking some simple steps to avoid tracking (constantly clearing cookies, varying the user agent string, etc) they could get away with it.

I've done a few scrape jobs in my time, it's not all that hard. You can slow it down the scraper down little (maybe) but you can't stop it without some kind of ridiculously restrictive controls (the kind that would also hamper real users).

You could probably get this page-scraping job done on Amazon's Mechanical Turk

Um...

[quonsar]

So LinkedIn is suing exactly 100 unknown entities? Doesn't even make sense, except as some sort of PR ploy.

Webscraping

[110010001000]

Webscraping isn't illegal. It might be against the terms of service, but what are you going to do? Revoke their accounts?

Re:

[Luthair]

Probably charge them with hacking because thats how the US government works.

That Steals Members' Personal Data

[frovingslosh]

I call B.S. If it was personal data then you shouldn't have given it to LinkedIn in the first place.

So just like Google then ...

[chuckugly]

I'm pretty sure spidering a website isn't all that new, I'm curious why it's even interesting?

This was far worse than "public" scraping

[radicimo]

I've been on LinkedIn a long time and observed a few botnets in my day that operate through other vectors. This botnet was not just scraping public profiles! Keep in mind that on LinkedIn you can have a public profile and you can have a private profile (only available to your contacts).

I would bet that these bots were LI profiles that passed for people. After all LI bots are unlikely to be so different from Twitter bots. My guess is that this botnet used fake profiles and scraped private data that was only

Re:

[Zontar The Mindless]

There are other websites. Perhaps you should go try reading one of them.

Re:

[Shag]

This is one of my concerns - the possibility that the scraping was done using actual LinkedIn accounts, with connections and thus to some extent contains information that wasn't in public profiles.

My other concern is that even if you're limited to public information, if you have enough of it, you can deduce non-public stuff.

Maybe it's one of the big "profiles based on public records" companies; maybe it's state-sponsored or some kind of non-state actor.

Anyway, from an opsec angle, I felt justified blanking

Re:

[radicimo]

The open question is did they hijack real accounts or only crawl via fake profiles? Would like to know how command & control was handled. Based on my read, this was more than a scrape job and much more programatic.

Trust?

[Luthair]

The suckers who use LinkedIn do so specifically to make this sort of information public so people can find them. They 'trust' LinkedIn to make it publicly available.

"trust"

[Iamthecheese]

That data was up for sale. Only the very least informed trusted it to be private. What Linkedin really lost was the chance to sell out their members, if the information should be publicly leaked.

Are you telling me...

[BenJeremy]

...that somebody viewed the information I let everybody view on a site that is intended to make such information viewable by as many people as possible?

STOP THE PRESSES!!!! NEWSFLASH!!!!

(and this isn't even an EditorDavid story!)

How long does it take to actually die in LinkedIn?

[Anonymous Coward]

I ditched LinkedIn the day after Microsoft bought them. But I've continued to get endless emails from people wanting to connect. I complained about a dozen times, but lately I've just ignored it. What are the odds that my login information -- which I have never been able to get LinkedIn to admit to having deleted -- is still stored in their system somewhere?

Re:

[ThatsMyNick]

Just like most sites, you would probably never die. You would just be marked as deleted, and the deleted flag will propogate to offline backups eventually.

But I've continued to get endless emails from people wanting to connect.

There is a link in those email you can use to stop those notifications. You get these emails even if you are not a member of linkedin, that is just linkedin being linkedin

Re:

[evilviper]

The link in those emails asks you to CREATE an account, so that you can setup email preferences. They had no other way to opt out. I guess Google put their foot down, because now there's an list-unsubscribe@linkedin.com address that gmail uses to opt you out when you flag it as spam.

Re:

[Anonymous Coward]

I've never had LinkedIn and I get tons of requests for people to join my network. LinkedIn just spams anyone, member or not.

Re:

[evilviper]

LinkedIn spams the whole planet, it has nothing to do with you being a former user. Until recently there was NO WAY to opt out of the spam without CREATING an account. However, Gmail figured it out and will generate an email to list-unsubscribe@linkedin.com if you report it as spam.

Re:

[account_deleted]

Comment removed based on user account deletion

It's the Hacker's family I feel sorry for.

[gijoel]

As they're going to be spammed to join linkedin for the rest of their lives.

Who cares ?

[LordHighExecutioner]

All my linkedin profiles are filled up with counterfeited data, just like 99% of other user profiles.

Re:

[OffTheWallSoccer]

All my linkedin profiles are filled up with counterfeited data, just like 99% of other user profiles.

What's the point of having a LinkedIn account (let alone multiple accounts) if you defeat the purpose of letting others find you to see if you are interested in a job?

If you network at all (which is the best way to find a job or find someone to hire), then a site like LinkedIn helps with that.

Re:

[Reziac]

Exactly.

Also, LinkedIn has been rather less annoying than the alternatives. I can actually find people there, should I wish. And apparently they can find me. Nearly all have been people I know -- not getting the who-the-hell?? so common in followers elsewhere.

Google Crawler

[zifn4b]

Next thing you know, Google will be sued for crawling the internet with its automated spider to keep a database of sites you can search for. Some people just don't understand how the internet works. If you put stuff up on a billboard with blinky neon lights, people are going to see it. That's why you don't put your personal info on one.

They can have it

[thundercattt]

LinkedIn has gotten away from what it was meant for. Now it's just someone posting "mind puzzles" or links to "do it your way" posts. Or Recruiters who get your info, with no jobs available and show how big their stable is to potential companies. Job hunted on there for a year, used their premium. Not even a phone call.

Intelligence Collection?

[tmjva]

Of course if data collected was during the course of a country's open source intelligence collection op. It would be perfectly lawful. So who could they sue in such cases? Domestically that would be unlawful. (They would have to defer to a closed source, muaahahahahaaaaa!)

Re:

[93 Escort Wagon]

Congratulations an figuring out how to use whois! You're well on your way to becoming a Linux Ninja!