Hackers Scraped Data from 500 Million LinkedIn Users -- and Have Posted it For Sale Online

Data from 500 million LinkedIn users has been scraped and is for sale online, according to a report from Cyber News. A LinkedIn spokesperson confirmed to Insider that there is a dataset of public information that was scraped from the platform. From a report: "While we're still investigating this issue, the posted dataset appears to include publicly viewable information that was scraped from LinkedIn combined with data aggregated from other websites or companies," a LinkedIn spokesperson told Insider in a statement. "Scraping our members' data from LinkedIn violates our terms of service and we are constantly working to protect our members and their data." LinkedIn has 740 million users, according to its website, so the reported data scraping of 500 million users means about two-thirds of the platform's user base could be affected. The data includes account IDs, full names, email addresses, phone numbers, workplace information, genders, and links to other social media accounts.

Oh great

[OrangeTide]

Am I going to get even more recruiters contacting me out of the blue? Maybe they'll at least have accurate information on my field of expertise.

Posing as fake recruiters?

[shanen]

Why the meaningless subject? Not a bad angle for FP, though I think the fake recruiters are probably the worst thing about LinkedIn.

But the responses from LinkedIn "support" about the fake-recruiter problem were almost hilarious. And I still don't know how much or what kinds of personal information the fake recruiters were able to harvest.

the subject?

[OrangeTide]

It's a sarcastic exclamatory phrase.

No, the #1 annoyance is LinkedIn Premium trials

[shanen]

So I went over to LinkedIn and got another fake personal invitation for the free trial of LinkedIn Premium service. Came from the same Liza Smyth (if that IS her real name) who sent me the last one. I actually sent a detailed reply of what I would want from LinkedIn before sending money.

Shucks and darned, turned out LinkedIn doesn't even listen. Just for grins, here it is:

If you're going to send me 'personalized' ads, then you should not force me to search for you for the case where I have a personal reply. And I have an extremely personal reply this time around.

Maybe you can call it bad timing or maybe you should look at it as an opportunity to offer an ad that would actually be attractive?

I just had an exchange with LinkedIn "support". I do not have enough information to know for sure, but I suspect that you may have *GASP* imposters here on LinkedIn. Maybe the "support" people on the LinkedIn side already have enough information to assess the danger? Or maybe we could even compare notes, especially regarding the supplemental information from Facebook that might be supporting the scam, so together we could figure out what is going on here? Identity theft? Industrial espionage? Maybe even politically motivated? Various other possibilities, but one obvious answer: LinkedIn could not possibly care less.

Bad way to build a trusting relationship. At this point I think there is ZERO chance LinkedIn will ever get a nickel from me. You don't have a mountain of trust here. You don't even have a molehill of credibility. LinkedIn's reputation is at the bottom of a really deep hole and you just keep digging away.

I can't speak for other people, but I don't think I'm unusual. Maybe a bit more verbal than average? But I can make three constructive suggestions that might justify paying some money to LinkedIn. But given what I think of your reputation... Well, I'll throw 'em out anyway.

(1) Premium membership could included enhanced security. Most obvious would be support for a challenge-and-response protocol to help detect imposters. Old suggestion, but basically a pre-link warning with shared memories going each way. (But right now I can't imagine that anyone working for LinkedIn understands anything significant about computer security.)

Continued in next message because of the stupid and arbitrary character limit.

Can't remember now, but I'm pretty sure the (2) would have been about the financial model. Specifically, I want a recruiting website where the financial incentives are balanced between employees and employers. If most of the money is coming from employers, then of course the website is going to favor the employers and wind up screwing the employees. If too much of the money comes from the employees, then it could go the other way, though I have never detected any trace of a website like that. My theory is that LinkedIn is way over on the employers' side, and the unattractiveness, even ugliness, of the Premium ads is evidence of that.

Re:

[tlhIngan]

Am I going to get even more recruiters contacting me out of the blue? Maybe they'll at least have accurate information on my field of expertise.

I'd be happy if the recruiters would even try. I've had plenty come after me for a position when they reveal is seriously underpaid for even my current position (and I'm getting paid under the average).

I've had one badger me a bit for a while, couldn't seem to figure out that I don't want to make 2/3rds of what I'm getting now.

Re:

[OrangeTide]

A lot of times positions that are well below market value for a region are there to allow a company to sponsor a work visa. They can demonstrate that they didn't have any citizen or permanent resident applying for an "advertised position" and turn around and have the role filled through a foreign contracting service.

It's super shady, but as far as I know nobody has gotten busted for doing it. It's one of those times where they follow the letter of the law but not the spirit. It seems to be pretty common pra

Re:

[Gruntbeetle]

From the fine article at BusinessInsider:

"Paul Prudhomme, an analyst at security intelligence company IntSights, told Insider that the exposed data is significant because bad actors could use it to attack companies through their employees' information."

They're not interested in you specifically, They're looking at you as a spear-fishing tool - that's all.

terms of service

[jm007]

is not a contract, as far as I can tell; any lawyers to chime in?

also, isn't "....constantly working to protect our members and their data.... " just an admission of their failure; do users who sign up have a similar 'terms of use' expectation that LinkedIn failed to deliver?

if you leave the door wide open, complain all you want about bad guys coming in and taking stuff.... but at what point was it LinkedIn's responsibility to safeguard the valuables? from a user's pov, where does the culpability belong?

Re:

[Sique]

No, but the ToS are part of the contract you (or anyone using LinkedIn) have with the company.

Re:

[jm007]

that's my point.... are these scrapers users that have a contract? just visiting a site doesn't constitute a valid contract, no matter what the company desires, unless I hear from a lawyer otherwise

and just visiting a publicly accessible site via API or browser or whatever to gather data seems like a hard sell to make it criminal; now, if to access the data that had to sign a contract and agree to terms 'officially' then yes, that's a different story

so does anyone know more from a legal pov?

Re:

[Sique]

They have, if they have an account with LinkedIn.

Re:

[jm007]

so let me get this straight....

if they have an account with LinkedIn, then they agreed to a ToS

and all the other points brought up.... is that all you have to add?

Me: do you know the way to the supermarket?
Sique: yes, it's how you get to the supermarket
Me: can you give me the directions?
Sique: yes, of course, that's how I get there myself
Me: let's try another tack... do I head north, south, east or west?
Sique: yes, you'll have to leave this spot to get to the supermarket

something to think about

Re:

[CubicleZombie]

also, isn't "....constantly working to protect our members and their data.... " just an admission of their failure;

If you make too many requests to Google's map tile servers, they'll blacklist your IP address for a couple of weeks. Too bad LinkedIn didn't do something similar.

Tip: Don't put your phone number on ANY job board.

Re:

[Richard_at_work]

In 2019, LinkedIn lost a case [uscourts.gov] and were required to not prevent a data scraper, HiQ, from scraping LinkedIn public data. Not really any decent way to allow one scraper and block others without stepping on the injunction in that case...

So blame the courts for this one.

publicly viewable information

[vinn01]

I smell BS. .... "account IDs, full names, email addresses, phone numbers,..." is not publicly viewable information.

Re:

[xwin]

It actually depends on your account settings. You can make most of your account information visible or you can make very little visible. Personally I am not that worried about "hackers" scraping my information. Google does it all the time. If you can search for your name in google and get some results, that is what these "hackers" did. It would be nice to prohibit people from posting my information, but that ship is sailed with the invention of the phone book.

I Don't Understand

[SlashbotAgent]

I don't understand the issue. Isn't the information all viewable by anyone with a free signup?

Why would anyone buy scraped data that's freely available?

Levels of information access in LinkedIn

[shanen]

No, there are definitely different levels of access to the personal information on LinkedIn. The attackers certainly didn't want to take the time to request 500 million links from the targets. Based on my observations, I think the most likely mechanism involved fake recruiters and the wording about "publicly viewable" is a red herring based on including "fake recruiters" as part of the public. LinkedIn is heavily infested with fake recruiters and does not care. (Optimistic view: "... did not care until now.

Re:

[RelicDerelict]

Exactly this. Let's say you signed up with 5 different sites and on every site you disclose just a little. Together with this pieces from all this sites they can make bigger picture, like puzzle. Add digital fingerprints, trackers and all this scumbaggery and unless you are using fake names they have you in database already. It is almost impossible in certain professions to be without social media. What three letter agencies had 20 years ago is nowadays available to every scumbag on this planet. This scumb

Re:

[shanen]

Basically concurrence, but in terms of solutions I think it should involve two principles: (1) My personal information should belong to me, which implies my knowing what it is, where it is, and what is done with it. (2) If anyone is making a profit from selling my personal information, then I should be entitled to a cut. (That could actually be a marketing point.)

Re:

[Voladizo]

Because it's easier than scraping it yourself

Re:

[UnknownSoldier]

> Why would anyone buy scraped data that's freely available?

Convenience.

scraped or hacked?

[superwiz]

Or is scraping "hacking" now?

Re:

[TeknoHog]

Back in the 00s I wrote a script to play an online game, using actual screen scraping with screenshots and image detection. The game was one of these simple reaction games with four light buttons. The winner would get a PS3, and I did get the highest score with my 24/7 gaming script, but I was disqualified, though they never explained why. Of course there were rumours about hacking.

Later I used a similar script for another game on that site, with several small prizes, and my 1337 programming skills nette

500M = 1 Standard Leak

[markana]

Hmm... FB -500M+ leaked. LinkedIn - 500M leaked. I think we should declare 500 million records in a single dump as 1 Standard Leak.

I guess Twitter is up next?

Re:

[phantomfive]

A dump is usually bigger than a leak in my experience. At least, it's more solid and meaningful.

adding phone numbers -No more !

[entropyfoe]

Every time I log into linkedin (or any other site now) they ask if I want to add my phone number for "security" of so I don't get locked out of my account. With their concern for MY security and seeing how they keep things secure.. Hell NO ! No more identifying information to you.

No private data leaked?

[chipperdog]

From TFA: "the posted dataset appears to include publicly viewable information ...", so really no worse than a misbehaving search engine might find? Correct me if I wrong...

Social media

[AlexHilbertRyan]

The shite keeps on giving.

which wouldnt happen to be

[KingBenny]

owned by the same Crotter Inc. with the super-safe exchange systems who will gladly provide you a de-centralized ID in co-op with your local digibetus government official, which will be absolutely safe, non-falsifiable and definitely managed by crotter inc to make sure you cant present yourself as not you while you move between supermarkets. LinkedIn huh? thats about as far from my world as a ticket to mars