An unknown user has the information of over 700 million LinkedIn users for sale on the notorious hacker forum RaidForums.
The dataset, consisting of geolocation data, phone numbers, physical addresses and inferred salaries, is reportedly being auctioned off for a 4-digit bitcoin sum.
If you’re feeling a bit of deja vu, don’t worry, it’s not just you. An extremely similar attack hit LinkedIn just back in April, when the data of 500 million of its users was scraped and posted online, prompting a governmental probe.
With this in mind, the big question is where this data came from. Was it scraped directly from the current site, or was it from the former breach?
Well, LinkedIn has publicly stated that it’s a mix of the two, saying that “initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources.”
Regardless of how the data was stolen, RaidForums remains one of the most notorious data marketplaces in the world with documented links to the dark web.
This remains a huge problem for the 700 million people whose details are being sold, and should flash warning bells for businesses.
Why should it, I hear you say? It's overwhelmingly scraped data, not private data. This is data which anyone can access and see online.
The issue here is not this public information being seen. It's about who is seeing and curating it. It is about this data being listed and sold on criminal platforms where hackers and scammers reside, packaged up as perfect material for phishing.
Phishing is an online scam where criminals use email, advertisements, or text messages to impersonate legitimate people or organisations in order to steal sensitive data.
It's also one of the most common ways in which big security breaches occur.
With a package of scraped data from LinkedIn, the process of phishing your employees is made so much easier. Scammers can home in on your employees' email addresses, peppering their scams with personal information that heightens believability and authenticity. Scammers have even reached out to working professionals on LinkedIn and used fake employment opportunities to steal their private data.
Criminals having an email address alone should cause concern, as it allows them to attempt to brute-force your employees' passwords. Given the lax password hygiene of many employees, that reality puts your company at serious risk.
It was only last month that an Edinburgh mental health clinic had their data exposed because an employee fell prey to an email phishing attack. Events like this happening so close to home should alarm us all.
This is especially true since the legal consequences for scrapers are still a work in progress. While the US Supreme Court has scrapped the 2019 decision that ruled LinkedIn scraping legal, the case is now being heard in court again, meaning we all have a while to wait until there are established legal ramifications for scraping data from the site.
For now, it's up to companies to protect themselves against the consequences of this scraping when it comes to phishing.
The biggest way this can be done? Through education: investing in teaching your employees about phishing, the risks involved, and how to maintain a security-first mindset.
For many professionals it's easy to dismiss the ramifications of scraping. But in the long term, seemingly benign incidents like this can fuel forms of criminal social engineering that threaten the security of your business.