Mere days after news broke of a data leak that impacted more than half a billion Facebook users, another massive batch of people’s personal information is being offered for sale on a hacking forum. This time around, the treasure trove of data originates from LinkedIn, although the social networking site says that the records don’t come from a data leak or a breach of its systems.
According to Cybernews, which broke the story, an unidentified individual claims to have scraped information from 500 million LinkedIn accounts, which is no less than two-thirds of the site’s entire user base. The leaked information, which is up for grabs in an auction with a minimum four-digit asking price, allegedly includes a wide range of data.
To boost the veracity of their claims, the hacker posted a sample of some two million records that includes users’ LinkedIn IDs, full names, email addresses, phone numbers, gender, workplace information, and links to their social media profiles among others. Interested parties can view the leaked samples for as little as US$2.
The Microsoft-owned social network, however, disputes that all of the information came solely from them. “This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review,” reads the statement by LinkedIn.
“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies,” said LinkedIn. However, the site did go on to confirm that the database includes information from publicly viewable member profiles, which may have been scraped from its website.
It remains unclear whether the data that is being offered for sale is up-to-date or was collected from a previous data breach suffered by the professional social network and other companies.
And, as ESET Chief Security Evangelist Tony Anscombe astutely noted, most information obtained from data breaches doesn’t really diminish in value over time, which means sufficiently motivated threat actors could abuse it for all manner of attacks. This includes targeted phishing campaigns and social engineering attacks or the leaked data could even be used to perpetrate identity theft.
To mitigate the chances of falling victim to enterprising cybercriminals, LinkedIn users would do well to double down on their security. Most of all, be wary of unsolicited messages from strangers that contain suspicious links or attachments. If you suspect that your data might be part of the leak, consider changing your password, or better yet use a password manager that will generate a hard-to-crack password for you. Enabling multi-factor authentication, ideally using a hardware token or a mobile app, is also strongly recommended.