700 million LinkedIn records were listed for sale on a hacking forum on June 22, 2021 by an individual who calls himself GOD User TomLiner. A sample of 1 million records has been made available as proof that the offer is genuine. The sample records include the full names of LinkedIn users, phone numbers, genders, email addresses, and job information.
This is not the first time that a multi-million record batch of LinkedIn user data has been listed for sale. In April this year, a batch of 500 million records was listed for sale, which included data aggregated from other websites and companies. In that case, the records were publicly available and appeared to have been scraped from LinkedIn and other websites. That appears to be the case with the latest batch of data as well. LinkedIn has issued a statement saying its systems have not been breached, but an investigation is underway.
“This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected,” said LinkedIn.
The listing was identified by researchers at Privacy Sharks. “We cannot be sure whether or not the records are a cumulation of data from previous breaches and public profiles, or whether the information is from private accounts,” explained Privacy Sharks in a recent blog post. “We employ a strict policy of not supporting sellers of stolen data and, therefore, have not purchased the leaked list to verify all of the records.”
Given the size of the dataset, the researchers believe this batch of data includes the 500 million records contained in the previous list, with a further 200 million records subsequently scraped from LinkedIn or other websites.
While there does not appear to be highly sensitive private data such as financial information in the dataset, there is considerable potential for misuse. The dataset includes email addresses and information that could be used to create convincing spear phishing emails. Telephone numbers are also included, so in addition to phishing, the data could be used for vishing (voice phishing) campaigns or a combination of the two. Privacy Sharks researchers also warned of possible brute force attacks using the email addresses to guess weak passwords.
While this does not appear to be a LinkedIn data breach, it would be wise to change your LinkedIn password, enable two-factor authentication, and ensure any weak or reused passwords are changed.
Setting a unique and complex password for each account is an important security best practice. To make this manageable, consider using a password manager solution. Password managers, Bitwarden for example, can automatically generate secure, difficult-to-guess passwords, and will store those passwords securely in a vault. Users then only need to remember one complex master password.