On June 22nd, a person that goes by online username TomLiner stated that he was in possession of the data of 700 million LinkedIn users. This post was put up by TomLiner on a popular hacker forum RaidForums, which included the data of 1 million users as a sample for proof. This news comes only 2 months after the data of 500 million users was put up for sale on another hacker forum after a data-scrapping incident. LinkedIn is another major organization to fell to such a data breach after the likes of Electronic Arts and Volkswagen, in recent months.
LinkedIn data leak: what we know so far
The news of the latest leak was first disclosed by analysts from Privacy Sharks, who also analysed the “free sample” provided by TomLiner. In their article, they confirmed that the sample records include full names, gender, physical and email addresses, geolocation records, phone numbers, and also industry information. Over the years LinkedIn has grown into a major platform for professionals in any field or profession. Following the first data breach in April, this one is now considered the largest data breach that LinkedIn has faced. The platform’s total user base consists of 756 million people, meaning 92% of LinkedIn users have been affected by the latest leak.
What is the LinkedIn data that was leaked?
As per a statement by LinkedIn, the April data breach consisted of an “aggregation of data from a number of websites and companies, as well as publicly viewable member profile data”. However, they also claim that there was technically no breach as such since no private information was stolen.
A blog article from RestorePrivacy claims that they conducted an analysis of the latest leaked data and cross-referenced them with other publicly available information. They have ascertained that the data from the sample records are authentic, meaning all the information is tied to real LinkedIn users. The sample includes records from 2020 and 2021 as well, meaning that the leaked data is up to date. The article goes on to say that, even though they did not find information like login credentials and financial data, the available information is enough for bad actors to exploit.
RestorePrivacy even managed to reach out to the seller directly regarding the data. TomLiner claims that the data was obtained by exploiting the LinkedIn application programming interface (API) to harvest information that people upload to the site. However, LinkedIn have stated that, not all the information could have come from their API and is likely to be obtained from other sources as well.
What this means for LinkedIn users
As mentioned before, considering that the leak does consist of 700 million LinkedIn Users’ data, this makes up 92% of the platform’s user base. The leaked information does pose a threat to the affected users if it reaches the wrong hands. Affected users may be subject to spam email campaigns, potential scams, or even identity theft. Even though a lot of critical information is not a part of this data leak, doesn’t mean they cannot be accessed through the information available.
“Members trust LinkedIn with their data, and we take action to protect that trust. Any misuse of our members’ data, such as scraping, violates LinkedIn terms of service. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”
via the LinkedIn Statement on April 8th.
Even though LinkedIn claims that no “private data” was leaked, it is unclear as to what exactly they mean by that specific term. They have also suggested that both the April leak and the latest one are not “technically” data breaches. The language of their statement can be a little confusing considering that they also haven’t denied that data was not harvested from their servers. Even though the leaks cannot be considered a ‘data breach’ in the traditional sense, the leaked information is still a gold mine of information for threat actors.
This leads us to the question- how much privacy should users expect from social networking sites like LinkedIn?