The 22 June LinkedIn hack exposed 700 of its 756 million users – 92%. The Dark Web database is current and available for sale. LinkedIn confirms the breach, but there is more than a bit of confusion over the cause.
A sample of one million records for sale shows it contains:
LinkedIn username and profile URL
Personal and professional experience/background
Other social media accounts and usernames
It does not appear to have passwords, date-of-birth or financial data. Cybersecurity experts say that it is the perfect base for Identity Theft and highly targeted phishing attacks.
This follows the exposure of 500 million of its users’ data in April 2021. A LinkedIn post states, “This is not a data breach, and no private member data was exposed. Our initial investigation has found that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping update.”
In a further update, LinkedIn says the data is authentic. It claims that some of it came from its servers and was combined with other scraped data to complete the package offered for sale.
LinkedIn hack or data scraping – the result is the same
This case is similar to TikTok, where we could ‘query’ the TikTok API and build a user database. It looks like the hackers intercepted the LinkedIn API to gather the information users had uploaded to the site. Cloud applications use core application logic connected to many APIs to deliver data throughout the application. If those APIs are not secured, they are exposed to risk, especially through vulnerabilities in the API code or API calls that are not rate-limited. That can lead to a large-scale database leak, as we see in the LinkedIn case.
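As an added illustration of the scraping risk described above (this is not code from the article or from LinkedIn), the following Python checks a constructed API access log for two signs of bulk profile harvesting: a client exceeding a request budget inside a time window, and a client walking profile ids sequentially. The log format, API key names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample API access log (hypothetical format, not real LinkedIn data):
# ISO timestamp, API key, method, path. Key app-7f31 walks profile ids in order.
SAMPLE_LOG = """\
2021-06-22T10:00:00Z key=app-7f31 GET /v1/profile/1001
2021-06-22T10:00:01Z key=app-7f31 GET /v1/profile/1002
2021-06-22T10:00:02Z key=app-7f31 GET /v1/profile/1003
2021-06-22T10:00:03Z key=app-7f31 GET /v1/profile/1004
2021-06-22T10:00:04Z key=app-7f31 GET /v1/profile/1005
2021-06-22T10:00:00Z key=app-c2d9 GET /v1/profile/4821
2021-06-22T10:00:30Z key=app-c2d9 GET /v1/profile/77
2021-06-22T10:01:10Z key=app-c2d9 GET /v1/profile/4821
"""

LINE_RE = re.compile(r"^(\S+) key=(\S+) \S+ /v1/profile/(\d+)$")

def parse_log(text):
    # Return a list of (timestamp, api_key, profile_id) tuples; skip malformed lines.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def flag_scrapers(events, max_per_window=4, window_s=60, min_enum_ratio=0.8):
    # Flag keys that exceed a per-window request budget or walk ids sequentially.
    by_key = defaultdict(list)
    for ts, key, pid in events:
        by_key[key].append((ts, pid))
    findings = {}
    for key, reqs in by_key.items():
        reqs.sort()
        # Sliding window: largest number of requests inside any window_s span.
        peak, start = 0, 0
        for end, (ts, _) in enumerate(reqs):
            while (ts - reqs[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        # Enumeration: share of requests whose id is exactly the previous id + 1.
        steps = sum(1 for a, b in zip(reqs, reqs[1:]) if b[1] == a[1] + 1)
        ratio = steps / (len(reqs) - 1) if len(reqs) > 1 else 0.0
        reasons = [why for hit, why in (
            (peak > max_per_window, f"{peak} requests in {window_s}s"),
            (ratio >= min_enum_ratio, f"sequential id walk ({ratio:.0%})")) if hit]
        if reasons:
            findings[key] = reasons
    return findings
```

Run on the sample, only app-7f31 is flagged, for both the burst and the sequential walk; a real deployment would feed these findings into rate limiting or key revocation rather than just reporting them.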
What to do if the LinkedIn hack affects you
First, access your LinkedIn account and change your password. It may help protect your LinkedIn account against brute-force password attacks. You should also review your privacy settings to limit what the public can see.
Second, go to Have I Been Pwned. You can safely enter your email address to see if it is part of any Dark Web database. If your email is there, change your password immediately and then regularly. You can also check whether your password has been exposed: go to the Passwords tab.
Third, be ultra-cautious of phishing attacks. Don’t open any attachments or links unless you are absolutely sure that the email is legitimate.
Finally, there is personal data hygiene. Ten tips include:
Get a junk, disposable email address that you use for all social media and online forum interactions. Never use your work or private email address if there is any risk.
Get a ‘junk’ credit card for online use. Make sure it has a low limit so that you can’t lose too much if it is compromised, or use PayPal where possible.
Never store passwords, account information and secure ID such as your passport and driver’s licence on your computer or in email contacts. Make sure you put them in a secure vault like LastPass.
Don’t overshare on social media: partners’ and pets’ names, holidays, anything that can help identify you.