Bad actor offers up for sale data from 600 million LinkedIn members scraped from the site

Cyber News reports that this is the third time in four months that member information has shown up on a hacker forum.


A data set including information from 600 million LinkedIn users showed up for sale on a hacker forum this week. That’s the third time in four months that scraped data from the networking site has been offered up for sale, according to a report from Cyber News.

The data is all publicly available, such as full names, email addresses, links to social media accounts and other information from LinkedIn profiles. 


Scraping data and collecting it in one place is not as serious as a data breach. A breach typically exposes private data, such as Social Security numbers and account information, that is covered by privacy protections and disclosure rules. However, credential stuffing is one of the most common cybersecurity attacks. As Scott Matteson explained in an interview with a security expert:

“Credential stuffing is the weaponization of stolen credentials (usernames and passwords) against websites and mobile applications. Lists of credentials stolen from one website are tested against other websites’ login pages to gain unauthorized access to accounts, in order to commit fraud.” 

In its 2021 State of Security Identity report, the firm Auth0 found that credential stuffing accounted for 16.5% of attempted log-in traffic on its platform. This bad actor activity reached a peak in March at more than 40% of traffic, as Jonathan Greig reported for ZDNet. 

Proofpoint recently reported that a threat actor linked to the Iranian government has been targeting researchers who specialize in the Middle East with credential phishing attacks.

People affected by a data breach have some legal recourse against the company that suffered the data breach, but the rules about data scraping are not as clear-cut. In 2016, LinkedIn sued hiQ Labs for scraping data from the networking site, arguing that this activity was a violation of the Computer Fraud and Abuse Act. LinkedIn lost the case when the US Ninth Circuit Court of Appeals ruled that data that is publicly available is not protected by the CFAA. 

TechRepublic contacted LinkedIn for a comment on the latest set of scraped data. The company did not respond.

In response to another scraped dataset that showed up in June, LinkedIn said that no private data had been exposed. Scraping data violates the company’s terms of service. The company also said, “When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”
