Collected data makes it easier for spammers, phishers and stalkers
Data scraped from about 700 million LinkedIn profiles — more than 90% of the entire declared LinkedIn member base — is being offered for sale in an online cybercrime marketplace.
The data includes full names, workplace email addresses, dates of birth, workplace addresses, mobile phone numbers, Facebook and Twitter IDs and links, job title, regional location and, in some cases, specific GPS coordinates — all of which appeared to be publicly accessible on LinkedIn profile pages.
Anyone who provided who provided all that information on their LinkedIn page is likely to get more spam, be the target of phishing attempts and perhaps even be at greater risk of identity theft. More significantly, many of the entries contain very specific GPS coordinates that may reveal where a LinkedIn user lives, which could be useful to stalkers and burglars.
The solution, as always, is to give LinkedIn as little information about yourself as possible, and to prevent the LinkedIn app — or any social-media app — from accessing your GPS data on your phone.
What you can do to protect yourself
You can avoid being swept up in the next data scrape by providing only the minimum amount of information required to maintain a LinkedIn account, or in fact any social-media account.
Also be sure to go into your phone’s settings and deny social-media apps access to your GPS coordinates.
Android Users: Settings > Apps & notifications > App permissions > Location – Always, Sometimes, Never have access to your location.
iOS Users: Settings > Privacy > Location Services – Always, Sometimes, Never have access to your location.
GPS data exposed
However, quite a few entries contained specific geographic coordinates, certainly many more than had provided email addresses or phone numbers.
It may be that those users used the LinkedIn mobile app and were not aware that the app could have grabbed their GPS data at the moment and uploaded it to LinkedIn servers.
The geographic coordinates were pretty easy to translate into map locations by copying and pasting the coordinates into Google. We found locations in New York City and Brazil, on the side of a road in rural France and in various cities in India.
More alarmingly, we found coordinates that zeroed in on specific addresses in the Boston suburbs and in a small town in Wisconsin. Individual houses were singled out and visible in Google Street View and the houses’ full addresses displayed. Names were attached to each of those listings.
That’s pretty serious! It means you or I could drive to those houses, pound on the doors and ask for the residents by name — all because of data that was publicly accessible on LinkedIn.
If anyone whose home address could be located with this data also happened to provide their date of birth along with the required full name, then an identity thief could try to use those three pieces of information to fraudulently open accounts in that person’s name.
What we found in the scraped data
Thanks to Tom’s Guide (www.tomsguide.com), they looked at the smallest sample of the scraped LinkedIn data, the only sample size that didn’t require registration with a dodgy website. We found that while all 443 entries provided in the sample contained LinkedIn users’ full names and LinkedIn IDs, URLs, usernames, most users voluntarily provided nothing else besides their general geographical location, i.e. a country, city or state. It appears most users knew well enough to give LinkedIn nothing but the bare minimum needed to maintain an account. Only about 7.5% of users in the data sample included a workplace email address. Personal email addresses were not asked for. Very few people provided mobile phone numbers, and we could find only one in the first 100 entries.
Second time this year
This incident comes just a few months after a separate incident that saw the posting of data collected from 500 million LinkedIn user profiles.
“We cannot be sure whether or not the records are a cumulation of data from previous breaches and public profiles, or whether the information is from private accounts,” said Privacy Sharks, a website that analyzed a sample of the new data. “Considering that there are 200 million new records available, it is likely that new data has been scraped.”
The person selling the data goes by the name TomLiner and posted a sale notice on the Raid Forums website, which is open to the public, on June 22. He or she is offering samples of various sizes, ranging from 1 million records to just a few hundred.
Another website that analyzed samples, Restore Privacy, said TomLiner told them the data had been scraped using LinkedIn’s own API, or application program interface, a tool that lets your computer quickly interface with a website’s server. LinkedIn’s own website declares that it has 756 million users. If this stolen data really amounts to 700 million users, that’s about 92.5% of LinkedIn’s entire user set. If you have a LinkedIn account, then your data is probably part of this.
Data breach or not, your information is still exposed
In other words, this isn’t technically a data breach, and no hacking was involved, just as happened with the 500 million LinkedIn profiles scraped a few months ago. Then as now, LinkedIn absolved itself of responsibility in a statement to Privacy Sharks: “This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.” It also isn’t as bad as the 2012 LinkedIn data breach that revealed the private information of about 117 million LinkedIn users, including their personal email addresses and their poorly encrypted passwords. Even Facebook founder Mark Zuckerberg had his email address and password exposed in that one. Still, that’s going to be small comfort to the people who trusted LinkedIn to guard their data. As privacy expert Melanie Ensign said in a recent opinion piece for Tom’s Guide, “plenty of harm can be done with information that companies force users to share in public profiles.” “Whether the data was stolen, leaked, or scraped, the result for consumers is the same,” Ensign added. “Their privacy was violated by a company they thought they could trust.”