In a recent security incident, a hacker operating under the alias USDoD leaked a database containing the personal information of over 35 million LinkedIn users on BreachForums.
BreachForums has reemerged online with a new domain under the control of the notorious hacking group ShinyHunters.
This leak follows a string of similar incidents involving scraped LinkedIn data, raising concerns about the platform’s security and privacy practices.
Key Details
- The database, 12 GB of uncompressed raw data, was leaked in two parts: one containing 5 million user records and another containing 35 million records.
- The data predominantly comprises publicly available information from LinkedIn profiles, including full names and profile bios.
- While no passwords were included in the leak, millions of email addresses were exposed. This includes email addresses belonging to high-ranking US government officials and institutions, as well as various government agencies worldwide.
LinkedIn Data Breach Impact on Users
The leaked data includes a trove of personal information, including:
- Full names
- Email addresses
- Phone numbers
- Employer names
- Job titles
- Skills
- Workplace information
- Links to LinkedIn profiles and other social media accounts
- Professional titles and other work-related data
This information can be used by attackers to launch a variety of malicious attacks, including:
- Phishing attacks: Attackers can use the leaked data to send targeted phishing emails and text messages that appear to come from legitimate sources, such as LinkedIn or a user’s employer. These emails and text messages often contain links that, when clicked, will take the victim to a fake website that looks like the real website. Once the victim enters their login credentials on the fake website, the attackers can steal them.
- Spamming: Attackers can use the leaked data to send spam emails and text messages to millions of people. These spam messages can be used to promote scams.
- Brute-forcing passwords: Attackers can use the leaked data to try to guess the passwords of LinkedIn users and other online accounts. They can do this by using a computer program to try millions of different password combinations until they find the correct one.
- Targeted advertising: Your leaked data can be used to create detailed profiles of you, which can then be used to target you with personalized advertising. This can include ads for products or services that you are more likely to be interested in, as well as ads for scams or other malicious activities.
Even if your password was not leaked, you are still at risk from this data breach. This is because attackers can combine the leaked data with other information that is publicly available online, such as your date of birth and home address, to create detailed profiles of their potential victims.
Previous LinkedIn Data Breaches
One such event that shocked the professional networking community was the LinkedIn data breach of May 2016. While years have passed, understanding the specifics of this incident remains crucial for maintaining comprehensive online security.
While initially thought to affect only 6.5 million users, the true impact of the breach was far greater. In May 2016, it was revealed that data from 167 million LinkedIn accounts, including email addresses, hashed passwords, and LinkedIn member IDs, were compromised.
This data was stolen in a 2012 breach and later resurfaced online, putting the personal information of millions at risk.
April 2021: Cyber criminals have scraped and sold the personal data of 500 million LinkedIn users. This massive data breach is just the latest in a string of cyberattacks targeting major social media platforms.
June 2021: A hacker sold a scraped LinkedIn database containing data of 700 million users.
What can you do to protect yourself?
- Change your LinkedIn password regularly. Choose a strong password that is at least 12 characters long and includes a mix of upper and lowercase letters, numbers, and symbols.
- Be careful about what information you share online. Be mindful of the information you post on social media and other online platforms. Don’t share your date of birth, home address, or other sensitive information publicly.
- Be aware of phishing scams. Don’t click on links or attachments in emails or text messages from people you don’t know. And be wary of emails that appear to be from legitimate sources, such as LinkedIn or your bank.
- Enable two-factor authentication (2FA) on your LinkedIn account. This will add an extra layer of security to your account and make it more difficult for attackers to break in.
- Be cautious with third-party applications: Only grant access to your LinkedIn profile to trusted third-party applications after carefully reviewing their terms and conditions.
- Report suspicious activity: If you notice any unusual activity on your account, contact LinkedIn immediately.
In addition to the 500 million confirmed leaked profiles, an additional 327 million profiles have been found for sale on a hacker forum. This means that the total number of affected users could be as high as 827 million, which exceeds LinkedIn’s actual user base.
The data breach is still under investigation, and it is not yet clear how the attackers were able to access all of this data. However, it is believed that they may have used a technique known as “web scraping” to collect the information.
This data breach is a stark reminder of the importance of protecting your online privacy. By following the tips above, you can help to protect yourself from becoming a victim of a cyberattack.