If someone merely knowing your phone number is a security risk that really seems like a flaw that should be addressed with the phone system and not by treating the numbers like sensitive information.
True, but whether or not it should be or not doesn't change the fact that it is the current state of the US.
And it's not really just the phone number, but the combination of personal info that allows for social engineering - without having the existing customer confirm the transfer.
I've seen worse. All you need to use a credit card is the number printed on it and still we hand it to strangers to run off with for 3 minutes like nothing.
There was a time when there were whole books of said numbers and it wasn't a security risk. We've definitely gone wrong with our assumptions somewhere.
That's fair and for many it's not good at all - I was speaking strictly for myself. I didn't link my account to any other social media, nor did I put a phone number on there.
Where are all the folks who were complaining about the LinkedIn anti-scraping court case destroying the open web? This is what LinkedIn is fighting against.
> Where are all the folks who were complaining about the LinkedIn anti-scraping court case destroying the open web? This is what LinkedIn is fighting against.
I find comments of the form "where are all the folks who were complaining..." to be tiresome. Asking "where are all the folks" suggest that "all the folks" don't exist because... you don't see them on Hacker News? ... because ... you want to make a dig at LinkedIn? ... because [reasons]?
Unless I'm missing something (let me know), this comment seems like a rant based on speculation. Why believe a hacker who says they got this from scraping?
I'm not defending LinkedIn, to be clear. I'm asking for more {elaboration, logic, specificity} and less rhetoric in the comments here.
Scraping the open web is NOT the same as accessing privileged APIs to collect private information. If LinkedIn made their pages accessible to anyone as a sort of public service (as they used to), people would think twice what data to put on there.
The problem is the same as with Facebook: they pretend the data is private and secure, then let people siphon it away. Public and private networks are both fine, but huge corporations trying to mix both usually end up with the worst of both worlds.
But is this really a problem? LinkedIn is "advertising for yourself", presumably to get a job. With the exception of my phone number, I'm ok with the world knowing this information about me. It's the equivalent of a phone book and I'm putting myself out there and advertising myself in the hopes of getting a job.
I feel like the lines between a data leak and large scale scraping are getting blurred. At least in their impact for the user. Which is a bad thing as it will support the "so what" attitude that many people have toward their data.
It is a fact that all this data is already being crawled by bot nets.
If all data is leaked at once, this is similar to a large scale successful crawling of the site. At least from a user perspective.
So I get what you are saying. It sounds more dramatic than it actually is.
It is still a massive leak. But from a pool that scummy businesses have been thoroughly scooping from already anyway.
Are these details publicly-available for the scraping though?
I'd be suspicious it was an employee with internal access to the data or someone who had hacked such an employee's computer. Of course they wouldn't admit such criminal act and risk getting caught, they'd claim a route anyone could use.
I have no problem with people accessing my data, but only so long as it's people who have a valid reason to access that data. In the case of LinkedIn, I don't mind my connections, coworkers, and (reluctantly) recruiters seeing what's on my resume. I do mind a random hacker accessing that information, selling it to anyone who'll buy, and those people then using that data for things that probably aren't related to offering me employment.
It’s good to hear that it hasn’t affected you personally, but the severity of the leak must be assessed based on the privacy that was reasonably expected by users. LinkedIn has not met their duty to protect their personal information and that alone is enough to say: yes, it’s a problem.
Yeah I agree that LI hasn't done a great job of protecting their data from being misused. But that's the nature of social networks though, data is to be shared in order to build the network. As another commenter said, just don't put in anything you don't want people to find out. Absolute privacy cannot be achieved when you give out your information willingly. To paraphrase WOPR, "the only way to win the game is to not play."
if you look at the sample image there are data points like "inferred salaries", "inferred years of experience", number of connections (and possibly other stuff) that somebody may or may not have wanted to advertise to the universe.
the leaking of semi-public data (over which we may have some control) alongside "inferred bits" and behavioral data (over which we don't) and combined with other legally or illegally obtained sources means that individuals are facing an information environment where long held assumptions about who knows what no longer hold.
lots of people still don't seem to realize what a crushing downgrade it is in all senses (economic, social, political) to be a transparent, mined entity with no sovereignty
there are many ways to skin this cat if one was motivated enough to put their mind to it... but some suggestions anyway:
never have 700M profiles in one place. decentralization by default - large scale centralization only when absolutely needed and with rigorous controls as a public (or highly regulated) good.
never create portable / tradeable behavioral profiles that can be linked to individuals. what can happen will happen and is happening.
never offer trivial free services in exchange for significant private data. establish a respectful and healthy client/user relation without hidden third parties in the loop
You can also "hibernate" your account to disable it completely until you log in again. I just did this; my go-forward strategy will be to resurface and collect connections anytime I switch jobs, then hibernate it again when I no longer need it. That way it can serve its only real function of being a face for my job applications, and can be made invisible all other times.
Well I can see your point, but this is not exactly the same.
As a thought experiment imagine that someone now builds a website called Linkedout and they post your profile with a layover animation resembling a big red stamp which reads 'Slacker'. I guess you are not OK with THAT information about you.
The article does not explain what info beyond public profiles had been stolen. You can already google search LinkedIn making this data leak very low impact
This is an excellent question/framing. The security model used in the industry right now is insane and doomed to fail, and yet it is relentlessly pushed forth and defended.
Microsoft have never exactly had a reputation of security-conscious developments. However you do have a point: building secure software is close to impossible, and that's why we should build software that collects the smallest amount possible of personal information.
Sorry, but looks like vaporware, and the company (Kalo) seems scammy: broken website, no activity for years even when they claim to have raised millions, etc.
It scrolljacks you from the beginning and shows a lot of cartoon characters and trite phrases.
It doesn't even do anything yet but ask me to join a waitlist. This is supposed to replace a social network with 700 million users?! It looks horrible.
FWIW, I've been scrubbing my social profiles. LinkedIn, Yelp, Facebook, etc.
Barest of bones. Removing all connections, photos, posts, personal details. (I know the damage is already done. The aggregators never really delete anything.)
Why not just out right delete my profiles? I'm squatting. To ensure they're not used as socket puppets.
After a beloved coworker passed, their profile got highjacked. Ten years later, I'm still so angry about it that I could just spit.
I’ve been doing the same. The potential downside risk of having LinkedIn/Facebook/Instagram profiles just keeps growing and growing. I’m a complete ghost on the Internet. I have Google alerts set up for my names and email addresses, and I regularly attempt to docs myself to find any leaks. I also can’t understand why anyone in the public eye doesn’t completely sanitise their social media profiles. The amount of people brought down by 10 year old stupid tweets is insane.
I was going to ask if you said "docs" as in "doxxing" [0] but then a quick Wikipedia search got me to the etymology [1] of "doxxing" which comes from "docs" as in "documents"! TIL
Sort of. Data that is 5+ years old is pretty stale. How many things don't change over that period of time and how can you be sure that they haven't changed? The most valuable things are phone numbers and email addresses. We expect those to be maintained so we can re-establish contact with old friends.
But if you made it a thing to daily post fake things so that the activity looks normal, can you eventually convice the social overlords you are someone else?
Relocate yourself to another city/state/country in your profile. Daily make posts about things occurring in that new location. Make those posts in sync with local time. Of course using a VPN endpoint that correlates.
Why don't you support anything made by Google or Apple?
At this time, we are reliant on both Google and Apple to be listed in their respective app stores. As such, we have been advised that in order to remain in good standing we should not offer support for these services.
How do you scrub your Facebook profile? There aren’t good tools for it. Facebook itself only lets you do it one post at a time in their activity log. Their constant design changes have broken extensions that used to help you do it (https://chrome.google.com/webstore/detail/social-book-post-m...)
I would do this, but my data has been up in social media long enough that I don't believe it makes a significant difference if I superficially "delete" it now. Maybe I'm wrong?
At this point, I just don't add anything new. If they're going to host my content ad infinitum, I might as well use their storage space and bandwidth.
I guess it probably would be worth ditching LinkedIn. There's no good reason why a [worthwhile] prospective employer would require it.
This. The best way to erase social media is to replace the account with a bunch of BS. Most of these companies are too cheap and Zucker's "move fast" culture probably doesn't involve database record versioning. Also because it's expensive. The old
SET _deleted_=1 is pretty much their main ace in the hole to f*k you. Hell, even if they do versioning, just keep filling the profiles with enough noise and they won't be able to filter it all out unless they somehow index and data warehouse your profile from the decrepit old backup. At that point, you are just hoping their schema changes, the logistics, and their bad practices are enough to prevent that from being cost efficient.
I saw someone on here had a program that went in your profile and rewrote all posts with garbage data before you deleted it. Like for Facebook, Twitter, Discord, etc. That way you know their database is filled with junk data. I'd really like to know what that was again so I could peak at it in case I ever wanted to do that.
> I'm squatting. To ensure they're not used as socket puppets.
Good idea. I've noticed more of those popping up. My wife has an Instagram impersonator that constantly spams some kind of essential oils crap or other beauty product snake oil.
I had someone do that to me when I've been -still alive-... just posting the weirdest shit right on other people's pages after adding a bunch of my friends for a cheap laugh.
It was literally just some idiot binging on drugs who thought it was really funny until i ran over to his place and kicked his door in. I had people ask me what the hell that was about for YEARS afterwards. How do you explain to all these people at parties or whatever that you just happen to know stupider people than they do?
A few years back Hotmail/Outlook were returning people's Twitter/LinkedIn handles for emails sent/received. It had been noticed you could scrape that fairly easily at scale. With one email account you could check up to 30000 email addresses before being flagged by Outlook.
Slightly longer ago you could simply iterate 1...n on LinkedIn URLs to find someone's profile, by converting the number to base12, you'd be redirected to the person's public URL.
Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.
Facebook, Twitter and LinkedIn are all bad in that regard on the last method, though Facebook at least do not return people's URLs along with your contact upload (you're expected to know the person's face/name to decide whether you'd want to connect). The take away is that once you sign up, whatever information you put on your profile/account is pretty much available to anyone who wants it enough - and clearly there are plenty bad actors who want it. Obviously these social networks want to expand their network, but they also make it much more easy for data harvesting at unprecedented scale.
> Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.
This is one of those functionality aspects all these social/networking sites fall foul of one way or another, be email or phone number relational suggestions. That and the aspect of this scraping of phone numbers or emails - even with the users permission, kinda moots the owner of those email and phone details. But does seem that once you give anybody your email or phone number, it kinda one way or another falls into the public domain level of privacy. Heck how many contact details via email or phone numbers do these sites hold on people who never even held an account with them.
Be nice if the law and data privacy had some global standards as this region/country by country aspect does nobody any good and in a World in which taxation works with the same model, do we really want to let data protection end up with data havens in much the same way as tax does.
Agreed. One of the poorer aspects of those 'functionalities' is friends of friends details get added, i.e. sharing your phone contacts or email contacts. There's people not on those networks that have a definite amount of information about them on there anyway.
> He claims the data was obtained by exploiting the LinkedIn API to harvest information that people upload to the site.
> our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.
If the attacker is telling the truth, Then somehow the attacker has gained access to privileged API of LinkedIn which gives out more fields than those listed in the official LinkedIn API doc[1].
If LinkedIn is telling the truth, Then the source of breach is most likely one of the many data brokers who have been breached several times in the past[2].
I have said it many times before. Unless and until you make companies pay exorbitant amount of money when your data gets stolen from them, the companies will never be serious enough about security. We had the whole Equifax fiasco, and nothing has changed.
My lord, how many times has this happened to LinkedIn? Fuckin ridiculous. Need some public policy to hold these companies more accountable when this happens, so it will happen less.
I wonder. I definitelly don't have my phone number and e-mail address visible to public (this has a purpose - if someone can find it, it means they at least spent 30 seconds of their life to issue a search query in Google) and I think most people don't as well. But that's the same thing with FB 2019 - my phone number was leaked, but I never made it public. Why would I.
This is just basically the data that's publicly available anyway unless you've locked down your profile. That sort of defeats the purpose of LinkedIn though since you're trying to get people to contact you about jobs etc.
I wish LinkedIn would just go away, it's turning less into a job specific site and more of another facebook full of idiotic political posts etc. I'd rather not have to deal with it at all but it seems employers still sort of expect you to use it.
My actual goal with LinkedIn is to be able to search people whom I have worked with that now work with some random company I am curious in now. “Oh, huh, LinkedIn had a leak, who do I know there, oh, they were reasonable people, probably an error then.” I must confess a certain curiosity on the inferred salaries I wonder how accurate they are and if we will see the whole data dump at some point.
If I put on my thickest tinfoil hat, I might even think these continuous data leaks are deliberately happening to get users/consumers normalised towards expecting zero privacy or corporate accountability going forward.
I'm curious enough to ask the question - having read the article and seen what data was leaked - isn't this "leaked data" the very same data that Linked In is selling to users as part of its Premium Offering?
152 comments
[ 2053 ms ] story [ 5182 ms ] threadone of.
This is insane.
Possible the attacker slowly downloaded the whole database.
I hope they didn't use their phone number to login to their bank, crypto exchange or other social media accounts.
Using phone numbers for login should be completely discouraged.
And it's not really just the phone number, but the combination of personal info that allows for social engineering - without having the existing customer confirm the transfer.
Why would you do that?
https://cybernews.com/news/stolen-data-of-500-million-linked...
Or is this a follow on with the rest of the data?
Either way, it's pretty shoddy that they haven't put a stop to it
I find comments of the form "where are all the folks who were complaining..." to be tiresome. Asking "where are all the folks" suggest that "all the folks" don't exist because... you don't see them on Hacker News? ... because ... you want to make a dig at LinkedIn? ... because [reasons]?
Unless I'm missing something (let me know), this comment seems like a rant based on speculation. Why believe a hacker who says they got this from scraping?
I'm not defending LinkedIn, to be clear. I'm asking for more {elaboration, logic, specificity} and less rhetoric in the comments here.
The problem is the same as with Facebook: they pretend the data is private and secure, then let people siphon it away. Public and private networks are both fine, but huge corporations trying to mix both usually end up with the worst of both worlds.
It is a fact that all this data is already being crawled by bot nets.
If all data is leaked at once, this is similar to a large scale successful crawling of the site. At least from a user perspective.
So I get what you are saying. It sounds more dramatic than it actually is. It is still a massive leak. But from a pool that scummy businesses have been thoroughly scooping from already anyway.
I'd be suspicious it was an employee with internal access to the data or someone who had hacked such an employee's computer. Of course they wouldn't admit such criminal act and risk getting caught, they'd claim a route anyone could use.
Not anymore, really. For years now you can't view someone's profile without logging in.
the leaking of semi-public data (over which we may have some control) alongside "inferred bits" and behavioral data (over which we don't) and combined with other legally or illegally obtained sources means that individuals are facing an information environment where long held assumptions about who knows what no longer hold.
lots of people still don't seem to realize what a crushing downgrade it is in all senses (economic, social, political) to be a transparent, mined entity with no sovereignty
never have 700M profiles in one place. decentralization by default - large scale centralization only when absolutely needed and with rigorous controls as a public (or highly regulated) good.
never create portable / tradeable behavioral profiles that can be linked to individuals. what can happen will happen and is happening.
never offer trivial free services in exchange for significant private data. establish a respectful and healthy client/user relation without hidden third parties in the loop
Also, keep in mind that LI has contact information and passwords people might re-use
As a thought experiment imagine that someone now builds a website called Linkedout and they post your profile with a layover animation resembling a big red stamp which reads 'Slacker'. I guess you are not OK with THAT information about you.
LinkedOut: A decentralized 'paid' job profile site for professionals, not recruiters. Where you decide who can see your profile/data and contact you.
I might just build this,but with a better name, lol
https://flockingbird.social
You can get it from 2019 FB leak of 533M accounts, dumped for free this April. My boss is in there and phone number is correct.
It scrolljacks you from the beginning and shows a lot of cartoon characters and trite phrases.
It doesn't even do anything yet but ask me to join a waitlist. This is supposed to replace a social network with 700 million users?! It looks horrible.
Barest of bones. Removing all connections, photos, posts, personal details. (I know the damage is already done. The aggregators never really delete anything.)
Why not just out right delete my profiles? I'm squatting. To ensure they're not used as socket puppets.
After a beloved coworker passed, their profile got highjacked. Ten years later, I'm still so angry about it that I could just spit.
sock puppets :)
Done much network programming lately?
[0] https://www.thefreedictionary.com/doxx [1] https://en.wikipedia.org/wiki/Doxing#Etymology
Sort of. Data that is 5+ years old is pretty stale. How many things don't change over that period of time and how can you be sure that they haven't changed? The most valuable things are phone numbers and email addresses. We expect those to be maintained so we can re-establish contact with old friends.
Relocate yourself to another city/state/country in your profile. Daily make posts about things occurring in that new location. Make those posts in sync with local time. Of course using a VPN endpoint that correlates.
From the redact.dev FAQ page:
Why don't you support anything made by Google or Apple? At this time, we are reliant on both Google and Apple to be listed in their respective app stores. As such, we have been advised that in order to remain in good standing we should not offer support for these services.
At this point, I just don't add anything new. If they're going to host my content ad infinitum, I might as well use their storage space and bandwidth.
I guess it probably would be worth ditching LinkedIn. There's no good reason why a [worthwhile] prospective employer would require it.
Your past self, current self, and your future self are different people. Don't give in to sunk cost fallacy here.
Good idea. I've noticed more of those popping up. My wife has an Instagram impersonator that constantly spams some kind of essential oils crap or other beauty product snake oil.
It was literally just some idiot binging on drugs who thought it was really funny until i ran over to his place and kicked his door in. I had people ask me what the hell that was about for YEARS afterwards. How do you explain to all these people at parties or whatever that you just happen to know stupider people than they do?
A few years back Hotmail/Outlook were returning people's Twitter/LinkedIn handles for emails sent/received. It had been noticed you could scrape that fairly easily at scale. With one email account you could check up to 30000 email addresses before being flagged by Outlook.
Slightly longer ago you could simply iterate 1...n on LinkedIn URLs to find someone's profile, by converting the number to base12, you'd be redirected to the person's public URL.
Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.
Facebook, Twitter and LinkedIn are all bad in that regard on the last method, though Facebook at least do not return people's URLs along with your contact upload (you're expected to know the person's face/name to decide whether you'd want to connect). The take away is that once you sign up, whatever information you put on your profile/account is pretty much available to anyone who wants it enough - and clearly there are plenty bad actors who want it. Obviously these social networks want to expand their network, but they also make it much more easy for data harvesting at unprecedented scale.
This is one of those functionality aspects all these social/networking sites fall foul of one way or another, be email or phone number relational suggestions. That and the aspect of this scraping of phone numbers or emails - even with the users permission, kinda moots the owner of those email and phone details. But does seem that once you give anybody your email or phone number, it kinda one way or another falls into the public domain level of privacy. Heck how many contact details via email or phone numbers do these sites hold on people who never even held an account with them.
Be nice if the law and data privacy had some global standards as this region/country by country aspect does nobody any good and in a World in which taxation works with the same model, do we really want to let data protection end up with data havens in much the same way as tax does.
> He claims the data was obtained by exploiting the LinkedIn API to harvest information that people upload to the site.
> our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.
If the attacker is telling the truth, Then somehow the attacker has gained access to privileged API of LinkedIn which gives out more fields than those listed in the official LinkedIn API doc[1].
If LinkedIn is telling the truth, Then the source of breach is most likely one of the many data brokers who have been breached several times in the past[2].
[1] https://docs.microsoft.com/en-us/linkedin/shared/references/...
[2] https://news.ycombinator.com/item?id=21606415
I wish LinkedIn would just go away, it's turning less into a job specific site and more of another facebook full of idiotic political posts etc. I'd rather not have to deal with it at all but it seems employers still sort of expect you to use it.
It is becoming a regular thing, almost part of the news cycle. "In other news, yesterday was the biannual data leak from Linkedin".
It is outrageous.