152 comments

[ 2053 ms ] story [ 5182 ms ] thread
> making this one of the largest LinkedIn data leaks to date.

one of.

This is insane.

Kinda makes you want to transfer all your cloud ops to Azure doesn't it.
So the attacker claims to have harvested the data via the API. Looks like you can get any user profile if you're an approved developer.

Possible the attacker slowly downloaded the whole database.

Now we will see an increase in SIM swapping attacks via this data dump and tons of fraud happening here.

I hope they didn't use their phone number to login to their bank, crypto exchange or other social media accounts.

Using phone numbers for login should be completely discouraged.

If someone merely knowing your phone number is a security risk that really seems like a flaw that should be addressed with the phone system and not by treating the numbers like sensitive information.
True, but whether or not it should be or not doesn't change the fact that it is the current state of the US.

And it's not really just the phone number, but the combination of personal info that allows for social engineering - without having the existing customer confirm the transfer.

I've seen worse. All you need to use a credit card is the number printed on it and still we hand it to strangers to run off with for 3 minutes like nothing.
> and still we hand it to strangers to run off with for 3 minutes like nothing.

Why would you do that?

I'm joking about the restaurant experience. Nowadays the staff usually comes out with a portable machine though.
I saw that in Canada but it's rare in the US.
There was a time when there were whole books of said numbers and it wasn't a security risk. We've definitely gone wrong with our assumptions somewhere.
This is why it’s good to only share data with LinkedIn that you expect to be leaked.
Crazy that this is the default stance now for places that should know better
My LinkedIn data leaked? Honestly, it's free advertising.
To the extent the leak goes beyond public-facing profile information, this is far from "advertising".
That's fair and for many it's not good at all - I was speaking strictly for myself. I didn't link my account to any other social media, nor did I put a phone number on there.
And what in that leak is going to make you stand out from the other 699,999,999 users? rand(oneLuckyUser) == You???
This is why it’s good to only share data with ANY SERVICE that you expect to be leaked.
Where are all the folks who were complaining about the LinkedIn anti-scraping court case destroying the open web? This is what LinkedIn is fighting against.
It is easy for hacker(s) to claim they got this data from scraping. From the article, we can't be confident that this is true (completely or in part).
> Where are all the folks who were complaining about the LinkedIn anti-scraping court case destroying the open web? This is what LinkedIn is fighting against.

I find comments of the form "where are all the folks who were complaining..." to be tiresome. Asking "where are all the folks" suggest that "all the folks" don't exist because... you don't see them on Hacker News? ... because ... you want to make a dig at LinkedIn? ... because [reasons]?

Unless I'm missing something (let me know), this comment seems like a rant based on speculation. Why believe a hacker who says they got this from scraping?

I'm not defending LinkedIn, to be clear. I'm asking for more {elaboration, logic, specificity} and less rhetoric in the comments here.

Scraping the open web is NOT the same as accessing privileged APIs to collect private information. If LinkedIn made their pages accessible to anyone as a sort of public service (as they used to), people would think twice what data to put on there.

The problem is the same as with Facebook: they pretend the data is private and secure, then let people siphon it away. Public and private networks are both fine, but huge corporations trying to mix both usually end up with the worst of both worlds.

You want to defend a company that uses shitty dark patterns?
But is this really a problem? LinkedIn is "advertising for yourself", presumably to get a job. With the exception of my phone number, I'm ok with the world knowing this information about me. It's the equivalent of a phone book and I'm putting myself out there and advertising myself in the hopes of getting a job.
My thoughts exactly. Given the nature of LinkedIn there is absolutely nothing I'd put there that I didn't want others to see.
Isn't the revealing thing about these leaks not the data that you provided but the data they have associated to you from other means?
I imagine most people do not share your attitude, me included. Especially profile sections set to private staying that way needs to be trusted.
And emails not falling in the hands of spammers is always nice.
I feel like the lines between a data leak and large scale scraping are getting blurred. At least in their impact for the user. Which is a bad thing as it will support the "so what" attitude that many people have toward their data.

It is a fact that all this data is already being crawled by bot nets.

If all data is leaked at once, this is similar to a large scale successful crawling of the site. At least from a user perspective.

So I get what you are saying. It sounds more dramatic than it actually is. It is still a massive leak. But from a pool that scummy businesses have been thoroughly scooping from already anyway.

Are these details publicly-available for the scraping though?

I'd be suspicious it was an employee with internal access to the data or someone who had hacked such an employee's computer. Of course they wouldn't admit such criminal act and risk getting caught, they'd claim a route anyone could use.

If the geolocation data is fine grained I would hope not.
> LinkedIn is "advertising for yourself"

Not anymore, really. For years now you can't view someone's profile without logging in.

Yeah but the people who want to find you there have accounts.
I have no problem with people accessing my data, but only so long as it's people who have a valid reason to access that data. In the case of LinkedIn, I don't mind my connections, coworkers, and (reluctantly) recruiters seeing what's on my resume. I do mind a random hacker accessing that information, selling it to anyone who'll buy, and those people then using that data for things that probably aren't related to offering me employment.
How do you know someone accessing your data through the Web site is a recruiter?
I look their details up in this spreadsheet of 700 million people I've got.
It’s good to hear that it hasn’t affected you personally, but the severity of the leak must be assessed based on the privacy that was reasonably expected by users. LinkedIn has not met their duty to protect their personal information and that alone is enough to say: yes, it’s a problem.
Yeah I agree that LI hasn't done a great job of protecting their data from being misused. But that's the nature of social networks though, data is to be shared in order to build the network. As another commenter said, just don't put in anything you don't want people to find out. Absolute privacy cannot be achieved when you give out your information willingly. To paraphrase WOPR, "the only way to win the game is to not play."
What about your job hunt status, openings you've applied to, DMs?
if you look at the sample image there are data points like "inferred salaries", "inferred years of experience", number of connections (and possibly other stuff) that somebody may or may not have wanted to advertise to the universe.

the leaking of semi-public data (over which we may have some control) alongside "inferred bits" and behavioral data (over which we don't) and combined with other legally or illegally obtained sources means that individuals are facing an information environment where long held assumptions about who knows what no longer hold.

lots of people still don't seem to realize what a crushing downgrade it is in all senses (economic, social, political) to be a transparent, mined entity with no sovereignty

What do you think is a good solution to this problem?
there are many ways to skin this cat if one was motivated enough to put their mind to it... but some suggestions anyway:

never have 700M profiles in one place. decentralization by default - large scale centralization only when absolutely needed and with rigorous controls as a public (or highly regulated) good.

never create portable / tradeable behavioral profiles that can be linked to individuals. what can happen will happen and is happening.

never offer trivial free services in exchange for significant private data. establish a respectful and healthy client/user relation without hidden third parties in the loop

My understanding is that it was "advertise yourself within your network". I dont want my name and face on a billboard for just anyone....

Also, keep in mind that LI has contact information and passwords people might re-use

Not really. Anyone who has an account can see profile. It's been a go-to for journalists for a long time.
You can set your profile to only be viewable to connections or second degree connections
You can also "hibernate" your account to disable it completely until you log in again. I just did this; my go-forward strategy will be to resurface and collect connections anytime I switch jobs, then hibernate it again when I no longer need it. That way it can serve its only real function of being a face for my job applications, and can be made invisible all other times.
More than half the value is letting people reach out to you when you're not actively looking. Otherwise let them use your resume.
Well I can see your point, but this is not exactly the same.

As a thought experiment imagine that someone now builds a website called Linkedout and they post your profile with a layover animation resembling a big red stamp which reads 'Slacker'. I guess you are not OK with THAT information about you.

Oh funny I actually thought about same name

LinkedOut: A decentralized 'paid' job profile site for professionals, not recruiters. Where you decide who can see your profile/data and contact you.

I might just build this,but with a better name, lol

Isn't that what someone that works at Slack? If they're getting basic employment details that badly wrong, then they're not very useful.
> With the exception of my phone number

You can get it from 2019 FB leak of 533M accounts, dumped for free this April. My boss is in there and phone number is correct.

I'm there and even received few scam calls from foreign countries. Ironically, I cancelled my account in 2019.
Do you care to share some of your private messages here in this thread?
The article does not explain what info beyond public profiles had been stolen. You can already google search LinkedIn making this data leak very low impact
Seems like just the phone number and email.
Yeah missed that. My LinkedIn api experience is dated, are those visible via api?
Kind of ambiguous from the article's description of "exploiting the API."
The Linkedin API is dated. So you are probably up to date ;)
it bypasses privacy settings users may have set up. e.g. not everyone can see my contact info
Now when cold-calling scammers that buy lists from ZoomInfo say they 'got my info from LinkedIn' they may not be lying.
If Microsoft can't safely code its apis what hope does anyone else have?
This is an excellent question/framing. The security model used in the industry right now is insane and doomed to fail, and yet it is relentlessly pushed forth and defended.
Microsoft have never exactly had a reputation of security-conscious developments. However you do have a point: building secure software is close to impossible, and that's why we should build software that collects the smallest amount possible of personal information.
LinkedIn became crap a long time ago. Let's make https://www.polywork.com the default way to share your achievements.
Looks terrible.
Design looks like a kid tv station. I scrolled through weird animations to get no info at all. I closed the page.
Sorry, but looks like vaporware, and the company (Kalo) seems scammy: broken website, no activity for years even when they claim to have raised millions, etc.
Can't tell what it does from the website.

It scrolljacks you from the beginning and shows a lot of cartoon characters and trite phrases.

It doesn't even do anything yet but ask me to join a waitlist. This is supposed to replace a social network with 700 million users?! It looks horrible.

Hmmm no I think I'll stay on the one people have actually heard of where you actually get scouted.
Not sure if the waitlist/vip method is well suited to this.
I've never seen a website chug so badly on my machine, I barely got 5fps on any of that page
no real information on the landing page, only hype. I guess it is for vc folks not users...
Then they complain when people scrape their site...
FWIW, I've been scrubbing my social profiles. LinkedIn, Yelp, Facebook, etc.

Barest of bones. Removing all connections, photos, posts, personal details. (I know the damage is already done. The aggregators never really delete anything.)

Why not just out right delete my profiles? I'm squatting. To ensure they're not used as socket puppets.

After a beloved coworker passed, their profile got highjacked. Ten years later, I'm still so angry about it that I could just spit.

> To ensure they're not used as socket puppets.

sock puppets :)

Done much network programming lately?

Socket pups sounds like such a lovely alternative to sockpuppets.
I’ve been doing the same. The potential downside risk of having LinkedIn/Facebook/Instagram profiles just keeps growing and growing. I’m a complete ghost on the Internet. I have Google alerts set up for my names and email addresses, and I regularly attempt to docs myself to find any leaks. I also can’t understand why anyone in the public eye doesn’t completely sanitise their social media profiles. The amount of people brought down by 10 year old stupid tweets is insane.
>The aggregators never really delete anything.

Sort of. Data that is 5+ years old is pretty stale. How many things don't change over that period of time and how can you be sure that they haven't changed? The most valuable things are phone numbers and email addresses. We expect those to be maintained so we can re-establish contact with old friends.

Same, but also adding a lot of fake data. Then again, they're probably smart enough to figure out what is real.
But if you made it a thing to daily post fake things so that the activity looks normal, can you eventually convice the social overlords you are someone else?

Relocate yourself to another city/state/country in your profile. Daily make posts about things occurring in that new location. Make those posts in sync with local time. Of course using a VPN endpoint that correlates.

I am surprised there is not a service for this!
Check out Redact(https://redact.dev/).
Thanks for the tip! Miss google on the services
Sucks, but heres why no google support:

From the redact.dev FAQ page:

Why don't you support anything made by Google or Apple? At this time, we are reliant on both Google and Apple to be listed in their respective app stores. As such, we have been advised that in order to remain in good standing we should not offer support for these services.

How do you know you can trust this app, by the way?
this is the right approach
I would do this, but my data has been up in social media long enough that I don't believe it makes a significant difference if I superficially "delete" it now. Maybe I'm wrong?

At this point, I just don't add anything new. If they're going to host my content ad infinitum, I might as well use their storage space and bandwidth.

I guess it probably would be worth ditching LinkedIn. There's no good reason why a [worthwhile] prospective employer would require it.

The best time was not to do it in the first place. The second best time is now.

Your past self, current self, and your future self are different people. Don't give in to sunk cost fallacy here.

This. The best way to erase social media is to replace the account with a bunch of BS. Most of these companies are too cheap and Zucker's "move fast" culture probably doesn't involve database record versioning. Also because it's expensive. The old SET _deleted_=1 is pretty much their main ace in the hole to f*k you. Hell, even if they do versioning, just keep filling the profiles with enough noise and they won't be able to filter it all out unless they somehow index and data warehouse your profile from the decrepit old backup. At that point, you are just hoping their schema changes, the logistics, and their bad practices are enough to prevent that from being cost efficient.
I saw someone on here had a program that went in your profile and rewrote all posts with garbage data before you deleted it. Like for Facebook, Twitter, Discord, etc. That way you know their database is filled with junk data. I'd really like to know what that was again so I could peak at it in case I ever wanted to do that.
> I'm squatting. To ensure they're not used as socket puppets.

Good idea. I've noticed more of those popping up. My wife has an Instagram impersonator that constantly spams some kind of essential oils crap or other beauty product snake oil.

I had someone do that to me when I've been -still alive-... just posting the weirdest shit right on other people's pages after adding a bunch of my friends for a cheap laugh.

It was literally just some idiot binging on drugs who thought it was really funny until i ran over to his place and kicked his door in. I had people ask me what the hell that was about for YEARS afterwards. How do you explain to all these people at parties or whatever that you just happen to know stupider people than they do?

don't put any real info on those things beyond like your name ... really.
Is this a "real" leak or "just" scraped profiles?
Looks like scraped with additional data from other sources. Linkedin doesn't have your Facebook account, but it included in the database sample
Not surprising really.

A few years back Hotmail/Outlook were returning people's Twitter/LinkedIn handles for emails sent/received. It had been noticed you could scrape that fairly easily at scale. With one email account you could check up to 30000 email addresses before being flagged by Outlook.

Slightly longer ago you could simply iterate 1...n on LinkedIn URLs to find someone's profile, by converting the number to base12, you'd be redirected to the person's public URL.

Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.

Facebook, Twitter and LinkedIn are all bad in that regard on the last method, though Facebook at least do not return people's URLs along with your contact upload (you're expected to know the person's face/name to decide whether you'd want to connect). The take away is that once you sign up, whatever information you put on your profile/account is pretty much available to anyone who wants it enough - and clearly there are plenty bad actors who want it. Obviously these social networks want to expand their network, but they also make it much more easy for data harvesting at unprecedented scale.

> Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.

This is one of those functionality aspects all these social/networking sites fall foul of one way or another, be email or phone number relational suggestions. That and the aspect of this scraping of phone numbers or emails - even with the users permission, kinda moots the owner of those email and phone details. But does seem that once you give anybody your email or phone number, it kinda one way or another falls into the public domain level of privacy. Heck how many contact details via email or phone numbers do these sites hold on people who never even held an account with them.

Be nice if the law and data privacy had some global standards as this region/country by country aspect does nobody any good and in a World in which taxation works with the same model, do we really want to let data protection end up with data havens in much the same way as tax does.

Agreed. One of the poorer aspects of those 'functionalities' is friends of friends details get added, i.e. sharing your phone contacts or email contacts. There's people not on those networks that have a definite amount of information about them on there anyway.
From OP,

> He claims the data was obtained by exploiting the LinkedIn API to harvest information that people upload to the site.

> our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.

If the attacker is telling the truth, Then somehow the attacker has gained access to privileged API of LinkedIn which gives out more fields than those listed in the official LinkedIn API doc[1].

If LinkedIn is telling the truth, Then the source of breach is most likely one of the many data brokers who have been breached several times in the past[2].

[1] https://docs.microsoft.com/en-us/linkedin/shared/references/...

[2] https://news.ycombinator.com/item?id=21606415

I have said it many times before. Unless and until you make companies pay exorbitant amount of money when your data gets stolen from them, the companies will never be serious enough about security. We had the whole Equifax fiasco, and nothing has changed.
My lord, how many times has this happened to LinkedIn? Fuckin ridiculous. Need some public policy to hold these companies more accountable when this happens, so it will happen less.
Isn't this just data that people choose to make public on linkedin?
I wonder. I definitelly don't have my phone number and e-mail address visible to public (this has a purpose - if someone can find it, it means they at least spent 30 seconds of their life to issue a search query in Google) and I think most people don't as well. But that's the same thing with FB 2019 - my phone number was leaked, but I never made it public. Why would I.
This is just basically the data that's publicly available anyway unless you've locked down your profile. That sort of defeats the purpose of LinkedIn though since you're trying to get people to contact you about jobs etc.

I wish LinkedIn would just go away, it's turning less into a job specific site and more of another facebook full of idiotic political posts etc. I'd rather not have to deal with it at all but it seems employers still sort of expect you to use it.

My actual goal with LinkedIn is to be able to search people whom I have worked with that now work with some random company I am curious in now. “Oh, huh, LinkedIn had a leak, who do I know there, oh, they were reasonable people, probably an error then.” I must confess a certain curiosity on the inferred salaries I wonder how accurate they are and if we will see the whole data dump at some point.
If I put on my thickest tinfoil hat, I might even think these continuous data leaks are deliberately happening to get users/consumers normalised towards expecting zero privacy or corporate accountability going forward.
By including a description of your supposed hat, you kind of pre-negate the content of your post.
I'm curious. Was Linkedin always so bad at securing its (our) data or things have gone downhill ever since the acquisition?

It is becoming a regular thing, almost part of the news cycle. "In other news, yesterday was the biannual data leak from Linkedin".

It is outrageous.

It was always that bad. In fact it probably used to be even worse.
I've know a few people who worked at LinkedIn prior to the acquisition. They say it was worse before.
At one point, early on, they lost everyone’s passwords. Doesn’t get much worse than that.
I'm curious enough to ask the question - having read the article and seen what data was leaked - isn't this "leaked data" the very same data that Linked In is selling to users as part of its Premium Offering?
IMO it seems to be exactly the same thing.. LinkedIn has never made itself out to be respectful of privacy, so I'm really not surprised.
Well, they finally got me to log in again after, what, 5 years? Good on them.