Data from 500M LinkedIn Users Posted for Sale Online

Like the Facebook incident earlier this week, the information — including user profile IDs, email addresses and other PII — was scraped from the social-media platform.

Personal data from more than 500 million LinkedIn users has been posted for sale online in yet another incident of threat actors scraping data from public profiles and slinging it online for potential cybercriminal misuse.

Hackers posted an archive containing data they said includes LinkedIn IDs, full names, professional titles, email addresses, phone numbers and other personally identifiable information (PII) on a popular hacker forum, according to a report in CyberNews on Tuesday.

The LinkedIn incident comes on the heels of a substantial leak of personal data from more than 533 million Facebook users last weekend.

The data set also includes links to LinkedIn profiles and other social-media profiles, according to the report. Moreover, to prove the authenticity of the info and provide a teaser of the data inside, the hackers responsible also leaked another 2 million records as a proof-of-concept sample, the report said.

Users on the forum can view the samples for about $2 worth of forum credits. However, the threat actor also appears to be auctioning off the crown jewel of the data-gathering — the 500-million-user database — for at a sum that is at least in the four-digit range, most likely in a Bitcoin equivalent, according to the report.

“As the leaked data contains no payment card details and no passwords, it’s of less value to attackers and won’t sell for much on the Dark Web anyway,” Candid Wuest, Acronis vice president of cyber-protection research, said via email. “However, it does contain valuable personal information (workplace info, email, social account links), which is why it’s not published it for free.”

LinkedIn Confirms Data-Scraping

LinkedIn officials confirmed  that data from the platform was included in the database and, like Facebook officials before them, said it was not due to a breach of its system but instead was scraped from the LinkedIn site.

“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies” that includes “publicly viewable member-profile data that appears to have been scraped from LinkedIn,” the company said in a statement on its website, on Thursday.

“This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review,” according to the post.

Scraping is a common tactic used by threat actors to siphon public information from the internet that can then be sold online for profit and reused for malicious activity. Scraped data is often repurposed to create socially engineered phishing attacks, to commit identity theft,  brute-force credentials or spam victims’ accounts, among other nefarious activity.

LinkedIn also echoed Facebook’s comments that any misuse of platform members’ data by scraping violates its terms of service, and said the company will be investigating.

“When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable,” according to LinkedIn’s statement.

It’s unclear at this time if LinkedIn will face regulatory troubles due to the incident, such as being in violation of the General Data Protection Rule (GDPR). The GDPR is a European Union rule that went into effect in May 2018 that mandates that companies disclose data breaches within a certain period of time or face penalties. Facebook currently faces an investigation by Ireland’s Data Protection Commission (IDPC) over the earlier leak.

CyberNews has posted an online tool so people can check to see if their data was leaked in the most recent LinkedIn incident. If that’s the case, they should be extra-cautious in opening suspicious emails or text messages or links related to messages from senders they don’t recognize.

“It is not uncommon to see such data sets being used to send personalized phishing emails, extort ransom or earn money on the Dark Web – especially now that many hackers target job seekers on LinkedIn with bogus job offers, infecting them with a backdoor trojan,” said Wuest. “For example, such personalized phishing attacks with LinkedIn lures were used by the Golden Chickens group last week.”

Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event. 



Suggested articles


  • D K on

    This seems to be scraping as described rather than a breach (though I have not gone through the data to verify). But the article keeps referring to a leak. GDPR would not be an issue for this. However the public unwillingly disclosing information is a big enough talking and education point.
  • Peter on

    The Facebook incident was due to a flaw in Facebook's system. The LinkedIn incident is simply a gathering of publicly available data. Probably the LinkedIn account holders with tighter security profile settings had less exposed publicly.
  • Priit on

    We need to find who are the criminals behind the cyber attacks and get them all arrested. This must include the FBI and the CIA to be involved catching the crooks.
  • Selt Mitchell on

    :/ Nobody looking further than their own noses. I know exactly where that data breach came from, I got the logs to prove it. I did contact the responsible party, but they negated responsibility and clamped down their infrastructure against engineers reverse-engineering their system. Meanwhile LinkedIn has the perfect legal defense "they don't care and plainly say so in their service agreement". Nobody stopped to wonder how the newer list also includes PASSWORDS ? It should be quite obvious... its a whale, its on everybody's computer. Alas, journalism is really dead, when you're quoting other articles that quote other articles that lead into an infinite loop, well... duh... !

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.