Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground

After 500 million LinkedIn enthusiasts were affected in a data-scraping incident in April, it’s happened again – with big security ramifications.

A new posting with 700 million LinkedIn records has appeared on a popular hacker forum, according to researchers.

Analysts from Privacy Sharks stumbled across the data put up for sale on RaidForums by a hacker calling himself “GOD User TomLiner.” The advertisement, posted June 22, claims that 700 million records are included in the cache, and included a sample of 1 million records as “proof.”

Privacy Sharks examined the free sample and saw that the records include full names, gender, email addresses, phone numbers and industry information. It’s unclear what the origin of the data is – but the scraping of public profiles is a likely source. That was the engine behind the collection of 500 million LinkedIn records that went up for sale in April. It contained an “aggregation of data from a number of websites and companies” as well “publicly viewable member profile data,” LinkedIn said at the time.

According to LinkedIn, no breach of its networks has occurred this time, either:

“While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources,” according to the company’s press statement. “This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected.”

“This time around, we cannot be sure whether or not the records are a cumulation of data from previous breaches and public profiles, or whether the information is from private accounts,” according to Privacy Shark’s blog post, published Monday. “We employ a strict policy of not supporting sellers of stolen data and, therefore, have not purchased the leaked list to verify all of the records.”

There are are 200 million more records available in the collection this time around, so it’s probable that new data has been scraped and that it’s more than a rehash of the previous group of records, researchers added.

Security Ramifications of Data-Scraping

The good news is that credit-card data, private message contents and other sensitive information is not a part of the incident, from Privacy Shark’s analysis. That’s not to say there aren’t serious security implications though.

“The leaked information poses a threat to affected LinkedIn users,” according to Privacy Sharks. “With details such as email addresses and phone numbers made available to buyers online, LinkedIn individuals could become the target of spam campaigns, or worse still, victims of identity theft.”

It added, “expert hackers may still be able to track down sensitive data through just an email address. LinkedIn users could also be on the receiving end of email or telephone scams that trick them into sharing sensitive credentials or transferring large amounts of money.”

Then there are brute-force attacks to be concerned about: “Using email addresses provided in the records, hackers may attempt to access users’ accounts using various combinations of common password characters,” researchers warned.

And finally, the data could be a social-engineering goldmine. Sure, attackers could simply visit public profiles to target someone, but having so many records in one place could make it possible to automate targeted attacks using information about users’ jobs and gender, among other details.

“It is not uncommon to see such data sets being used to send personalized phishing emails, extort ransom or earn money on the Dark Web – especially now that many hackers target job seekers on LinkedIn with bogus job offers, infecting them with a backdoor trojan,” Candid Wuest, Acronis vice president of cyber-protection research, said via email at the time of the first data-scraping incident. “For example, such personalized phishing attacks with LinkedIn lures were used by the Golden Chickens group.”

Users should secure their LinkedIn accounts by updating passwords and enabling two-factor authentication.

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!

Suggested articles

Business Email Compromise

Universities Put Email Users at Cyber Risk

DMARC analysis by Proofpoint shows that institutions in the U.S. have among some of the poorest protections to prevent domain spoofing and lack protections to block fraudulent emails.


  • Anon on

    Excellent post! RestorePrivacy reached out to the threat actor and confirmed the data source. He scraped the LinkedIn API: [external link removed]
  • Kolajik on

    I don't think only by updating passwords and two-factor authorization the users are going to secure against such types of scraping. It was not a breach, but merely collecting of OSINT. I would rather recommend to revisit privacy settings on their profile. For example to disable visibility of telephone number or email publicly on their profile, etc.
  • Mubeen Khan on

    It's quite devastating for all of us, but that incident teaches us to research more and enlightening the path towards a quantum internet, which might be a quicker adaptation in coming years soon.
  • Hisham Lamei on

    I can only repeat my saying since years. Why don’t we impose authentication for accessing the internet? We don‘t allow vehicles to be driven without car plates or drivers without driving licenses, so why don‘t we demand an identity key for authentication on the Internet. It for sure doesn‘t resolve identity misuse by 100%, but it will allow better allocation and misuse and eliminate about 80% of the vulnerabilities we are seeing today. Technologies like VIBE enable end-to-end authentication, encryption and tracking and scale by far better to fit the billion/trillion of connected systems on the Internet than most of the PKI based solutions. The multi-patent technology even enables authorities to regenerate private keys to decrypt illegal criminal communications and identify its senders or the therefore used identities on existence of a court order. #TrustNothingAuthenticateEverything
  • Ayman on

    So basically after this I am done.... the entire universe knows my info ... this is the 5th or 6th company leaking my info
  • Selt Mitchell on

    Its not LinkedIn that's LeakingOut... :D In reality, its your anti-virus that's using a shell-game company based in the US to agglomerate data through a krackerjack company that cannot be investigated off-shore. How do you think they manage to pickup (so many!) of the passwords ? Its the only way to scrape LinkedIn data in the first place, you gotta get passed the login prompt, and there's only a couple of companies that can "legally" manage to ride on your shoulder while you do that in all security contexts. (Even bypassing well-thought Microsoft enterprise protections). IT experts and Security experts alike, have all been duped in the past decade. Those anti-virus companies have been working for the other side all along with double agendas. Do your research on their companies, you'll see I speak the truth. They all merged with data-aggregators and data-resellers at some point in their existence. Its business 101; if you can have 2 revenue sources, the more money you make.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.