Data scraped from 700m LinkedIn users appears for sale online

29 Jun 2021


For the second time this year, data from millions of LinkedIn users is up for sale online, potentially exposing nearly 19 out of every 20 users.

Reports of another batch of LinkedIn data being sold online have emerged, but this time 700m accounts are said to have fallen victim to the apparent data scraping.

With 756m users on the social media platform, this would mean nearly 93pc of LinkedIn members are involved in the incident.

RestorePrivacy.com posted a number of screenshots from a user who claims to have harvested the data by exploiting LinkedIn’s application programming interface (API).

RestorePrivacy.com is a site that aims to “give you all the information and tools you need to restore your online privacy, secure your electronic devices, and stay safe online”.

The data reported includes full names, phone numbers, geolocation records, email addresses and personal and professional experience of LinkedIn users.

The data posted did not include any login information or financial data. There was information related to inferred salary, however.

When members of RestorePrivacy cross-referenced the 1m samples provided in the post against publicly available information, they found the data appeared to be up to date and authentic.

However, a spokesperson for LinkedIn said that the platform doesn’t have an API that could return all these types of data.

“Based on our current investigation, we’ve confirmed through sample analysis that several specific fields such as phone number, gender, inferred salary and physical address in this dataset did not come from LinkedIn.”

An earlier statement from a company spokesperson said an initial analysis indicated that the dataset “includes information scraped from LinkedIn as well as information obtained from other sources”.

“This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed,” they added. “Scraping data from LinkedIn is a violation of our terms of service and we are constantly working to ensure our members’ privacy is protected.”

A similar incident occurred in April of this year, when the data of 500m users was put up for sale for a four-figure sum. LinkedIn clarified that this data was not obtained via a data breach, but had been gathered from a number of websites and companies, including its own.

In a statement issued at the time, LinkedIn said that the earlier dataset “does include publicly viewable member profile data that appears to have been scraped from LinkedIn”. The company stressed that this data was not lost through a breach, and no private member account data was compromised.

However, for users whose data is affected, risks include phishing attempts as well as identity theft.

With phishing attempts reportedly on the rise during 2021, the incident presents a potential point of vulnerability for the vast majority of the professional community on the social media site.

Updated, 9.15am, 30 June 2021: This article was updated to include a statement from LinkedIn.

Updated, 11.30am, 30 June 2021: The article was updated to include a further statement from LinkedIn regarding its APIs.

Sam Cox is a journalist at Silicon Republic covering sci-tech news
