Just days after the personal data of 533 million Facebook users was posted for free on a hacking forum, a very similar leak has affected members of LinkedIn, Microsoft's social network specializing in professional contacts and relationships. In the case of this platform, there are also some 500 million affected users: their personal data has been put up for sale on a hacking portal in exchange for a “minimum four-digit price,” says the user who published the offer.
“Although we are still investigating this matter, the published data set seems to include publicly visible information that was extracted from LinkedIn combined with aggregated data from other websites or companies,” explained a spokeswoman for the social network to elDiario.es. Among the leaked information are users' full names, gender, phone numbers, emails, the link to their LinkedIn profile, links to other social network accounts linked to this platform, as well as data from their professional profile, such as academic degrees and work experience.
Until LinkedIn offers more details about the leak, everything seems to indicate that the method used to compile this file was scraping of the platform's data. This technique uses automated tools to systematically extract information from a website. Social networks prohibit running such tools against their platforms to prevent the creation of databases like the one that has now gone on sale, which means that LinkedIn would have suffered some kind of security hole that hackers took advantage of to collect its users’ data.
“The scraping of our members’ data from LinkedIn violates our terms of service and we are constantly working to protect our members and their data,” said the same spokeswoman.
To prove the authenticity of the file, the hacker who put it up for sale allows access to batches of personal data of two million users in exchange for $2. “The author of the publication claims that the data was scraped from LinkedIn. Our research team has been able to confirm this by analyzing the samples provided on the hacker forum. However, it is not clear if the actor of the attack is selling updated LinkedIn profiles, or if the data has been taken or aggregated from a previous breach suffered by LinkedIn or other companies,” highlights Cybernews, the specialized cybersecurity portal that revealed that the data had been put up for sale.
If the information contained in the file is new, the usual pattern in this type of leak is to exploit it commercially as much as possible. The cybercriminal sells it to all interested parties, who in turn resell it if they find buyers, either complete or divided by groups, countries or employees of a certain company. As time passes and more eyes access it, it loses value. In the case of the leak of 533 million Facebook users, the file had been on sale for at least two years until an anonymous user ended up posting it for free.
Non-consensual scraping was also the method used to collect the leaked Facebook data. Mark Zuckerberg’s company has acknowledged that it suffered a vulnerability in its tool to search for people based on their phone number, a functionality that was active on both Facebook and Instagram and that had to be disabled after the attack. In that case, the breach has exposed names, telephone numbers, emails, gender, date of birth, place of residence, marital status or job position.
Although scraping data from social networks does not give access to sensitive information such as passwords or private messages, being able to accumulate so many details of a person’s digital life makes that data a very valuable resource for carrying out cyberattacks. “You always have to check what type of information has been exposed, because with a phone number or an email you can prepare much more targeted attacks. If you also have the location, full name or date of birth you can add factors of the veracity of this attack so that the victim falls into the trap much more easily,” Ruth García, from the National Cybersecurity Institute, recently explained to this medium.
In fact, both the Facebook and LinkedIn leaks include the so-called Facebook ID and LinkedIn ID, identifiers that the social networks assign to each user and that do not change even if the user changes their name or any other data in their biography, which makes them the most useful method of tracking a user's activity over long periods of time.
To avoid the risks associated with this type of leak, experts recommend not always using the same data (such as email or username) in all services, and of course using a different password for each of them. This makes it difficult for cybercriminals to cross-reference information between leaked databases. If the same password or a similar one is used on all platforms and it is exposed in a single security breach, all of that user's online services would be at high risk.
Another tip is to periodically check the services that alert you if any of your personal data has been exposed. The most recommended is Have I Been Pwned?, developed by a Microsoft executive. For the past few hours, this database of security breaches has allowed users to search whether their email has been compromised in the great leak that has affected Facebook, although at the moment not in the LinkedIn one.