Around five hundred million profiles stolen from LinkedIn

LinkedIn is a social networking site whose purpose is to facilitate connections between individuals for work purposes. It can be described as a kind of Facebook of the working world. The site is one of the most popular in the world in the professional sphere. Numerous users rely on it to publish their CVs and job offers.

According to numerous sources, some 500 million LinkedIn profiles have been put up for sale on the Dark Web. As had happened a few days earlier with Facebook, it seems that someone used an automatic data collection system to read the public data of millions of web pages and then put it into a database. The technique in question is called web scraping, and it can be carried out with the help of a great many tools.

The sites normally subject to this kind of technique are the most popular ones, which therefore have a lot of users; sites that do affiliate marketing; sites that, based on their target audience, offer information that can be used for lead generation (the practice of finding potential customers); and sites whose advertising revenue is falsified by fictitious visits.

Although some technical skill is needed to carry out this kind of data collection, it does not require any particularly high-level expertise. It is in fact a way to capture information that is already public, or information from private profiles obtained by adding as friends people one does not know.

To be clearer, it is as if a person very quickly started copying and pasting into a neat database the information that he or she considers useful for selling. Since it is an automatic system, this operation is done a million times faster.

It should also be added that recording public information in a database is a practice normally carried out by search engines and SEO sites as well. If the rumour that the attackers only appropriated public data through web scraping were to be confirmed, the difference would lie in the illegal use and sale of this data. Everyone knows that if they put their phone number on a public page on the Internet, sooner or later they will receive unexpected and unwanted calls.

Basically, if a page is public and can be viewed by a browser, it can certainly also be read by an automatic system, which is the basis of web scraping. There are many ways to protect a site from this procedure, such as monitoring a single IP address that quickly moves across several pages. But if the malicious person has several IP addresses and some familiarity with programming languages, he or she can conveniently simulate a traditional, random access from various points around the globe. And the site administrator would see an increase in visits, but would have no proof that these visits are not from normal users.

Given the spread of dynamic IP addresses used by many operators, even the most careful system administrator will have serious difficulties banning certain addresses that seem suspicious to him. Blocking access to several classes of IP addresses could deny service to legitimate users who simply use the same provider to connect to the Internet.
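The per-address monitoring described above, and the way spreading requests over several addresses slips past it, shown as an added example that is not part of the original article. The log format, the thresholds and the function names are assumptions, and the log lines are constructed with documentation-range addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Parse a constructed 'ISO-timestamp IP METHOD PATH' log line; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[3]
    except ValueError:
        return None

def fast_crawlers(lines, window=timedelta(seconds=10), max_pages=5):
    """Return the IPs that fetched more than max_pages distinct pages inside
    one sliding window. Lines are assumed to be in time order."""
    recent = defaultdict(deque)          # ip -> (time, path) pairs still in the window
    flagged = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                     # skip malformed lines instead of failing
        ts, ip, path = rec
        q = recent[ip]
        q.append((ts, path))
        while ts - q[0][0] > window:     # drop requests older than the window
            q.popleft()
        if len({p for _, p in q}) > max_pages:
            flagged.add(ip)
    return flagged

def make_line(ip, second, path):
    """Build one constructed log line (hypothetical format, constructed date)."""
    return f"2021-01-01T10:00:{second:02d}+00:00 {ip} GET {path}"

# Constructed sample 1: one address walks eight profile pages in eight seconds.
SINGLE = [make_line("203.0.113.7", s, f"/profile/{s}") for s in range(8)]
# Constructed sample 2: the same eight pages, each fetched from a different address.
SPREAD = [make_line(f"198.51.100.{s + 1}", s, f"/profile/{s}") for s in range(8)]

if __name__ == "__main__":
    print("single address :", fast_crawlers(SINGLE))
    print("spread addresses:", fast_crawlers(SPREAD))
```

The second sample produces the same page views as the first but no address crosses the threshold, which is why per-address counting alone gives the administrator no proof that the visits are automated.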

There are other ways that the site could defend itself, such as asking people to confirm that they are not robots, but this would significantly decrease people’s access because they find it tedious to have to click every time to confirm that they are not an automated program.

It is therefore immediately clear that the best way to protect one’s privacy from this kind of action is undoubtedly to avoid entering potentially sensitive data on the Internet. However, if you need to advertise yourself, it is often compulsory to enter such data. An example might be a person who needs to find a job and puts their CV online together with their email address in order to be contacted.

The information collected in this way could be sold to anyone, to unprofessional and unscrupulous call centres, to scammers and malicious people of all kinds. One must always be very careful with all the data one enters into the network because there is never the certainty of total security.

However, information on the technique used has not been 100% confirmed, and we therefore advise users to change their profile passwords.

If the same password was also used for the e-mail accounts associated with the profile, which should never be done, it would be advisable to change the passwords for these as well (and also the passwords for access to other sites and systems). Remember that passwords should be as complex and long as possible, should be unique, changed regularly, and should never be stored on accessible media, particularly on the net.

Although it is more cumbersome to log in, we advise you to always use browsers with cookies disabled, to always log out once you have finished working on the platform and to activate two-step access where present.

The privacy watchdog would also advise you to watch out in the coming weeks for any anomalies on your phone or in your account. There may be attempts to defraud you through scam emails, unwanted phone calls or other illicit means.

Always keep in mind that it is never a good idea to put your data online unless it is strictly necessary. If a piece of data is made public on any site, anyone might be able to use it without your consent.

Moreover, even if the data is private, there is always the risk that someone could exploit a vulnerability to gain access to your profiles.

Attacks aimed at selling personal data do not only affect LinkedIn, but also many other companies and portals. For more information, please contact the site owner directly and follow the most common security guidelines.

In this link you will find the sources of the article.
