It has been revealed today that social media platform LinkedIn is the latest to suffer a website scraping attack at the hands of cyber criminals. Data belonging to over 500 million of its users has been posted online and is reportedly being sold to hackers.
The news comes only days after it was revealed that over half a billion Facebook users had their data posted online following website scraping.
Facebook has been downplaying the incident and has stated in an announcement that the social platform has no plans to notify its users of the data disclosure, as it is based on publicly available information and relates to a flaw that was patched prior to 2019.
The world’s eyes are now on LinkedIn to see how it will respond to the attack and whether it will take the decision to notify customers, even though the information was not hacked from the site but scraped from publicly available sources.
Following the news, security experts have been commenting on the incident:
George Papamargaritis, MSS Director, Obrela Security Industries:
“In the last week we have witnessed two of the world’s leading social platforms suffer data disclosures as a result of website scraping. Both incidents highlight the lengths and time cyber criminals will put into building profiles on internet users to carry out attacks or sell their data.
LinkedIn is still investigating the breach but it will be interesting to see how it responds to the incident and whether it believes users that have been impacted need to be informed.
Anyone who has been impacted by this latest incident should be extra vigilant for phishing attempts, where cybercriminals will use the information obtained to make their scams look genuine. While no financial information was stolen, cybercriminals could use the information to tailor phishing scams to make them feel more authentic, which will provide them with an avenue to monetise the data.”
Lewis Jones, threat intelligence analyst at Talion:
“This incident appears to show close similarities to the incident affecting Facebook earlier this week, as the attackers have not actually penetrated the internal systems but collected the data from the public facing websites containing LinkedIn profile information.”
How can companies prevent website scraping?
“Website scraping is a real problem for many organisations, particularly for social media companies with large data sets. Completely preventing website scraping can be difficult; Facebook has found this and has had to make significant changes to how its platform worked to minimise it. Ultimately it becomes a balance between how much information you want to make publicly available and locking down your website. The simplest way to prevent a website from being scraped is to block multiple requests from the same IP address. Other methods like requesting login credentials for access, using CAPTCHAs, and changing the website’s HTML settings regularly can also be effective.”
What is your advice for how LinkedIn should handle the breach?
“LinkedIn should be mindful of the negative press that Facebook has received over the past week in how it has dealt with a similar incident. My advice would be to contact users affected as soon as possible to ensure that they are given the best opportunity to prevent any follow-up attacks. LinkedIn should also consider how much information users can see without access and how this is used by web crawlers and third-party websites.”
Any advice for users that have had their data scraped?
“While it initially appears that no sensitive information, such as financial data, has been obtained, LinkedIn IDs, full names, email addresses and phone numbers do appear to have been collected by the attackers. My advice for users who may be affected is to change your password to a strong password, enable two-factor authentication, be wary of unexpected connection requests, be wary of phishing emails/messages and finally ensure you keep anti-virus software up to date.”
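The per-IP throttling Lewis Jones names above as the simplest anti-scraping control, as an added illustration that is not part of the article or any vendor's code: a sliding-window request counter replayed over constructed access-log lines (the addresses, paths, 60-second window and 5-request limit are assumptions).

```python
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # look-back window per client IP (assumed value)
MAX_REQUESTS = 5      # hits served per window before the IP is refused (assumed value)

class PerIpRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
        # hits: ip -> timestamps (epoch seconds) of requests that were served
        self.window, self.limit, self.hits = window, limit, defaultdict(deque)

    def allow(self, ip, ts):
        """Return True to serve the request, False to refuse it (IP over the limit)."""
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:   # forget hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True

def parse_line(line):
    """Parse the constructed 'ip iso-timestamp path' log format used below."""
    ip, ts, path = line.split()
    return ip, datetime.fromisoformat(ts).timestamp(), path

def review_log(text, limiter=None):
    """Replay chronologically ordered log lines; return {ip: number of refused requests}."""
    limiter = limiter or PerIpRateLimiter()
    refused = defaultdict(int)
    for line in text.splitlines():
        if line.strip():
            ip, ts, _path = parse_line(line)
            if not limiter.allow(ip, ts):
                refused[ip] += 1
    return dict(refused)

# Constructed sample traffic (not real log data): 203.0.113.7 pulls seven profile
# pages in nine seconds, a normal visitor fetches one, and the scraper returns later.
SAMPLE_LOG = """
203.0.113.7 2021-04-08T10:00:00 /in/profile-a
198.51.100.2 2021-04-08T10:00:01 /in/profile-b
203.0.113.7 2021-04-08T10:00:02 /in/profile-c
203.0.113.7 2021-04-08T10:00:03 /in/profile-d
203.0.113.7 2021-04-08T10:00:04 /in/profile-e
203.0.113.7 2021-04-08T10:00:05 /in/profile-f
203.0.113.7 2021-04-08T10:00:06 /in/profile-g
203.0.113.7 2021-04-08T10:00:08 /in/profile-i
203.0.113.7 2021-04-08T10:02:00 /in/profile-j
"""
```

Replaying `SAMPLE_LOG` refuses the scraper's sixth and seventh requests and serves it again once the window has passed; a scraper spread across many addresses, or legitimate users behind one shared NAT, is why the other controls he lists are layered on top of this one.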
Sam Curry, Chief Security Officer, Cybereason:
“The heart of the issue in the reported Facebook and LinkedIn data leaks is that the bad guys are getting better at this and at a faster rate than the good guys. That means the gap is growing in an accelerated way. It’s like seeing a Tesla race against someone on a 10-speed bicycle. At the start they are neck and neck, but about 5 seconds in the Tesla is gone. A day later there is 1,000 miles between them and there is no turning back. The bicycle simply can’t keep up with the sophistication of the Tesla or any car for that matter.
LinkedIn should default to transparency and helping the users and customers. With great power, comes great responsibility. We expect a lot of those who have the privilege of holding so much data. Live up to it. In the end, they must make some tough decisions in the next few days, but only they know right now what needs to be done. History will judge them with perfect hindsight and it will be clear to all eventually if they don’t do the right thing.
The challenges of protecting data are growing exponentially because the problem is one of rates. The attackers are improving their proficiency at a faster rate than defenders, and what you are seeing now is the result of that being true for a while. We must find a way to leap ahead in defense and to change the rates or this will become a major drag on the tech engine for our economy.
The SolarWinds and Microsoft Exchange Server breaches alone were overdue wake-up calls as an industry. And data leaks the size of the ones being reported on Facebook and LinkedIn are drawing eyeballs because they are in the headlines. What about the breaches and data leaks that are just as likely to be severe that we never hear about? With any headline data breach or loss of consumer privacy, there are always several security messages that need to be absorbed, digested and adapted. The sad truth is that major innovations, good and bad, from the wheel to the internal combustion engine, to nuclear power and any of a dozen other disruptive innovations don’t let you say, “wait a minute, I need a moment to process.” This is another one of those: Cyber is part and parcel of the connected world and not a nice-to-have or the domain of hobbyists.”
Niamh Muldoon, Global Data Protection Officer at OneLogin:
“This is a very interesting technique used by malicious actors and attackers to gain access to valuable data and information, including contact information. One could potentially argue that all of this information is in the public domain, so is it technically an unauthorized disclosure, incident, or breach? However, the consent to use this contact information is clearly where the privacy is breached, as these impacted individuals will not have given permission for their data to be shared and/or used for the various sales or marketing activities, and most concerningly, for dark web activities such as social engineering and phishing.
Trust and Security brand leaders will always be fully transparent as to the use of contact information, including consent, and take proactive measures to protect their end-users’ and customers’ contact data. It is their responsibility to do so in order to prevent cybersecurity risks such as phishing and/or other social engineering threats.”