700 million exposed in LinkedIn data scrape — what to do now
Data scraped from about 700 million LinkedIn profiles — more than 90% of the entire alleged LinkedIn member base — is being offered for sale in an online cybercrime marketplace.
The data includes full names, workplace email addresses, dates of birth, workplace addresses, mobile phone numbers, Facebook and Twitter IDs and links, job title, regional location and, in some cases, specific GPS coordinates — all of which appeared to be publicly available on LinkedIn profile pages.
Anyone who provided all that information on their LinkedIn page is likely to get more spam, be the target of phishing attempts and perhaps even be at greater risk of identity theft.
More significantly, many of the entries include very specific GPS coordinates that may reveal where a LinkedIn user lives, which could be useful to stalkers and burglars.
The solution, as always, is to give LinkedIn as little information about yourself as possible, and to prevent the LinkedIn app — or any social-media app — from accessing your GPS information on your phone.
What you can do to protect yourself
You can avoid being swept up in the next data scrape by providing just the minimum amount of data required to maintain a LinkedIn account, or in fact any social-media account.
Also be sure to go into your phone's settings and deny social-media apps access to your GPS coordinates.
In Android, go to Settings > Apps & notifications > App permissions > Location and decide which apps should always, should only sometimes or should never have access to your location. In iOS, you can do the same by going to Settings > Privacy > Location Services.
GPS data exposed
Even so, quite a few entries contained specific geographic coordinates, certainly many more than had provided email addresses or phone numbers.
It may be that those users used the LinkedIn mobile app and were not aware that the app could have grabbed their GPS data at the time and uploaded it to LinkedIn servers.
The geographic coordinates were pretty easy to translate into map locations by copying and pasting the coordinates into Google. We found locations in New York City and Brazil, on the side of a road in rural France and in various cities in India.
More alarmingly, we found coordinates that zeroed in on specific addresses in the Boston suburbs and in a small town in Wisconsin. Private houses were singled out and visible in Google Street View and the houses' full addresses displayed. Names were attached to each of those listings.
That's pretty serious. It means you or I could drive to those houses, pound on the doors and ask for the residents by name — all because of information that was publicly available on LinkedIn.
If anyone whose home address could be located with this data also happened to provide their date of birth along with the required full name, then an identity thief could try to use those three pieces of information to fraudulently open accounts in that person's name.
What we found in the scraped data
Tom's Guide had a look at the smallest sample of the scraped LinkedIn data, the only sample size that didn't require registration with a dodgy website.
We found that while all 443 entries provided in the sample contained LinkedIn users' full names and LinkedIn IDs, URLs, usernames, most users voluntarily provided nothing else besides their general geographical location, i.e. a country, city or state.
It appears most users knew well enough to give LinkedIn nothing but the bare minimum needed to maintain an account. Only about 7.5% of users in the data sample included a workplace email address.
Personal email addresses were not asked for. Very few people provided mobile phone numbers, and we could find only one in the first 100 entries.
Second time this year
This incident comes just a few months after a separate incident that saw the posting of data collected from 500 million LinkedIn user profiles.
"We cannot be sure whether or not the records are a cumulation of data from previous breaches and public profiles, or whether the data is from individual accounts," said Privacy Sharks, a website that analyzed a sample of the new data.
"Considering that there are 200 million new records available, it is likely that new data has been scraped."
The person selling the data goes by the name TomLiner and posted a sale notice on the Raid Forums website, which is open to the public, on June 22. He or she is offering samples of various sizes, ranging from one million records to just a few hundred.
Another website that analyzed samples, Restore Privacy, said TomLiner told them the data had been scraped using LinkedIn's own API, or application program interface, a tool that lets your computer quickly interface with a website's server.
LinkedIn's own website declares that it has 756 million users. If this stolen data actually amounts to 700 million users, that's about 92.5% of LinkedIn's entire user base. If you have a LinkedIn account, then your data is probably part of this.
Data breach or not, your information is still exposed
In other words, this isn't technically a data breach, and no hacking was involved, just as happened with the 500 million LinkedIn profiles scraped a few months ago.
Then as now, LinkedIn absolved itself of responsibility in a statement to Privacy Sharks: "This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed."
It also isn't as bad as the 2012 LinkedIn data breach that revealed the private information of about 117 million LinkedIn users, including their personal email addresses and their poorly encrypted passwords. Even Facebook founder Mark Zuckerberg had his email address and password exposed in that one.
Still, that's going to be small comfort to the people who trusted LinkedIn to guard their data. As privacy expert Melanie Ensign said in a recent opinion piece for Tom's Guide, "plenty of harm can be done with information that companies force users to share in public profiles."
"Whether the data was stolen, leaked, or scraped, the result for consumers is the same," Ensign added. "Their privacy was violated by a company they thought they could trust."
Source: https://www.tomsguide.com/news/linkedin-data-scrape-700-million
Posted by: jarrettspons1961.blogspot.com
