The private information of around half a billion LinkedIn users has been published online for sale as part of a database file.
“An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author,” website Cyber News reported.
According to LinkedIn, the database containing user data was posted on a website known for its popularity among hackers and other online malicious entities. LinkedIn denied the allegations that a full-on data breach had taken place, instead clarifying that some of the data scraped and put up for sale is public and viewable by other LinkedIn users.
“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies,” LinkedIn said.
“It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review,” the company added.
While this makes the data scrape seem more benign, it is hardly an innocent act of ‘data aggregation’. Details such as names, emails, profession and location fall into a category of data called ‘personally identifiable information’, which is of great use to hackers and online scammers.
But what exactly is personally identifiable information and why would hackers want it?
Under the European Union’s Data Protection Directive, which has been in effect since 1995, with full implementation following three years later, personal data includes everything that can be used to identify any one person in real life. This includes their passport or ID number, physical descriptors, social or cultural descriptors, and more.
Moreover, the directive specifies that it solely “applies to data processed by automated means (e.g. a computer database of customers) and data contained in or intended to be part of non-automated filing systems (traditional paper files).” What this means, in effect, is that data processed by a human being in a personal or household context does not fall under this legal framework.
Hackers can use personally identifiable information to fine-tune phishing attacks and extort their victims for large amounts of money. The more personal information hackers have about a user, the more realistic they can make their phishing emails or messages appear, raising the probability that an individual is duped and falls into their trap.