As the world’s go-to repository of professional details, LinkedIn was always going to be a target for cybercriminals. But as the company’s latest data leak shows, the platform’s data has now been so widely compromised that hackers have been able to package and sell the personal details of nearly 1 billion people without compromising a single system.
Reports that the records of 92 per cent of the Microsoft-owned company’s users – 700m people – were being offered for sale for $6600 ($US5000) on darkweb sites spread quickly. Analysis of the data found that it contained user email addresses, full names, phone numbers, physical addresses, geolocation records, personal and professional experience, and more.
LinkedIn was quick to look into the situation, emphasising in a statement that “this is not a data breach and no private LinkedIn member data was exposed”.
Instead, it appears, the data was ‘scraped’ from the LinkedIn site by bots that systematically load, copy and catalogue the details of all of the company’s users.
Information-rich sites often use CAPTCHA and other protections to prevent bots from scraping their data, but the wholesale compromise of LinkedIn – which suffered a similar breach when 500m credentials were leaked in April – was reportedly accomplished by abusing LinkedIn APIs that share data with other web sites.
“Cloud applications are mainly built with core application logic that is ‘connected’ to many APIs that deliver data throughout the application,” explained Oded Vanunu, head of products vulnerability with security giant Check Point Software Technologies.
“If the APIs are not secure this exposes them to risks,” such as APIs that allow users to make an unlimited number of data requests, he said, adding that “these incidents show that API security is very important while you build your application logic and infrastructure.”
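As an added example, not code from the article or from LinkedIn or Check Point, the following shows one defender-side check for the “unlimited number of data requests” problem Vanunu describes: constructed API access log lines are replayed through a per-client sliding window, and a client is flagged when it exceeds a request quota or fetches many distinct profiles within that window, the pattern a scraping bot leaves behind. The log format, client names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access log: ISO timestamp, client token, request path. Not real traffic.
ACCESS_LOG = (
    # client-A: seven different profiles in 30 seconds (scraper-like enumeration)
    [f"2021-06-28T10:00:{5*i:02d} client-A /api/profile/{1001+i}" for i in range(7)]
    # client-B: ordinary use, one profile plus the feed, spread over a minute
    + ["2021-06-28T10:00:00 client-B /api/feed",
       "2021-06-28T10:00:20 client-B /api/profile/2002",
       "2021-06-28T10:00:40 client-B /api/feed",
       "2021-06-28T10:00:55 client-B /api/profile/2002"]
    # client-C: six profiles, but more than a minute apart each time
    + [f"2021-06-28T10:{1+i:02d}:{10*i:02d} client-C /api/profile/{3001+i}" for i in range(6)]
)

WINDOW = timedelta(seconds=60)          # hypothetical sliding window
MAX_REQUESTS_PER_WINDOW = 5             # hypothetical per-client request quota
MAX_DISTINCT_PROFILES_PER_WINDOW = 4    # hypothetical enumeration threshold


def parse_line(line):
    """Split one log line into (timestamp, client, path)."""
    ts, client, path = line.split()
    return datetime.fromisoformat(ts), client, path


def audit(log_lines, window=WINDOW, max_req=MAX_REQUESTS_PER_WINDOW,
          max_profiles=MAX_DISTINCT_PROFILES_PER_WINDOW):
    """Replay log lines in time order and return {client: [reasons]} for every
    client that exceeded the request quota or fetched too many distinct profiles
    inside any single sliding window."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, path) still in window
    flagged = defaultdict(set)
    for line in sorted(log_lines):          # ISO timestamps sort lexically
        ts, client, path = parse_line(line)
        q = recent[client]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # evict requests older than the window
            q.popleft()
        if len(q) > max_req:
            flagged[client].add("rate_limit_exceeded")
        profiles = {p for _, p in q if p.startswith("/api/profile/")}
        if len(profiles) > max_profiles:
            flagged[client].add("profile_enumeration")
    return {c: sorted(r) for c, r in flagged.items()}


if __name__ == "__main__":
    print(audit(ACCESS_LOG))  # only client-A is flagged, for both reasons
```

In production the same window state would live in the API gateway (or a shared cache) so the quota is enforced before the response is served, rather than discovered afterwards in the logs.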
The technique was the same as that used during the April breach, as well as the publication of 533m Facebook accounts during the same month.
It was also likely tapped for an additional data dump, revealed early this month, that added 300m LinkedIn accounts and brought the total number of records in this incident to over 1 billion.
Going where the data is
LinkedIn claims to be working hard to protect its users’ data.
“Members trust LinkedIn with their data,” the company wrote in June just as it did in April, “and any misuse of our members’ data, such as scraping, violates LinkedIn terms of service.”
“When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”
Just how that accountability might be administered is yet to be seen – the fact that the leaker has apparently been able to compromise LinkedIn using similar means on multiple occasions suggests they have the upper hand for now – but the publication of so many users’ details raises bigger issues.
Reuse of user ID-password combinations is a major factor in breaches of company security: billions of credentials are readily available online, and reused credentials have long been recognised as a key tool for compromising corporate accounts.
A recent SpyCloud analysis of 854 major credential dumps – which included nearly 1.5 billion records – found that 60 per cent of user name-password combinations had been reused across multiple accounts.
Security researchers were able to isolate 1.2 billion phone numbers, 70m ‘secret answers’ for password recovery, and 1m bank account details.
Interestingly, looking at the 270,000 government accounts involved in that breach, the share of passwords reused jumped to 87 per cent.
Given such high levels of password reuse, the scope of the current breaches means anybody using the same password on LinkedIn as on other sites has now handed over the keys to those services – leaving them, their families, and their employers exposed.
Social-media sites aren’t the only targets for such activities: a recent report found massive targeting of gaming sites, while last year a massive dump revealed 11 billion credentials from adult sites.
LinkedIn hacks have been happening as long as the company has been around, with the details of 6.5m user accounts reported stolen in 2012 and an additional 100m credentials discovered to have been compromised four years later.