Attacked, Stolen and for Sale - Again

After 500 million LinkedIn users were affected in a data-scraping incident in April 2021, it has happened again with big security consequences.  A new posting with 700 million LinkedIn records has appeared on a popular hacker forum.  Analysts from Privacy Sharks found the data put up for sale on RaidForums by a hacker calling himself “GOD User TomLiner.”  The dark web advertisement, posted 22 June 2021, claims that 700 million records are included in the cache, and included a sample of 1 million records as “proof.”

Privacy Sharks examined the free sample and saw that the records include full names, gender, email addresses, phone numbers and industry information.  The origin of the data is unclear, but the scraping of public profiles is a likely source.  That was the engine behind the collection of 500 million LinkedIn records that went up for sale in April.  It contained an “aggregation of data from a number of websites and companies” as well as “publicly viewable member profile data,” LinkedIn said at the time.

According to LinkedIn, no breach of its networks has occurred this time, either: “While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources,” according to the company’s press statement.  “This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.  Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected.”

“This time around, we cannot be sure whether or not the records are a cumulation of data from previous breaches and public profiles, or whether the information is from private accounts,” according to Privacy Sharks’ blog post, published on 28 June 2021.  “We employ a strict policy of not supporting sellers of stolen data and, therefore, have not purchased the leaked list to verify all of the records.”

There are 200 million more records available in the collection this time around, so it is probable that new data has been scraped and that it is more than a rehash of the previous group of records, researchers added.[1]

The good news is that credit-card data, private message contents and other sensitive information are not part of the incident, according to Privacy Sharks’ analysis.  That’s not to say there aren’t serious security implications, though.  “The leaked information poses a threat to affected LinkedIn users,” according to Privacy Sharks.  “With details such as email addresses and phone numbers made available to buyers online, LinkedIn individuals could become the target of spam campaigns, or worse still, victims of identity theft.”

It added, “expert hackers may still be able to track down sensitive data through just an email address.  LinkedIn users could also be on the receiving end of email or telephone scams that trick them into sharing sensitive credentials or transferring large amounts of money.”

Then there are brute-force attacks to be concerned about:  “Using email addresses provided in the records, hackers may attempt to access users’ accounts using various combinations of common password characters,” researchers warned.  The data could be a social-engineering goldmine.  Attackers could simply visit public profiles to target someone, but having so many records in one place could make it possible to automate targeted attacks using information about users’ jobs and gender, among other details.

“It is not uncommon to see such data sets being used to send personalized phishing emails, extort ransom or earn money on the Dark Web, especially now that many hackers target job seekers on LinkedIn with bogus job offers, infecting them with a backdoor trojan,” Candid Wuest, Acronis vice president of cyber-protection research, said via email at the time of the first data-scraping incident.  “For example, such personalized phishing attacks with LinkedIn lures were used by the Golden Chickens group.”

Once again, I wonder who will be contacting me on LinkedIn with a great opportunity to connect, visit URLs and open attached PDFs.  This looks like a great time to consider working with a phishing simulation and training organization, before your employees fall for any of the usual tricks.  Red Sky Alliance has continued to partner with companies that can help protect our clients, members and readers.  Please visit https://www.wapacklabs.com/phinsecurity for an inexpensive way to protect your organization.

At Red Sky Alliance, we can help INFOSEC teams with services beginning with cyber threat notification, analysis and complete elimination of cyber threat from both the inside and outside of networks.  Our analysts will be happy to hold a brief call with your team members to help them better prepare for cyberattacks, malware and ransomware.  And what if this call led to savings in current duplicated services and forecasted need for additional personnel? 

Red Sky Alliance is in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Interested in a RedXray subscription to see what we can do for you?  Sign up here: https://www.wapacklabs.com/RedXray   

 

 

[1] https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/
