Personal data from more than 500 million LinkedIn users has been posted for sale online in yet another incident of threat actors scraping data from public profiles and slinging it online for potential cybercriminal misuse.
Hackers posted an archive containing data they said includes LinkedIn IDs, full names, professional titles, email addresses, phone numbers and other personally identifiable information (PII) on a popular hacker forum, according to a [report](<https://cybernews.com/news/stolen-data-of-500-million-linkedin-users-being-sold-online-2-million-leaked-as-proof-2/>) in CyberNews on Tuesday.
The LinkedIn incident comes on the heels of a substantial [leak of personal data](<https://threatpost.com/facebook-accounts-leaked-check-exposed/165245/>) from more than 533 million Facebook users last weekend.
[](<https://threatpost.com/newsletter-sign/>)
The data set also includes links to LinkedIn profiles and other social-media profiles, according to the report. Moreover, to prove the authenticity of the info and provide a teaser of the data inside, the hackers responsible also leaked another 2 million records as a proof-of-concept sample, the report said.
Users on the forum can view the samples for about $2 worth of forum credits. However, the threat actor also appears to be auctioning off the crown jewel of the data-gathering — the 500-million-user database — for at a sum that is at least in the four-digit range, most likely in a Bitcoin equivalent, according to the report.
“As the leaked data contains no payment card details and no passwords, it’s of less value to attackers and won’t sell for much on the Dark Web anyway,” Candid Wuest, Acronis vice president of cyber-protection research, said via email. “However, it does contain valuable personal information (workplace info, email, social account links), which is why it’s not published it for free.”
## LinkedIn Confirms Data-Scraping
LinkedIn officials [confirmed ](<https://news.linkedin.com/2021/april/an-update-from-linkedin>) that data from the platform was included in the database and, like [Facebook officials before them](<https://threatpost.com/facebook-stolen-data-scraped/165285/>), said it was not due to a breach of its system but instead was scraped from the LinkedIn site.
“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies” that includes “publicly viewable member-profile data that appears to have been scraped from LinkedIn,” the company said in a statement on its website, on Thursday.
“This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review,” according to the post.
Scraping is a common tactic used by threat actors to siphon public information from the internet that can then be sold online for profit and reused for malicious activity. Scraped data is often repurposed to create socially engineered phishing attacks, to commit identity theft, brute-force credentials or spam victims’ accounts, among other nefarious activity.
LinkedIn also echoed Facebook’s comments that any misuse of platform members’ data by scraping violates its terms of service, and said the company will be investigating.
“When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable,” according to LinkedIn’s statement.
It’s unclear at this time if LinkedIn will face regulatory troubles due to the incident, such as being in violation of the [General Data Protection Rule (GDPR)](<https://threatpost.com/gdpr-a-compliance-quagmire-for-now/132644/>). The GDPR is a European Union rule that went into effect in May 2018 that mandates that companies disclose data breaches within a certain period of time or face penalties. Facebook currently faces an investigation by Ireland’s Data Protection Commission (IDPC) over the earlier leak.
CyberNews has posted an [online tool](<https://cybernews.com/personal-data-leak-check/>) so people can check to see if their data was leaked in the most recent LinkedIn incident. If that’s the case, they should be extra-cautious in opening suspicious emails or text messages or links related to messages from senders they don’t recognize.
“It is not uncommon to see such data sets being used to send personalized phishing emails, extort ransom or earn money on the Dark Web – especially now that many hackers target job seekers on LinkedIn with bogus job offers, infecting them with a backdoor trojan,” said Wuest. “For example, such personalized phishing attacks with LinkedIn lures were [used by the Golden Chickens group](<https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/>) last week.”
_**Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a [FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>), “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. [Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>) for the Wed., April 21 LIVE event. **_
{"id": "THREATPOST:57449A00180158BC0B9FF3FEBA1B4CD8", "type": "threatpost", "bulletinFamily": "info", "title": "Data from 500M LinkedIn Users Posted for Sale Online", "description": "Personal data from more than 500 million LinkedIn users has been posted for sale online in yet another incident of threat actors scraping data from public profiles and slinging it online for potential cybercriminal misuse.\n\nHackers posted an archive containing data they said includes LinkedIn IDs, full names, professional titles, email addresses, phone numbers and other personally identifiable information (PII) on a popular hacker forum, according to a [report](<https://cybernews.com/news/stolen-data-of-500-million-linkedin-users-being-sold-online-2-million-leaked-as-proof-2/>) in CyberNews on Tuesday.\n\nThe LinkedIn incident comes on the heels of a substantial [leak of personal data](<https://threatpost.com/facebook-accounts-leaked-check-exposed/165245/>) from more than 533 million Facebook users last weekend.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe data set also includes links to LinkedIn profiles and other social-media profiles, according to the report. Moreover, to prove the authenticity of the info and provide a teaser of the data inside, the hackers responsible also leaked another 2 million records as a proof-of-concept sample, the report said.\n\nUsers on the forum can view the samples for about $2 worth of forum credits. However, the threat actor also appears to be auctioning off the crown jewel of the data-gathering \u2014 the 500-million-user database \u2014 for at a sum that is at least in the four-digit range, most likely in a Bitcoin equivalent, according to the report.\n\n\u201cAs the leaked data contains no payment card details and no passwords, it\u2019s of less value to attackers and won\u2019t sell for much on the Dark Web anyway,\u201d Candid Wuest, Acronis vice president of cyber-protection research, said via email. \u201cHowever, it does contain valuable personal information (workplace info, email, social account links), which is why it\u2019s not published it for free.\u201d\n\n## LinkedIn Confirms Data-Scraping\n\nLinkedIn officials [confirmed ](<https://news.linkedin.com/2021/april/an-update-from-linkedin>) that data from the platform was included in the database and, like [Facebook officials before them](<https://threatpost.com/facebook-stolen-data-scraped/165285/>), said it was not due to a breach of its system but instead was scraped from the LinkedIn site.\n\n\u201cWe have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies\u201d that includes \u201cpublicly viewable member-profile data that appears to have been scraped from LinkedIn,\u201d the company said in a statement on its website, on Thursday.\n\n\u201cThis was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we\u2019ve been able to review,\u201d according to the post.\n\nScraping is a common tactic used by threat actors to siphon public information from the internet that can then be sold online for profit and reused for malicious activity. Scraped data is often repurposed to create socially engineered phishing attacks, to commit identity theft, brute-force credentials or spam victims\u2019 accounts, among other nefarious activity.\n\nLinkedIn also echoed Facebook\u2019s comments that any misuse of platform members\u2019 data by scraping violates its terms of service, and said the company will be investigating.\n\n\u201cWhen anyone tries to take member data and use it for purposes LinkedIn and our members haven\u2019t agreed to, we work to stop them and hold them accountable,\u201d according to LinkedIn\u2019s statement.\n\nIt\u2019s unclear at this time if LinkedIn will face regulatory troubles due to the incident, such as being in violation of the [General Data Protection Rule (GDPR)](<https://threatpost.com/gdpr-a-compliance-quagmire-for-now/132644/>). The GDPR is a European Union rule that went into effect in May 2018 that mandates that companies disclose data breaches within a certain period of time or face penalties. Facebook currently faces an investigation by Ireland\u2019s Data Protection Commission (IDPC) over the earlier leak.\n\nCyberNews has posted an [online tool](<https://cybernews.com/personal-data-leak-check/>) so people can check to see if their data was leaked in the most recent LinkedIn incident. If that\u2019s the case, they should be extra-cautious in opening suspicious emails or text messages or links related to messages from senders they don\u2019t recognize.\n\n\u201cIt is not uncommon to see such data sets being used to send personalized phishing emails, extort ransom or earn money on the Dark Web \u2013 especially now that many hackers target job seekers on LinkedIn with bogus job offers, infecting them with a backdoor trojan,\u201d said Wuest. \u201cFor example, such personalized phishing attacks with LinkedIn lures were [used by the Golden Chickens group](<https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/>) last week.\u201d\n\n_**Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a [FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>), \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. [Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>) for the Wed., April 21 LIVE event. **_\n", "published": "2021-04-09T14:06:24", "modified": "2021-04-09T14:06:24", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/data-500m-linkedin-users-online/165329/", "reporter": "Elizabeth Montalbano", "references": ["https://cybernews.com/news/stolen-data-of-500-million-linkedin-users-being-sold-online-2-million-leaked-as-proof-2/", "https://threatpost.com/facebook-accounts-leaked-check-exposed/165245/", "https://threatpost.com/newsletter-sign/", "https://news.linkedin.com/2021/april/an-update-from-linkedin", "https://threatpost.com/facebook-stolen-data-scraped/165285/", "https://threatpost.com/gdpr-a-compliance-quagmire-for-now/132644/", "https://cybernews.com/personal-data-leak-check/", "https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/", "https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar", "https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar"], "cvelist": [], "immutableFields": [], "lastseen": "2021-04-09T15:54:31", "viewCount": 68, "enchantments": {"dependencies": {"references": []}, "score": {"value": 0.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "nessus", "idList": ["FREEBSD_PKG_810DF820366411E18FE300215C6A37BB.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366"]}]}, "exploitation": null, "vulnersScore": 0.5}, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659749172}}