June 2021: "TomLiner" sells 700 million LinkedIn data

In June 2021, a massive data leak shook LinkedIn when it emerged that data from a staggering 700 million profiles – approximately 92 percent of the platform's users at the time – had been systematically collected and offered for sale on a dark web forum. An actor known as "TomLiner" was behind this extensive [Internal Link Placeholder] attempt. Although LinkedIn emphasized that it was not a traditional [Internal Link Placeholder], but rather a collection of publicly available data combined with information from third parties, the incident triggered an intense debate about online privacy, data security, and the digital vulnerabilities associated with our online presence. The enormous dataset included names, phone numbers, [Internal Link Placeholder] addresses, and even geolocation data, exposing the risk of misuse of this personal information, including potential [Internal Link Placeholder] and [Internal Link Placeholder], even if individual pieces of data were public.

April-June: "TomLiner" exploited LinkedIn's API flaw

This crisis in June 2021 was an escalation of a problem that had already manifested in April of the same year, when "TomLiner" offered a dataset from 500 million LinkedIn users for sale. The method used was "scraping," where automated software systematically extracts data from websites. By combining scripts and exploiting LinkedIn's own API – an interface intended for controlled data sharing with third parties – the hacker managed to bypass the platform's built-in limitations on search and profile viewing. A free sample package of one million profiles quickly confirmed the data's authenticity and the alarming extent of the leak, causing a stir in the security industry and among LinkedIn users. LinkedIn's assurances that no private data was compromised and that it was exclusively public information supplemented from other sources were met with skepticism. Critics pointed out that the LinkedIn API vulnerability that enabled the extensive scraping had potentially existed since 2017, and that the response to the initial data leak in April had been inadequate.

Technical method: LinkedIn's API and industrial scraping

Technically, this [Internal Link Placeholder] attack involved an advanced exploitation of LinkedIn's API to automate data extraction on an [Internal Link Placeholder] scale. Although the API was designed to give developers controlled access to public data, a design flaw allowed attackers to bypass established limitations. The scraping process itself consisted of several steps: First, systematic searches identified public profiles. Then, data was automatically extracted by bots programmed to mimic human behavior on the [Internal Link Placeholder]. This collected data was subsequently aggregated, possibly enriched with information from other data sources, and finally cleaned and structured for sale on the digital black market. The result was a detailed "data puzzle" that, even without financial information, created a significant risk of [Internal Link Placeholder] and other forms of digital [Internal Link Placeholder].

Consequences: From phishing to advanced espionage

The consequences of this data leak were extensive. Although sensitive financial data was not compromised, the enormous amount of personal and professional information provided a perfect basis for advanced social engineering attacks. Phishing campaigns, often via sophisticated [Internal Link Placeholder] solicitations, could now be targeted with unprecedented precision, as attackers exploited information about job titles, company affiliations, and professional networks to create convincing fake communications. A concrete example was fake recruitment emails designed to exploit career ambitions to distribute [Internal Link Placeholder] or [Internal Link Placeholder]. Companies also became vulnerable, as leaked employee profiles could reveal internal organizational structures and key personnel, opening the door for targeted corporate [Internal Link Placeholder]. A subsequent study showed that 68% of affected companies registered an increase in phishing attempts, particularly against senior employees, underscoring the risk of [Internal Link Placeholder], potential [Internal Link Placeholder], and other [Internal Link Placeholder].

Legal dilemmas: GDPR, HiQ case, LinkedIn responsibility

The leak of 700 million LinkedIn profiles brought sharp focus to the legal and ethical dilemmas surrounding data collection, protection, and the risk of unauthorized [Internal Link Placeholder]. The EU's General Data Protection Regulation (GDPR) became central to the debate, and supervisory authorities questioned LinkedIn's ability to protect against scraping, the company's lack of transparency about risks, and its unclear communication regarding the exploited API vulnerability. The case mirrored the complexity of the long-running HiQ Labs case (2017-2022). In that case, a court ruled that scraping publicly available data is not necessarily illegal under certain U.S. laws, but also emphasized the importance of ethical considerations. The HiQ Labs ruling contributed to platforms like LinkedIn subsequently tightening their user terms and increasing investments in technologies to detect and block malicious bot activity and other forms of [Internal Link Placeholder].

LinkedIn's response: Improved security and user advice

As a direct consequence of this data leak, LinkedIn has implemented several improvements to strengthen the platform's data security. These measures include real-time detection of scraping activities using machine learning, rate limiting for the API, stronger authentication, including two-factor authentication for API access, and pseudonymization of certain profile fields to make aggregated datasets less directly identifiable. For users, the incident underscores the importance of digital diligence. Security experts continue to advise LinkedIn users to regularly review their profile visibility settings, use unique and strong [Internal Link Placeholder], enable multi-factor authentication where possible, and critically assess unsolicited communications – especially those that seem tailored based on information shared on the platform and could be phishing or [Internal Link Placeholder] attempts.

Lessons from 2021: Visibility vs. digital self-defense

The 2021 LinkedIn data leak stands as a stark reminder of the inherent balancing act on professional [Internal Link Placeholder] platforms: the desire for visibility and networking versus the critical need to protect one's online privacy. Although LinkedIn characterized the incident as "only" scraping, it clearly demonstrated how even publicly available data can pose serious security risks and lead to [Internal Link Placeholder] when collected and aggregated on a large scale. For companies, the case underscored that API security is as crucial as protecting internal networks from [Internal Link Placeholder]. For individual users, the incident cemented the necessity of constant digital awareness and proactive measures to protect one's online identity in a digital age where the lines between professional and personal life often blur.

Sources:

• indiatoday.in
• malwarebytes.com
• inverse.com
• securitymagazine.com
• therecord.media

Interested in cybercrime and data security? Follow KrimiNyt for in-depth analyses of the biggest digital threats and cases.