Data from over 700 million LinkedIn accounts has reportedly been posted for sale on the dark web. Given that LinkedIn reports that it has approximately 760 million users, this breach affects almost all (92%+) of the platform’s user base. While it currently appears that the posted data does not include passwords, it nonetheless includes valuable and sensitive information such as full names, email addresses, phone numbers, physical addresses, geolocation data, social media accounts and user names, and inferred salaries. The hacker who posted the data claims to have obtained it by exploiting the LinkedIn API (Application Programming Interface) to scrape data from the site.
LinkedIn has issued a statement indicating that it investigated the hacker's allegations and declaring that this is not a data breach and that no private LinkedIn member data was exposed. Even so, the fact that passwords are not included in the available data is unlikely to allay users' concerns about this alleged data leak. The types of data involved (whether scraped or stolen) could still be misused for identity theft by bad actors, who could use the data to attempt to impersonate users in order to gain access to people’s accounts (and not just LinkedIn accounts).
The incident is a reminder that the aggregation of sensitive data, whether protected or not, is attractive to hackers, and that users need to exercise ongoing diligence in considering how much data about themselves they are willing to give to any single platform.
Nixon Peabody’s Cybersecurity and Privacy Team will continue to monitor developments in this alleged data breach.