LinkedIn confirmed that it was not a victim of a data breach

LinkedIn has formally denied that the recently disclosed data leak was caused by a security breach, data were obtained via web scraping.

LinkedIn has issued a formal statement to deny that the recent leak that exposed the account details of more than 500 million of its registered users was caused by a security breach.

A threat actor has put for sale on a popular hacker forum an archive containing data purportedly scraped from 500 million LinkedIn profiles, with another 2 million records leaked as a proof-of-concept sample by the post author.

The four leaked files contain information about the users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more. 

Users on the hacker forum can view the leaked samples for about $2 worth of forum credits, the threat actor was auctioning the much-larger 500 million user database for at least a 4-digit sum, worth of bitcoin or other cryptocurrencies.

Samples analyzed by CyberNews contain a variety of mostly professional information from LinkedIn profiles, including:

• IDs
• Full names
• Email addresses
• Phone numbers
• Genders
• Links to LinkedIn profiles
• Links to other social media profiles
• Professional titles and other work-related data

This data can be used by threat actors to conduct multiple malicious activities, including:

• phishing/spear-phishing attacks.
• conduct spam campaigns.
• use the credentials of LinkedIn profiles to conduct bruteforce attacks

LinkedIn has now released a statement that confirms that the leaked data only included public information that was obtained by threat actors through web scraping activity from a number of websites and companies.

“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies. It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.” reads an update published by the company. “Any misuse of our members’ data, such as scraping, violates LinkedIn terms of service. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”

Sadly, the same news outlets caused undue damage to a second company days later when they also published strongly-worded articles claiming that audio conversations app Clubhouse also got hacked.

During the weekend, researchers from Cyber News have discovered that the personal data of 1.3 million Clubhouse users were also leaked online.

The experts found an ad on a hacker forum offering for free a SQL database containing 1.3 million scraped Clubhouse user records.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]