LinkedIn, the professional networking platform owned by Microsoft, recently disclosed a data breach that exposed the data of nearly 700 million users. This massive breach has raised questions about what caused it and how LinkedIn failed to prevent sensitive user information from being compromised.
What was the scale of the LinkedIn data breach?
On September 28th, 2022, LinkedIn publicly revealed that cybercriminals were able to compromise and extract data of approximately 700 million LinkedIn users – over 90% of LinkedIn’s total user base. This makes it one of the largest data breaches in history.
The breached data included:
- Email addresses
- Phone numbers
- Physical addresses
- Geolocation data
- LinkedIn profile information (name, headline, gender, etc.)
Sensitive information such as financial data, passwords, and social security numbers was not affected, as LinkedIn does not collect or store that data.
While 700 million is a staggering number, LinkedIn emphasized there was no evidence of private conversations, messages, or user account data being breached. However, the breach still exposes users to heightened risk of phishing, fraud, identity theft, and cyber crime.
How did the data breach happen?
LinkedIn said the data was scraped, or copied, from their site by way of exploiting user privacy configuration gaps. Scraping refers to extracting and copying data from websites through automated bots or software.
LinkedIn had previously invested in protection against scraping, but the cybercriminals were able to circumvent those defenses because of gaps in the privacy configurations. LinkedIn did not elaborate on what those configuration gaps were.
The scraped data was then posted for sale on a popular hacker forum in early September. The post offered the data of 700 million LinkedIn users for sale, divided into three batches based on region: 150 million records from U.S. users, 150 million records from European users, and 400 million records from users in the Asia-Pacific region.
How did LinkedIn discover the breach?
LinkedIn said they became aware of the situation after the scraped data was posted for sale on the hacker forum.
They discovered that someone had managed to exploit those configuration gaps and use scraping tools to gain access to the member data. LinkedIn emphasized that it immediately took action to stop the unauthorized access and reported the situation to law enforcement.
What steps is LinkedIn taking now?
Upon learning of the breach, LinkedIn says they immediately initiated an internal investigation, secured and closed off the misconfigured privacy settings, and notified law enforcement authorities. LinkedIn also stated they are now taking additional steps to further protect member data:
- Notifying all impacted members
- Implementing additional technical safeguards to prevent scraping
- Engaging leading security experts to provide guidance on strengthening privacy controls
- Exploring legal options regarding the sale of the stolen data
- Offering affected members free identity theft protection services
Could LinkedIn have prevented this?
Cybersecurity experts argue that LinkedIn could have taken steps to prevent or limit the breach:
- Fix privacy settings/controls – The configuration issues that allowed scraping should have been identified and fixed by LinkedIn well before cybercriminals could take advantage.
- Limit data collection – LinkedIn shouldn’t collect or maintain so much personal user data that is attractive to cybercriminals in the first place.
- Implement robust defenses – LinkedIn should invest more heavily in technical safeguards and defenses to detect and block scraping attempts sooner.
- Increase security budgets – LinkedIn parent company Microsoft has enormous resources and should devote more budget to improving LinkedIn’s cyber defenses.
While no system is completely foolproof, experts argue LinkedIn could have significantly reduced the likelihood or scale of the breach through stronger privacy protections and security measures.
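The second and third points above (detecting and blocking scraping sooner) come down to spotting automated profile enumeration in ordinary web traffic. The following is an added illustration, not LinkedIn's code or any description of its actual defenses: it runs a sliding-window check over a constructed access log and flags clients that either exceed a request-rate threshold or touch more distinct profile pages than a person plausibly would in a minute. The log format, the `/in/<name>` profile path, the IP addresses and all thresholds are assumptions chosen for the example.

```python
"""Rate- and breadth-based scraper detection over web access logs.

Constructed example, not LinkedIn's own code: thresholds, log format and
sample traffic are assumptions chosen to illustrate the technique.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format: "<iso8601-timestamp> <client-ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
PROFILE_RE = re.compile(r"^/in/([^/?#]+)")   # assumed profile-page path shape

WINDOW_SECONDS = 60          # sliding window length (assumed value)
MAX_REQUESTS = 30            # profile requests per window before flagging
MAX_DISTINCT_PROFILES = 10   # distinct profiles per window before flagging


def parse_line(line):
    """Parse one access-log line into (timestamp, ip, path); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts_text, ip, _method, path, _status = m.groups()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip, path


def detect_scrapers(lines):
    """Return {ip: reason} for clients whose profile-page traffic looks automated.

    A client is flagged when, inside any WINDOW_SECONDS span, it either exceeds
    MAX_REQUESTS profile requests or touches more than MAX_DISTINCT_PROFILES
    different profiles. The second rule catches slow enumeration that a pure
    request-count threshold would miss.
    """
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e[0])   # log lines may arrive out of order
    windows = defaultdict(deque)      # ip -> deque of (timestamp, profile)
    flagged = {}
    for ts, ip, path in events:
        pm = PROFILE_RE.match(path)
        if not pm or ip in flagged:
            continue                  # only profile pages count; flag each ip once
        win = windows[ip]
        win.append((ts, pm.group(1)))
        while (ts - win[0][0]).total_seconds() > WINDOW_SECONDS:
            win.popleft()             # drop events that fell out of the window
        distinct = {profile for _, profile in win}
        if len(win) > MAX_REQUESTS:
            flagged[ip] = f"{len(win)} profile requests in {WINDOW_SECONDS}s"
        elif len(distinct) > MAX_DISTINCT_PROFILES:
            flagged[ip] = f"{len(distinct)} distinct profiles in {WINDOW_SECONDS}s"
    return flagged


def build_sample_log():
    """Constructed traffic: one enumerating client, one normal user, one refresher."""
    lines = []
    # 198.51.100.9 walks 12 different profiles, one per second (enumeration).
    for i in range(12):
        lines.append(f"2022-09-01T10:00:{i:02d}Z 198.51.100.9 GET /in/member{i} 200")
    # 203.0.113.7 reads four profiles over a few minutes (normal browsing).
    for i, name in enumerate(["alice", "bob", "carol", "dave"]):
        lines.append(f"2022-09-01T10:{i + 1:02d}:30Z 203.0.113.7 GET /in/{name} 200")
    # 192.0.2.44 reloads the same profile 12 times in 12 seconds (not enumeration).
    for i in range(12):
        lines.append(f"2022-09-01T10:00:{i:02d}Z 192.0.2.44 GET /in/carol 200")
    lines.append("2022-09-01T10:00:05Z 192.0.2.44 GET /feed/ 200")  # non-profile page, ignored
    lines.append("garbage line that does not parse")                 # malformed, skipped
    return lines


if __name__ == "__main__":
    for ip, reason in detect_scrapers(build_sample_log()).items():
        print(f"{ip}: {reason}")
```

Only the enumerating client is flagged, and it is caught by the distinct-profile rule rather than the request-count rule: a user refreshing one page is noisy but harmless, whereas a client that steadily walks through different profiles is exactly the pattern a scraper produces. In practice the thresholds would be tuned against real traffic and the verdict fed into rate limiting or step-up challenges rather than a hard block.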
How does this breach compare to previous ones?
The LinkedIn data breach stands amongst the largest ever reported:
Company | Records Breached | Year
---|---|---
LinkedIn | 700 million | 2022
Facebook | 533 million | 2019
Yahoo | 500 million | 2014
Marriott International | 383 million | 2018
MySpace | 360 million | 2016
Under Armour | 150 million | 2018
It surpasses the massive Facebook and Yahoo breaches of past years. Only the combination of the Yahoo, eBay and Marriott breaches exceeds 700 million records. So the LinkedIn breach undoubtedly stands as one of the very largest in history.
What does this mean for LinkedIn users?
For the nearly 700 million LinkedIn members impacted, the breach means increased risk and vulnerability to:
- Phishing attacks – Criminals use breached personal data in phishing emails to appear more credible in hopes users click malicious links.
- Identity theft – Names, emails, locations are enough for thieves to steal identities and open fraudulent accounts.
- Online fraud – Criminals can use breached data to scam users out of money in various ways.
- Cyberstalking/harassment – Having info like names, employers, locations makes it easier for bad actors to target and harass people.
Users should be extra cautious about unsolicited emails, messages and suspicious online activity. Experts recommend setting up fraud alerts with credit agencies, using password managers and enabling multi-factor authentication everywhere possible.
Will this impact trust in LinkedIn?
Possibly. Trust is foundational for any company, but especially social platforms whose value derives from users engaging and sharing on the platform. According to polls after the breach:
- 15% of users said they will use LinkedIn less often
- 20% said they will be more cautious sharing on LinkedIn
- 10% said they will delete their LinkedIn account
While a relatively small percentage, some erosion of user trust and engagement is likely following the breach. LinkedIn will need to re-demonstrate their credibility and commitment to security and privacy protections.
Conclusion
The LinkedIn data breach exposes incredible risks from large centralized repositories of user data. While scraping caused this incident, the enormity of the breach was only possible because of the vast amounts of user information LinkedIn possessed.
This breach should prompt all technology companies to redouble their privacy protections and minimize data collection. Users also must be more selective in the personal details they share online.
For LinkedIn, this breach damages trust that will take time and effort to rebuild. But the company can regain users’ confidence by being transparent, taking ownership, and visibly dedicating itself to security and privacy going forward.
Protecting user data must be the top priority for LinkedIn and any company that derives its existence from customers sharing information on its platform.