In April 2022, LinkedIn confirmed that account information from approximately 700 million user accounts had been posted for sale on the dark web. This represented a massive data breach for the professional networking platform.
What data was exposed in the LinkedIn breach?
The data that was exposed in the LinkedIn breach included:
- Email addresses
- Phone numbers
- Physical addresses
- Geolocation data
- LinkedIn usernames
- Genders
- Other social media handles
Sensitive information like passwords and financial data does not appear to have been exposed. However, the breach still exposed a significant amount of personal user information.
How many user accounts were affected?
LinkedIn confirmed that data from approximately 700 million user accounts worldwide was posted for sale online. This represents over 90% of LinkedIn’s user base, which currently sits at over 740 million members globally.
| Total LinkedIn users | Users affected in breach |
|---|---|
| 740 million | 700 million |
So the overwhelming majority of LinkedIn members had at least some of their account information exposed in this breach.
How did the breach happen?
LinkedIn said an unauthorized party scraped and aggregated data from a number of websites and companies. It appears the data originated in two incidents:
- Data scraped from LinkedIn in 2012, before LeakedSource’s shutdown
- Additional data scraped from LinkedIn in 2016-2017
This historical LinkedIn member data was then posted for sale online. LinkedIn stressed that this was not a hack or breach of their systems, but rather an aggregation of information obtained from various web scraping operations over the years.
When did LinkedIn become aware of the breach?
According to LinkedIn:
- April 8, 2022: They became aware of the aggregated, publicly available data being sold online.
- April 9, 2022: They commenced investigations into the data contents and validity.
- April 11, 2022: They substantiated specific member data had been scraped and made available for sale.
- April 19, 2022: They completed their investigation and confirmed 700 million accounts were impacted.
So it took LinkedIn approximately 10 days from initial awareness to fully investigate and disclose the breach.
How did LinkedIn notify impacted users?
LinkedIn did not directly notify individual users if they were affected by the breach. Instead, they published a blog post on April 20, 2022, confirming the incident and including information for users to protect themselves.
LinkedIn stated they did not directly notify all 700 million impacted members because they do not want to draw more attention to the data. They did not force password resets, noting that the passwords were not exposed.
What steps did LinkedIn take after the breach?
LinkedIn stated they implemented additional protections after they became aware of the aggregated data, including:
- Increased monitoring of sites hosting the data.
- Demanding takedowns where possible.
- Helping members understand how to protect their data.
However, LinkedIn noted they do not have direct control over the stolen data as it resides on third party sites.
What risks do impacted users face?
While no financial or password data appears to have been exposed, the breach still puts users at increased risk in a few ways:
- Phishing attacks: Criminals could use the exposed personal information in targeted phishing email attacks aimed at LinkedIn users.
- Identity theft: Names, emails and phone numbers could aid identity theft efforts, especially if combined with information from other breaches.
- Online tracking: Email addresses, usernames and other identifiers could be used to link or track a person’s online footprint across websites.
Users are vulnerable to these risks both now and into the future, as the data genie cannot be put back into the bottle.
What should impacted LinkedIn users do?
LinkedIn recommended users take the following steps to protect their information:
- Be cautious of unsolicited contacts and potential scams.
- Avoid clicking on suspicious links.
- Use unique passwords on every account.
- Turn on two-factor authentication.
- Report suspicious activity to LinkedIn.
Enabling two-factor authentication is probably the single most impactful step users can take to improve login security.
Could LinkedIn have prevented this?
It’s unlikely LinkedIn could have fully prevented this aggregated data being scraped and sold online, for a few reasons:
- The data was aggregated from various historical scrapes, not a new breach.
- Much of the scraping likely occurred before LinkedIn became aware of it.
- Web scrapers frequently evolve tactics to evade detection.
That said, LinkedIn could potentially have detected the scraping more quickly and mandated additional user privacy protections. Critics argue social media companies often prioritize growth over privacy and security.
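The section above argues that the scraping could have been detected sooner. The following added example (not LinkedIn's code or anything described on the page) shows the kind of rate-and-breadth check a defender would run over web server access logs to spot profile enumeration. It assumes Apache/Nginx combined log format, a hypothetical `/in/<slug>` profile URL shape, and illustrative thresholds; the sample log lines are constructed in `build_sample_log()`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format line, e.g.
# 203.0.113.7 - - [08/Apr/2022:10:00:00 +0000] "GET /in/user-0001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Hypothetical profile URL shape (assumption); the real site's routing is not described on the page.
PROFILE_RE = re.compile(r"^/in/([^/?#]+)")


def parse_line(line):
    """Return ip, user-agent, timestamp and profile slug for a successful profile view, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PROFILE_RE.match(m.group("path"))
    if not p or m.group("status") != "200":
        return None
    return {
        "ip": m.group("ip"),
        "ua": m.group("ua"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "profile": p.group(1),
    }


def detect_scrapers(lines, window=timedelta(minutes=1), max_profiles=20, min_distinct_ratio=0.8):
    """Flag (ip, user-agent) clients that fetch more than max_profiles profile pages inside any
    sliding window AND mostly fetch distinct profiles. A person reloading or re-reading a few
    profiles has a low distinct ratio; enumeration has a ratio close to 1."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[(rec["ip"], rec["ua"])].append((rec["ts"], rec["profile"]))

    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] span at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > max_profiles:
                distinct = len({slug for _, slug in events[start:end + 1]})
                if distinct / count >= min_distinct_ratio:
                    flagged[client] = {"requests_in_window": count, "distinct_profiles": distinct}
                    break
    return flagged


def build_sample_log():
    """Constructed sample log: an enumerating client (30 distinct profiles in 30 s), an ordinary
    user (5 views with repeats over 8 minutes), and a user reloading one profile 25 times in 25 s."""
    base = datetime(2022, 4, 8, 10, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime(TS_FMT)
    lines = []
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f'203.0.113.7 - - [{fmt(t)}] "GET /in/user-{i:04d} HTTP/1.1" 200 5120 "-" "python-requests/2.27"')
    for i, slug in enumerate(["alice", "bob", "alice", "carol", "bob"]):
        t = base + timedelta(minutes=2 * i)
        lines.append(f'198.51.100.20 - - [{fmt(t)}] "GET /in/{slug} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f'198.51.100.33 - - [{fmt(t)}] "GET /in/alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for client, info in detect_scrapers(build_sample_log()).items():
        print(client, info)
```

Keying on (IP, user-agent) is a deliberate simplification: real scrapers rotate both, which is exactly the "evolving tactics" point made above, so production detection would also key on session or account and watch for the breadth signal (many distinct profiles, few repeats) across many low-rate clients rather than only a single fast one.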
How does this breach compare to others?
The LinkedIn breach impacts over 700 million accounts, making it one of the largest personal data breaches on record globally. For comparison:
- Facebook: 533 million users impacted in 2019 breach
- Yahoo: All 3 billion accounts breached in 2013-14 incident
- Marriott: 500 million guests impacted in 2018 breach
- Equifax: 147 million impacted in 2017 breach
So by number of user accounts exposed, the LinkedIn breach surpasses many of the most severe breaches of the past decade.
| Breach | Accounts impacted |
|---|---|
| LinkedIn | 700 million |
| Facebook | 533 million |
| Yahoo | 3 billion |
How has the LinkedIn breach impacted trust?
Major security incidents like this LinkedIn breach almost always negatively impact consumer trust, both of the specific company involved and the wider tech industry.
However, LinkedIn is unlikely to suffer massive user losses, given the reality that many professionals rely on the platform for networking and job opportunities. While users may be more cautious sharing personal data, LinkedIn’s core value proposition remains intact.
At a minimum, the LinkedIn breach highlights the enduring risks of storing vast amounts of personal data online and the need for constant vigilance from tech platforms.
What long-term fallout may occur?
Looking ahead, the long-term fallout from the LinkedIn breach could include:
- Increased scrutiny and regulation around data privacy and protections.
- Heightened awareness and caution from users about sharing info online.
- Class action lawsuits seeking damages for those impacted.
- LinkedIn proactively tightening security defenses.
But the sheer size of the breach makes it unlikely LinkedIn will emerge unscathed reputationally. Only time will tell if new data-sharing habits or regulations arise.
Conclusion
The LinkedIn data breach exposed sensitive personal information from 700 million user accounts, the vast majority of the platform's members. While concerning, LinkedIn acted promptly to investigate the incident and advise users on protective steps. Ongoing vigilance is required, both from LinkedIn and other tech firms, to identify emerging threats and minimize the data available for malicious exploitation.