A few years back Hotmail/Outlook were returning people's Twitter/LinkedIn handles for emails sent/received. It had been noticed you could scrape that fairly easily at scale. With one email account you could check up to 30000 email addresses before being flagged by Outlook.
Slightly longer ago you could simply iterate 1...n on LinkedIn URLs to find someone's profile, by converting the number to base12, you'd be redirected to the person's public URL.
Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.
Facebook, Twitter and LinkedIn are all bad in that regard on the last method, though Facebook at least do not return people's URLs along with your contact upload (you're expected to know the person's face/name to decide whether you'd want to connect). The take away is that once you sign up, whatever information you put on your profile/account is pretty much available to anyone who wants it enough - and clearly there are plenty bad actors who want it. Obviously these social networks want to expand their network, but they also make it much more easy for data harvesting at unprecedented scale.
> Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.
This is one of those functionality aspects all these social/networking sites fall foul of one way or another, be email or phone number relational suggestions. That and the aspect of this scraping of phone numbers or emails - even with the users permission, kinda moots the owner of those email and phone details. But does seem that once you give anybody your email or phone number, it kinda one way or another falls into the public domain level of privacy. Heck how many contact details via email or phone numbers do these sites hold on people who never even held an account with them.
Be nice if the law and data privacy had some global standards as this region/country by country aspect does nobody any good and in a World in which taxation works with the same model, do we really want to let data protection end up with data havens in much the same way as tax does.
Agreed. One of the poorer aspects of those 'functionalities' is friends of friends details get added, i.e. sharing your phone contacts or email contacts. There's people not on those networks that have a definite amount of information about them on there anyway.
> He claims the data was obtained by exploiting the LinkedIn API to harvest information that people upload to the site.
> our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.
If the attacker is telling the truth, Then somehow the attacker has gained access to privileged API of LinkedIn which gives out more fields than those listed in the official LinkedIn API doc[1].
If LinkedIn is telling the truth, Then the source of breach is most likely one of the many data brokers who have been breached several times in the past[2].
FWIW, I've been scrubbing my social profiles. LinkedIn, Yelp, Facebook, etc.
Barest of bones. Removing all connections, photos, posts, personal details. (I know the damage is already done. The aggregators never really delete anything.)
Why not just out right delete my profiles? I'm squatting. To ensure they're not used as socket puppets.
After a beloved coworker passed, their profile got highjacked. Ten years later, I'm still so angry about it that I could just spit.
I’ve been doing the same. The potential downside risk of having LinkedIn/Facebook/Instagram profiles just keeps growing and growing. I’m a complete ghost on the Internet. I have Google alerts set up for my names and email addresses, and I regularly attempt to docs myself to find any leaks. I also can’t understand why anyone in the public eye doesn’t completely sanitise their social media profiles. The amount of people brought down by 10 year old stupid tweets is insane.
I was going to ask if you said "docs" as in "doxxing" [0] but then a quick Wikipedia search got me to the etymology [1] of "doxxing" which comes from "docs" as in "documents"! TIL
This. The best way to erase social media is to replace the account with a bunch of BS. Most of these companies are too cheap and Zucker's "move fast" culture probably doesn't involve database record versioning. Also because it's expensive. The old
SET _deleted_=1 is pretty much their main ace in the hole to f*k you. Hell, even if they do versioning, just keep filling the profiles with enough noise and they won't be able to filter it all out unless they somehow index and data warehouse your profile from the decrepit old backup. At that point, you are just hoping their schema changes, the logistics, and their bad practices are enough to prevent that from being cost efficient.
I saw someone on here had a program that went in your profile and rewrote all posts with garbage data before you deleted it. Like for Facebook, Twitter, Discord, etc. That way you know their database is filled with junk data. I'd really like to know what that was again so I could peak at it in case I ever wanted to do that.
I had someone do that to me when I've been -still alive-... just posting the weirdest shit right on other people's pages after adding a bunch of my friends for a cheap laugh.
It was literally just some idiot binging on drugs who thought it was really funny until i ran over to his place and kicked his door in. I had people ask me what the hell that was about for YEARS afterwards. How do you explain to all these people at parties or whatever that you just happen to know stupider people than they do?
> I'm squatting. To ensure they're not used as socket puppets.
Good idea. I've noticed more of those popping up. My wife has an Instagram impersonator that constantly spams some kind of essential oils crap or other beauty product snake oil.
I would do this, but my data has been up in social media long enough that I don't believe it makes a significant difference if I superficially "delete" it now. Maybe I'm wrong?
At this point, I just don't add anything new. If they're going to host my content ad infinitum, I might as well use their storage space and bandwidth.
I guess it probably would be worth ditching LinkedIn. There's no good reason why a [worthwhile] prospective employer would require it.
Sort of. Data that is 5+ years old is pretty stale. How many things don't change over that period of time and how can you be sure that they haven't changed? The most valuable things are phone numbers and email addresses. We expect those to be maintained so we can re-establish contact with old friends.
But if you made it a thing to daily post fake things so that the activity looks normal, can you eventually convice the social overlords you are someone else?
Relocate yourself to another city/state/country in your profile. Daily make posts about things occurring in that new location. Make those posts in sync with local time. Of course using a VPN endpoint that correlates.
Why don't you support anything made by Google or Apple?
At this time, we are reliant on both Google and Apple to be listed in their respective app stores. As such, we have been advised that in order to remain in good standing we should not offer support for these services.
How do you scrub your Facebook profile? There aren’t good tools for it. Facebook itself only lets you do it one post at a time in their activity log. Their constant design changes have broken extensions that used to help you do it (https://chrome.google.com/webstore/detail/social-book-post-m...)
I received message on WhatsApp from someone claiming to be my LinkedIn contact, I asked how that person got my mobile number and was told my number is visible on my profile.
I didn't remember ever adding my number there, So I dug around to find that LinkedIn published my phone number to all my contacts when I uploaded it for 2FA (LinkedIn didn't have TOTP that time. You needed to have premium account to prevent it from being shown to contacts. I removed the 2FA until LinkedIn got TOTP.
LinkedIn IMO[1] has received far less scrutiny on its practices and content when compared with other social networks while having disproportionately large influence on professional life.
Even if you don't considered inferred salary directly tied to you as "personal data," surely you consider geo location personal data?
Also, aren't you even slightly outraged that you can't even download data that has been hacked and released into the wild?
Or outraged by the fact that you can only download data you have given directly to a service provider, but that the service provider will happily tell 3rd parties about your shadow profiles?
>When we don’t have member-submitted data, salary insights are inferred using data between similar companies, job titles, location, and other job attributes.
With enough "job attributes", you can easily tie things down to an individual: who worked as <position> at <company> in <city> from <start_date> to <end_date>, doing <job_description> with <colleagues>?
The biggest issue: you cannot not give them your personal data that they then loose.
Let me contribute with an anecdote from yesterday (slightly off-topic but I promise to get around to it at the end). So just yesterday I needed to create a Microsoft account to try out Teams which is supposedly free. (I have avoided it so far, but my GF has been asked to use it for an interview and we wanted to do a tech test run before). Of course, the UI on the website assumes (!) that you already have a Microsoft account. It will let you create a Teams account that will fail the login if you do not have a Microsoft account and then sends you around in a Byzantine loop without telling you: Look you need a Microsoft account to use Teams. It looks to me as it just creates a shallow alias or something without root reference. This is dark patterns all over the place.
Anyway, a bit more on topic, I am course using my spam email for this account, but then they ask for my phone number. This is really an issue, because except if I get a burner phone, my personal data is linked with an account of a company I do not trust. After witnessing then how bad teams is almost 1.5 years after everyone is working remotely, (wow their web client does not allow you to share webcam and a window/screen at the same time, while their native client makes it super hard to share content while still seeing the people who you present to), I realised
1. How privileged I am not having to use Microsoft products (need to remember to charge extra, whenever asks me do a job that involves Microsoft products)
2. How anti-competitive Microsoft still is (you cannot login to Teams, MS web auth, in Chromium incognito mode, and it needs a ton of cookie domains whitelisted, even then it does not work)
3. How (and this is not Microsoft specific) difficult it is to not hand over personal data to companies that provide a utility-like service that they pretend is free (so everybody can pretend they are inclusive when they use these services)
4. An then literally a day later it turns out I am not paranoid not trusting Microsoft (and I guess other companies, big or small) with my data, because they are going to loose it sooner or later.
Edit: I just logged back into this MS account. They dont even use the phone number as "2FA". They only send you a text when you register, not for subsequent logins. It looks to me as they just collect it to make sure they really have some personal data to loose..
Microsoft authentication is terrible. It breaks at random times with misleading error messages (telling you that TFA failed for example, when in fact it’s one of their servers is down). Sometimes it just times out or goes into a loop until you close the page or clear cookies. And authentication for teams on Safari doesn’t work at all, even though the rest of Office works fine.
The generous interpretation is that they need a way to give people something free while avoiding giving bots/spammers something free. You could point to CAPTCHA as a way to do this anonymously, but as far as I can tell, CAPTCHA has largely been broken by successful machine learning algos (most of the web scraping services I have seen offer "free CAPTCHA defeat" as a perk of buying their service).
I'm curious enough to ask the question - having read the article and seen what data was leaked - isn't this "leaked data" the very same data that Linked In is selling to users as part of its Premium Offering?
Many of you may not know, But most recently, even Domino's Pizza (India) had a breach and they kept denying it ever happened until the hackers finally made a search engine where anyone could search through the entire database. And Domino's finally released some statement in some obscure part of their website. NONE of the users who were affected were notified directly. Many even don't know that this happened. What's worse is the data contained your precise house location and location data in general with co-ordinates. So, the hackers know your phone, your address, where you live, where you go to, been to and how much you're actually worth. It has been claimed financial data (credit cards) were stolen as well, but Domino's denies it till date and of course no one should trust them, given their history.
So, in essence, this LinkedIn breach is also the same to me. Companies literally make you an attack target for hackers and don't even bother telling you. I don't know about you guys, I haven't received a single email from LinkedIn about this yet. How can we combat this dangerous behaviour of companies hiding their incompetencies from their customers? I thought of litigation and I almost sued Domino's, but who am I kidding? These cases could go on for years while they keep making people attack targets of hackers. And add to that corruption, and other variables. I don't know of what could be done to such companies. Boycotting helps, but imagine, more than half your customers don't know why the rest are boycotting and that's in your favor.
But is this really a problem? LinkedIn is "advertising for yourself", presumably to get a job. With the exception of my phone number, I'm ok with the world knowing this information about me. It's the equivalent of a phone book and I'm putting myself out there and advertising myself in the hopes of getting a job.
if you look at the sample image there are data points like "inferred salaries", "inferred years of experience", number of connections (and possibly other stuff) that somebody may or may not have wanted to advertise to the universe.
the leaking of semi-public data (over which we may have some control) alongside "inferred bits" and behavioral data (over which we don't) and combined with other legally or illegally obtained sources means that individuals are facing an information environment where long held assumptions about who knows what no longer hold.
lots of people still don't seem to realize what a crushing downgrade it is in all senses (economic, social, political) to be a transparent, mined entity with no sovereignty
there are many ways to skin this cat if one was motivated enough to put their mind to it... but some suggestions anyway:
never have 700M profiles in one place. decentralization by default - large scale centralization only when absolutely needed and with rigorous controls as a public (or highly regulated) good.
never create portable / tradeable behavioral profiles that can be linked to individuals. what can happen will happen and is happening.
never offer trivial free services in exchange for significant private data. establish a respectful and healthy client/user relation without hidden third parties in the loop
I feel like the lines between a data leak and large scale scraping are getting blurred. At least in their impact for the user. Which is a bad thing as it will support the "so what" attitude that many people have toward their data.
It is a fact that all this data is already being crawled by bot nets.
If all data is leaked at once, this is similar to a large scale successful crawling of the site. At least from a user perspective.
So I get what you are saying. It sounds more dramatic than it actually is.
It is still a massive leak. But from a pool that scummy businesses have been thoroughly scooping from already anyway.
Are these details publicly-available for the scraping though?
I'd be suspicious it was an employee with internal access to the data or someone who had hacked such an employee's computer. Of course they wouldn't admit such criminal act and risk getting caught, they'd claim a route anyone could use.
You can also "hibernate" your account to disable it completely until you log in again. I just did this; my go-forward strategy will be to resurface and collect connections anytime I switch jobs, then hibernate it again when I no longer need it. That way it can serve its only real function of being a face for my job applications, and can be made invisible all other times.
It’s good to hear that it hasn’t affected you personally, but the severity of the leak must be assessed based on the privacy that was reasonably expected by users. LinkedIn has not met their duty to protect their personal information and that alone is enough to say: yes, it’s a problem.
Yeah I agree that LI hasn't done a great job of protecting their data from being misused. But that's the nature of social networks though, data is to be shared in order to build the network. As another commenter said, just don't put in anything you don't want people to find out. Absolute privacy cannot be achieved when you give out your information willingly. To paraphrase WOPR, "the only way to win the game is to not play."
Well I can see your point, but this is not exactly the same.
As a thought experiment imagine that someone now builds a website called Linkedout and they post your profile with a layover animation resembling a big red stamp which reads 'Slacker'. I guess you are not OK with THAT information about you.
I have no problem with people accessing my data, but only so long as it's people who have a valid reason to access that data. In the case of LinkedIn, I don't mind my connections, coworkers, and (reluctantly) recruiters seeing what's on my resume. I do mind a random hacker accessing that information, selling it to anyone who'll buy, and those people then using that data for things that probably aren't related to offering me employment.
The article does not explain what info beyond public profiles had been stolen. You can already google search LinkedIn making this data leak very low impact
That's fair and for many it's not good at all - I was speaking strictly for myself. I didn't link my account to any other social media, nor did I put a phone number on there.
My lord, how many times has this happened to LinkedIn? Fuckin ridiculous. Need some public policy to hold these companies more accountable when this happens, so it will happen less.
If someone merely knowing your phone number is a security risk that really seems like a flaw that should be addressed with the phone system and not by treating the numbers like sensitive information.
There was a time when there were whole books of said numbers and it wasn't a security risk. We've definitely gone wrong with our assumptions somewhere.
I've seen worse. All you need to use a credit card is the number printed on it and still we hand it to strangers to run off with for 3 minutes like nothing.
True, but whether or not it should be or not doesn't change the fact that it is the current state of the US.
And it's not really just the phone number, but the combination of personal info that allows for social engineering - without having the existing customer confirm the transfer.
Feels a bit ackward to admit it nowadays, when nearly every job offer for IT proffessionals requires to provide LI profile link. But stopped using linkedin after first their leak with unencrypted passwords and not informing about it for months.
Microsoft have never exactly had a reputation of security-conscious developments. However you do have a point: building secure software is close to impossible, and that's why we should build software that collects the smallest amount possible of personal information.
This is an excellent question/framing. The security model used in the industry right now is insane and doomed to fail, and yet it is relentlessly pushed forth and defended.
I used to use linked'in@mycustomdomain.com. It (slightly) broke the interface for reasons I won't understand, but I eventually got lazy and changed it to a normal email. The extra page refreshes were driving me crazy. Seems I should have kept it.
I have said it many times before. Unless and until you make companies pay exorbitant amount of money when your data gets stolen from them, the companies will never be serious enough about security. We had the whole Equifax fiasco, and nothing has changed.
Hah, I was just logging into linkedin again after some months, looking at the landing page for a bit (before login). Wasn't aware they let you create accounts with passwords as short as six (!) characters.
I wonder. I definitelly don't have my phone number and e-mail address visible to public (this has a purpose - if someone can find it, it means they at least spent 30 seconds of their life to issue a search query in Google) and I think most people don't as well. But that's the same thing with FB 2019 - my phone number was leaked, but I never made it public. Why would I.
But you're fine because you didn't give them much personal data. Because by now you're perfectly aware of this scenario. So you take your privacy seriously.
Where are all the folks who were complaining about the LinkedIn anti-scraping court case destroying the open web? This is what LinkedIn is fighting against.
Scraping the open web is NOT the same as accessing privileged APIs to collect private information. If LinkedIn made their pages accessible to anyone as a sort of public service (as they used to), people would think twice what data to put on there.
The problem is the same as with Facebook: they pretend the data is private and secure, then let people siphon it away. Public and private networks are both fine, but huge corporations trying to mix both usually end up with the worst of both worlds.
> Where are all the folks who were complaining about the LinkedIn anti-scraping court case destroying the open web? This is what LinkedIn is fighting against.
I find comments of the form "where are all the folks who were complaining..." to be tiresome. Asking "where are all the folks" suggest that "all the folks" don't exist because... you don't see them on Hacker News? ... because ... you want to make a dig at LinkedIn? ... because [reasons]?
Unless I'm missing something (let me know), this comment seems like a rant based on speculation. Why believe a hacker who says they got this from scraping?
I'm not defending LinkedIn, to be clear. I'm asking for more {elaboration, logic, specificity} and less rhetoric in the comments here.
By the time this article is released, the scraped is stale.
LinkedIn is self advertising portal for newer better opportunities and that data is actually in public view and someone is selling it to get me better opportunities it sort of sounds fine..
What would be informational is if so called hacker comes and says how he used the data or the tech stack used.
If I put on my thickest tinfoil hat, I might even think these continuous data leaks are deliberately happening to get users/consumers normalised towards expecting zero privacy or corporate accountability going forward.
This is just basically the data that's publicly available anyway unless you've locked down your profile. That sort of defeats the purpose of LinkedIn though since you're trying to get people to contact you about jobs etc.
I wish LinkedIn would just go away, it's turning less into a job specific site and more of another facebook full of idiotic political posts etc. I'd rather not have to deal with it at all but it seems employers still sort of expect you to use it.
My actual goal with LinkedIn is to be able to search people whom I have worked with that now work with some random company I am curious in now. “Oh, huh, LinkedIn had a leak, who do I know there, oh, they were reasonable people, probably an error then.” I must confess a certain curiosity on the inferred salaries I wonder how accurate they are and if we will see the whole data dump at some point.
Sorry, but looks like vaporware, and the company (Kalo) seems scammy: broken website, no activity for years even when they claim to have raised millions, etc.
It scrolljacks you from the beginning and shows a lot of cartoon characters and trite phrases.
It doesn't even do anything yet but ask me to join a waitlist. This is supposed to replace a social network with 700 million users?! It looks horrible.
A few years back Hotmail/Outlook were returning people's Twitter/LinkedIn handles for emails sent/received. It had been noticed you could scrape that fairly easily at scale. With one email account you could check up to 30000 email addresses before being flagged by Outlook.
Slightly longer ago you could simply iterate 1...n on LinkedIn URLs to find someone's profile, by converting the number to base12, you'd be redirected to the person's public URL.
Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.
Facebook, Twitter and LinkedIn are all bad in that regard on the last method, though Facebook at least do not return people's URLs along with your contact upload (you're expected to know the person's face/name to decide whether you'd want to connect). The take away is that once you sign up, whatever information you put on your profile/account is pretty much available to anyone who wants it enough - and clearly there are plenty bad actors who want it. Obviously these social networks want to expand their network, but they also make it much more easy for data harvesting at unprecedented scale.