Hackers used LinkedIn's official API to leak tons of data... again

LinkedIn is leaking again. The least-cool social network known to mankind suffered a massive data breach this week, affecting some 700 million users — more than 90 percent of the network’s overall user base. The entire collection of data is up for sale on the dark web, including phone numbers, physical addresses, geolocation data, and even inferred salaries. Cool stuff.

A report from RestorePrivacy posits that the hacker in this instance used the official LinkedIn API to download the data, which has now been posted on various dark web forums for sale. A very similar method was used to collect data from more than 500 million accounts back in April.

The report claims the LinkedIn data is legit; the hacker posted a sample of the data for reference, with about a million LinkedIn users’ information included. RestorePrivacy found the data to be authentic, tied to real users, and up-to-date. Which means any and all of that data could be used to carry out a number of unsavory attacks, ranging from coordinated phishing scams to all-out identity theft.

This is by far the largest LinkedIn hack ever, if all 700 million records are real. It’s nothing short of damning for LinkedIn — especially given that it’s the same method used months ago in another hack.

An official backdoor — Hacks are essentially unavoidable in 2021. The internet is progressing at such a rapid pace that even the most high-profile internet infrastructure can be swiftly compromised, with the right tools in-hand.

But not all hacking is created equally. This LinkedIn hack should have been particularly avoidable, given that it is LinkedIn’s own API that allowed this breach to happen. There’s a special place in internet hell for companies that fail to protect users from the failures of their own technology.

Time to step up — The April LinkedIn data leak could be (somewhat) excused; perhaps the company did not fully understand the problems with its API that led to the initial attack. At the time, LinkedIn released a short statement:

Any misuse of our members’ data, such as scraping, violates LinkedIn terms of service. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.

In typical corporate fashion, this angle pushes the responsibility off of LinkedIn and onto the attacker(s). LinkedIn did not want to hold itself at all culpable for the data scraped from its site. Now it’s happened again, with more personal data, because LinkedIn failed to improve its API’s security after the first attack.

We can only hope LinkedIn takes this new attack more seriously than it did the April leak. We’ve reached out to LinkedIn for comment and will update our story accordingly.