The entry in the popular hacker forum reads a bit cryptic, but anyone familiar with offers like this knows what treasure is on sale here: “LinkedIn Scraped Emails, phone and full 2m profiles” is offered by a newly registered anonymous user, along with a few samples of his wares and the sentence "Also selling 500m Profiles, pm me for price $$$$ minimum".

In plain terms: the user is initially offering two million user records in the forum, compiled from data on the business social network LinkedIn, as a kind of product sample.

But anyone willing to transfer at least a four-digit dollar sum can get the complete data set: the data of 500 million users of the platform.

This mass sale is alarming news for privacy-conscious users, and just as much for the company behind LinkedIn, the software maker Microsoft.

For the platform operators, this sale is the second data protection disaster within a week: last Saturday, a data thief offered 500 million records for sale in another forum, this time from Facebook users, with the price likewise open to negotiation.

The two cases have one thing in common: in neither case did the perpetrators exploit a classic security breach.

Both Facebook and LinkedIn vehemently deny in their statements that the perpetrators were able to access their internal user databases.

Instead, the attackers simply wrote their own program that systematically retrieves and copies millions of user pages, exploiting known weaknesses in the process.

In the Facebook leak, for example, the attackers were able to extract phone numbers through a tool that Facebook had originally built to let users find friends by mobile phone number.

This method is called scraping; it clearly violates the platforms' terms of use, but it does not constitute a classic security breach.

Neither Facebook nor LinkedIn seems concerned

Of course, this does not change the fact that the perpetrators were able to aggregate the data in a way that plainly contradicts the data use to which the affected users originally consented.

In the LinkedIn case, too, the perpetrators apparently used their scraping tool to call up one new profile after another, 500 million times over, until they had assembled a valuable database.

The LinkedIn data includes names, email addresses, telephone numbers, the user's gender, the stated employer and age information inferred from the stated educational history.

The Facebook data contains dates of birth and places of residence in addition to telephone numbers.

It even contained the data of Facebook founder Mark Zuckerberg, including his phone number, which was now online.

A security researcher promptly found out that Zuckerberg himself uses the Facebook rival Signal.

LinkedIn itself said in an initial statement that the perpetrators had in any case only collected public data, that they had thereby violated the terms of use, and that the company was seeking to hold them legally accountable.

Neither LinkedIn nor Facebook addresses the fact that the perpetrators were apparently able to retrieve millions of profiles within a short period without internal systems raising an alarm and blocking the access.
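The alarm that did not sound is, on the defender's side, a rate and diversity check: a client that pulls far more distinct profiles in a short window than any human browsing pattern produces. The following is an added example written for this page, not code from the article or from either platform. The log line format, the `/in/<id>` profile URL shape, the client identifier and the thresholds (more than 50 distinct profiles within 5 minutes) are all constructed assumptions, as is the sample traffic.

```python
"""Flag clients that pull an unusual number of distinct profiles in a short
window, the kind of bulk retrieval the article describes going unnoticed.

Added example written for this page; the log format, field names and
thresholds are constructed assumptions, not any platform's real telemetry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: <client> <ISO-8601 timestamp> "GET <path>" <status>
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ts>\S+) "GET (?P<path>\S+)" (?P<status>\d{3})$'
)
PROFILE_RE = re.compile(r"^/in/([^/?#]+)$")  # assumed profile URL shape


def parse_line(line):
    """Return (client, timestamp, profile_id, status) for profile requests, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PROFILE_RE.match(m["path"])
    if not p:
        return None  # feed, search, static assets: not profile views
    return (m["client"], datetime.fromisoformat(m["ts"]), p.group(1), int(m["status"]))


def detect_enumeration(lines, window=timedelta(minutes=5), max_distinct=50):
    """Sliding-window count of distinct profiles per client.

    Returns {client: {"first_alert": ts, "peak_distinct": n, "not_found": k}}
    for every client that exceeded max_distinct distinct profiles inside
    any `window`. Events are sorted first so interleaved log sources work.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    recent = defaultdict(deque)                        # client -> deque of (ts, profile)
    in_window = defaultdict(lambda: defaultdict(int))  # client -> profile -> hits in window
    not_found = defaultdict(int)                       # client -> cumulative 404s
    alerts = {}
    for client, ts, profile, status in events:
        q, counts = recent[client], in_window[client]
        q.append((ts, profile))
        counts[profile] += 1
        if status == 404:
            not_found[client] += 1  # guessing identifiers leaves a trail of misses
        while q and ts - q[0][0] > window:  # expire requests older than the window
            old_ts, old_profile = q.popleft()
            counts[old_profile] -= 1
            if counts[old_profile] == 0:
                del counts[old_profile]
        distinct = len(counts)
        if distinct > max_distinct:
            a = alerts.setdefault(client, {"first_alert": ts, "peak_distinct": 0})
            a["peak_distinct"] = max(a["peak_distinct"], distinct)
            a["not_found"] = not_found[client]
    return alerts


def build_sample_log():
    """Constructed traffic: two humans and one scraper, all times fictional."""
    base = datetime(2021, 4, 8, 10, 0, 0)
    lines = [
        f'user-a {base.isoformat()} "GET /in/alice" 200',
        f'user-a {(base + timedelta(minutes=3)).isoformat()} "GET /in/bob" 200',
        f'user-a {(base + timedelta(minutes=4)).isoformat()} "GET /feed" 200',
    ]
    # recruiter browsing 40 profiles over 4 minutes: busy, but under the threshold
    for i in range(40):
        t = base + timedelta(seconds=6 * i)
        lines.append(f'user-b {t.isoformat()} "GET /in/candidate{i:02d}" 200')
    # scraper walking sequential IDs at one request per second; every 10th ID is missing
    for i in range(120):
        t = base + timedelta(seconds=i)
        status = 404 if i % 10 == 9 else 200
        lines.append(f'bot-7 {t.isoformat()} "GET /in/p{i:06d}" {status}')
    return lines


if __name__ == "__main__":
    for client, info in detect_enumeration(build_sample_log()).items():
        print(client, info)
```

On the constructed sample, only `bot-7` is flagged, at the 51st distinct profile within the window, and the 404 count is carried along because sequential identifier guessing produces misses that normal browsing almost never does. The choice of client key is the hard part in practice: a distributed scraper rotates source addresses, so keying on the authenticated session or account and applying the same window logic to unauthenticated lookup endpoints (such as the contact-import feature mentioned above) matters more than the exact threshold, which has to be tuned against legitimately heavy users like recruiters.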

That the cases do not stem from a genuine data breach is little consolation for the users, whose personal biographical details are now compiled in an easily searchable database.

LinkedIn has so far left open whether users will be informed that their data is affected.

Facebook, by contrast, pointed out that the data published on Saturday stems from a loophole from 2019 that has since been closed.

Mass harvesting of telephone numbers has been impossible since then.

The company therefore does not plan to notify the affected users.

The type of data leak is irrelevant

With this stance, however, Facebook is likely to come into conflict with the General Data Protection Regulation (GDPR), at least in the EU.

The regulation stipulates that users must always be notified when their data has reached third parties without their consent.

The GDPR has been in force since 2018.

Whether the leak rests on a genuine security vulnerability or whether the data thieves merely made clever use of platform functions is largely irrelevant from the perspective of data protection advocates.

Since Facebook's European headquarters is in Dublin, Ireland, the Irish Data Protection Authority is the responsible regulator.

The Irish authority has accordingly announced its own investigation; it could compel Facebook to warn at least its European users.

The data may all come from users' public profiles, but the phone numbers, at least, are not usually readily available, and they are probably the most valuable part of the leak.

Should the data be sold to phishing fraudsters, they could use it to send personalized phishing emails automatically, disguised for example as a perfectly tailored birthday greeting or as a message from the employer.

Thanks to the numbers, they could also call victims directly and use the known details to pose as an acquaintance.

In the United States, it is also relatively easy to redirect SMS messages if you know a user's mobile phone number, name and date of birth.

That is not so easily done in Europe.

Hasso Plattner Institute offers a check

If potential attackers have set up such a redirection, they can intercept SMS messages carrying two-factor PINs, which can lead to complete identity theft.

The perpetrators use fake PayPal or banking sites, for example.

Anyone who already knows that their data is being sold online is forewarned: they may react less credulously, change the passwords or email addresses on their accounts, and can thereby fend off fraudsters. For this reason alone, Facebook's refusal to notify those affected is hard to understand.

Anyone who would rather check for themselves whether their data is already part of a leak can use various services on the internet for a cross-check.

The Hasso Plattner Institute (https://sec.hpi.de/ilc/) offers a reputable service in Germany with no hidden costs.

According to the site's statistics, the institute checks the user's input against reference data from over twelve billion records from more than 1,200 leaks.

These numbers alone show the scale of the problem the industry is facing.

It seems the platform operators have not yet learned enough from the past: the Cambridge Analytica case, which cost Facebook a five-billion-dollar fine in the US, also originally stemmed from scraping.

Source: WORLD / Alina Quast