An unknown individual was recently reported to be offering the personal data of 500 million LinkedIn users for sale on a popular cybercriminal forum. The files contain key information about those users, including full names, email addresses, phone numbers, workplace information, employment history and additional personal details. The threat actor was auctioning the database for at least a four-digit sum.
Although the criminal claims to have scraped the data from LinkedIn, LinkedIn itself denies having suffered a data breach as such. Rather, it believes the files were compiled from publicly available sources, with additional details cross-referenced from several other websites and company resources.
Another threat actor subsequently offered to sell a total of 827 million records, which he claimed included the original 500 million LinkedIn records plus six more archives containing details of another 327 million people. The asking price for these files was set at $7,000 worth of bitcoin. Some of the records may have been duplicates, since LinkedIn only claims to have 740 million users.
There have been several previous incidents in which data has been scraped from a variety of sources and then ‘packaged’ together to be sold on. However it is obtained, the aggregated data can be used to support subsequent attacks such as credential stuffing, phishing, spamming, social engineering and brute-forcing. Often, passwords can be guessed based on the other available data or by exploring social media posts. Email addresses, however, are one of the most valuable keys, as they are often the username for personal accounts.
Clever attackers sometimes accumulate data over a period of time, both to avoid detection and to build up an increasingly complete picture of the user that may lead on to even more valuable information.
How to protect your data
As things stand, we are somewhat limited in what we can do to keep our information out of the public domain, but there are some steps we can take and some best practices we should follow. For example, we should keep a closer eye on bank and other online accounts so that fraudulent transactions or mysterious logins can be reported immediately.
There are now a number of special websites that will tell you if your email or phone number has been leaked in a cyber breach. These sites are very helpful because they can usually identify the particular hack and the associated website, enabling you to quickly change your password or close down the account. Two websites to try are https://haveibeenpwned.com/ and https://cybernews.com/personal-data-leak-check/.
You should consider enabling multi-factor authentication (MFA) on accounts that allow it (which most now do). This makes it much harder for anyone to hack your account as they very rarely have access to your actual MFA device – so even with your username, email and password they still won’t be able to access that account.
When using social media, make sure your privacy settings are fully switched on. That should mean your information is not publicly searchable and will only be shared with contacts you approve. It should also prevent most unscrupulous people from seeing your date of birth, location, family members and potentially useful snippets of information such as pets’ names.
Public Wi-Fi is an easy target for cybercriminals, so avoid using it for anything that requires you to transmit financial or personal data. If you have to transfer such data, make sure that you use an encrypted Virtual Private Network (VPN).
Apply best practices to password management. Use hard-to-guess passwords and change them regularly. Consider using a password manager such as KeePass or 1Password to store them; that will allow you to use complex auto-generated passwords without having to remember them.
Following some of the advice above should significantly reduce the chances of your data falling into the wrong hands. The single most effective step is probably to use MFA – this can reduce the chances of account compromise by over 90%.