A hacker created a database of information scraped from 700 million LinkedIn users after tricking the company’s API and used the same technique to create a database on 533 million Facebook users.
The hacker, who calls himself Tom Liner, told the BBC that it took several months to hack Linkedin’s API and he is selling user data from the platform to multiple customers for around $5,000. Though he wouldn't tell the BBC who his customers are, or why they would want this information, he says the data is likely being used for further malicious attacks.
Last month, it was reported that a LinkedIn scraping exposed the data of 700 million users – some 92% of all those on the service. The data included location, phone numbers, and inferred salaries.
"While social media platforms are standing firm that these scraping incidents are not data breaches, the compiled data sets have clear privacy impacts for end users. It remains to be seen if there will be repercussions for organizations resulting from privacy regulation like GDPR. A single piece of data by itself may not be classified as private, but this classification quickly changes as data is correlated or identity of an individual can be inferred," says Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security.
He adds, "The resulting API request traffic on social media platforms realistically numbers in the trillions over even a brief period. Identifying cases of malicious scraping in that traffic is akin to finding a needle in a haystack. Without the aid of cloud-scale data storage, data analytics, machine learning, and behavior analysis, detection of stealthy scrapers requires a great deal of luck. Absent the aid of machine-driven detection and protection, user data is inevitably scraped, compiled, posted online, and resold to malicious parties. The scraped data is useful to attackers for a range of other attack techniques including credential stuffing, brute forcing, phishing, social engineering, and more."