Millions Of Leaked LinkedIn Records Could Pose A Risk to Law Firms
A security researcher has discovered that user information for around 60 million LinkedIn members has been made available on eight unsecured databases. While some of the information revealed is publicly available, some of it, such as email addresses, is not.
Computer help site BleepingComputer.com was contacted by Sanyam Jain of the GDI Foundation, a non-profit organisation devoted to defending the free and open internet by trying to make it safer. Jain told Lawrence Abrams, creator and owner of BleepingComputer, that he had spotted unsecured databases containing LinkedIn data appearing and disappearing from the internet under different IP addresses.
Sanyam Jain said:
“According to my analysis the data has been removed every day and loaded on another IP. After some time the database becomes either inaccessible or I can no longer connect to the particular IP, which makes me think it was secured. It is very strange.”
The eight databases identified contained approximately 60 million records of apparently scraped LinkedIn information.
To demonstrate the problem, Jain pulled Abrams’ own LinkedIn record from one of the databases. As well as the usual LinkedIn profile information, Abrams’ email address was included, which Abrams states he had always kept hidden from public view. It also appeared to be possible to view what type of LinkedIn account each user had, for example whether they were paying for a premium service, as well as which email provider they use.
On being asked to comment, LinkedIn told BleepingComputer that the database does not belong to them, but that they were aware of the existence of databases containing scraped information.
Paul Rockwell, LinkedIn’s head of Trust & Safety, said:
“We are aware of claims of a scraped LinkedIn database. Our investigation indicates that a third-party company exposed a set of data aggregated from LinkedIn public profiles as well as other, non-LinkedIn sources. We have no indication that LinkedIn has been breached.”
A LinkedIn privacy page allows users to apply a setting to their account specifying who can view their email address. However, Abrams still queries why his own email address was visible and could be scraped when only 1st degree connections should be able to see it.
BleepingComputer contacted Amazon, which was hosting the unsecured databases, and as of 22 April 2019 the databases had been secured and were no longer accessible via the internet.
LinkedIn is a popular social media site because it exposes professionals to potential leads and customers. In addition, it’s a great place to make connections and engage in discussions in many industries, helping business members become thought leaders. As it is a business community, a majority of solicitors will have a profile and use it on a daily basis. This presents a risk that information could be leaked, stolen and used to attack them or the firm they are employed by.
According to the Cyber Security Breaches Survey 2019, released by the Department for Digital, Culture, Media and Sport, 32% of businesses and 22% of the charity sector reported that their cyber security had been breached in the last year. Worryingly, a third of all attempted cyber attacks resulted in a loss of data or assets. For a law firm holding a mass of personal data and client money, the report highlights the importance of improving cyber security measures.
Is your firm adequately protected against the threat of cyber attacks?