The personal data of around 500 million LinkedIn users is being sold on a popular hacking forum.
Cybersecurity news site CyberNews discovered the hoard, which includes LinkedIn IDs, full names, email addresses, phone numbers, genders, links to LinkedIn profiles, links to other social media profiles, professional titles, and other work-related data. However, no passwords or payment data appear to have been affected.
As proof that the information is valid, the seller is offering two million entries for about $2 worth of forum credits. CyberNews analyzed the sample and confirmed that it’s legitimate. However, it remains unclear whether this is freshly stolen information or just aggregated data from previous breaches.
Despite the batch not containing login credentials or payment data, it is still a devastating weapon in the right hands. Fraudsters and cybercriminals can use the information to launch spear-phishing and impersonation attacks, try to brute-force accounts, or simply send spam emails to millions of previously unknown addresses.
“Particularly determined attackers can combine information found in the leaked files with other data breaches in order to create detailed profiles of their potential victims,” the report warns.
“With such information in hand, they can stage much more convincing phishing and social engineering attacks or even commit identity theft against the people whose information has been exposed on the hacker forum.”
In any case, the seller is now asking for a four-figure payment, presumably in bitcoin.
The news comes shortly after cybersecurity experts warned of a new scam targeting job hunters on LinkedIn, in which fraudsters send the victim a .ZIP file containing what the victim believes to be a potential application. Instead, the archive contains a fileless backdoor, allowing attackers to stealthily install other malware, ransomware, keyloggers, or any other malicious programs.
The analysts described it as a “formidable threat to businesses and business professionals”, as it is able to avoid detection and exfiltrate data.
If you suspect you are being targeted by a phishing attack on LinkedIn, experts suggest you change your login data immediately, enable two-factor authentication, and make sure not to click any links or download any attachments unless you are absolutely positive they’re from a legitimate source.
LinkedIn is yet to comment on the alleged breach.