LinkedIn Suffers Huge Bot Attack That Steals Members' Personal Data (siliconbeat.com)
An anonymous reader quotes a report from SiliconBeat: Data thieves used a massive "botnet" against professional networking site LinkedIn and stole members' personal information, a new lawsuit reveals. "LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information," said the company's complaint, filed in Northern California U.S. District Court (PDF). "During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as 'bots') have extracted and copied data from many LinkedIn pages." It is unclear to what extent LinkedIn has been able to stymie the attack. A statement from the firm's legal team suggests one avenue of penetration has been permanently closed, but does not address other means of incursion listed in the lawsuit. "Their actions have violated the trust that LinkedIn members place in the company to protect their information," the complaint said. "LinkedIn will suffer ongoing and irreparable harm to its consumer goodwill and trust, which LinkedIn has worked hard for years to earn and maintain, if the conduct continues." LinkedIn says it has more than 128 million U.S. members and more than 400 million worldwide. According to the complaint, the hackers got around six LinkedIn cybersecurity systems, and also manipulated a cloud-services company that was on the company's "whitelist" of "popular and reputable service providers, search engines and other platforms" which interact with LinkedIn under less severe security measures than other third parties. The manipulation allowed the hackers to send requests to LinkedIn servers. "This was not an attack or data breach where confidential data was stolen," LinkedIn's legal team said in a statement.
"This suit is about unknown entities using automated systems to scrape and copy data that members have made available on LinkedIn, violating the law and our Terms of Service."
Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?
Scraping a website isn't illegal. What, are they making a claim to the data on the website? That's rich.
If companies want to complain that data can't be owned then they can't also complain when people take data from them.
Violating TOS, sure. But not the law. That info is PUBLIC, and the public is free to index it as they see fit.
SC: winers
My present employment sucks and the pay is shit.
Mostly random stuff.
...that they could have had for pennies per person from the dark net?
Great.
Scrapers are not a violation of the law, per se. Scrapers access material that is made publicly available. Claims that downloading that data are somehow illegal are downright silly, IMO.
As to whether it was a violation of their terms of service or not, that likely depends on whether the bots were logged in and on whether the person logged in was aware that the bots were being used in his/her name. If the bots were not logged in, then it is no different from scraping a website, which is likely not illegal unless you then use that scraped data in a way that would be illegal. If the bots were logged in, then it is a violation of terms of service if the user was aware of the bot activity, or illegal if the user was not.
So now someone is accessing LinkedIn on a big scale to access public information on that site. Information that was explicitly made public, and that was placed there for everyone to see.
So how is this a breach or even "theft"? While maybe not entirely ethical or the way it's meant to work, it seems they're accessing nothing but public data.
Does anybody tell the truth, all the truth and nothing but the truth, in this ego trip for the masses?
Nobody on Earth cares about having so many addresses except the US government.
So the lack of security is not that surprising.
I put my information on LinkedIn precisely so other can find it.
LinkedIn has worked hard to maintain consumer goodwill and trust? Since fucking when!? Even if you don't register, they populate a profile for you with data from other people searching for your non-existent profile, and then show it to other people without distinguishing you from an actual registered user. Add to that the JavaScript XSS vulnerabilities they've been plagued with since day 1 because they don't hire as well as they help other people hire, and you will probably see why I'm not buying any of this trustworthiness crap.
Sgt: Sir, we had a data breach!
Gen: Stolen passwords again?
Sgt: Worse! They've downloaded publicly available information!
Gen: Gah! What kind of depraved madmen would do such a thing!?
Sgt: We don't know, but we're suing them.
Gen: Oh. Good then. Carry on.
Nothing posted to
They should have used stopforumspam or botscout or at least throttled their bandwidth for excessive page requests.
No human reads 50 LinkedIn profiles a minute, FFS. Throttling the bandwidth would have been the simplest solution, something like bw_share would do it.
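The two comments above make a concrete detection point: a crawler reads profiles at a rate no human does, so a per-account sliding window catches it. The summary adds the twist that the crawler routed requests through an allowlisted cloud provider that got "less severe security measures". The example below is added for this thread and is not LinkedIn's code; the log line format, the account and address values, and the 50-per-minute threshold (taken from the comment) are all constructed. It shows that keying the window on the authenticated principal, and not exempting allowlisted sources, is what makes the check hold up against both an allowlisted relay and a single account spread across an address pool.

```python
"""Sliding-window detection of bulk profile reads.

Added example for this thread, not LinkedIn's code. The log format below is
an assumption; each constructed line reads:

    <unix_ts> <principal> <source_ip> <allowlisted 0|1> GET /in/<slug>

Keying the window on the authenticated principal rather than the source
address means a crawler gets the same counter whether it arrives directly,
through a rotating address pool, or through an allowlisted relay.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_PROFILE_VIEWS = 50   # "no human reads 50 profiles a minute"


def parse_line(line):
    """Return (ts, principal, src_ip, allowlisted, path) or None for non-profile hits."""
    ts, principal, src_ip, allowlisted, method, path = line.split()
    if method != "GET" or not path.startswith("/in/"):
        return None
    return int(ts), principal, src_ip, allowlisted == "1", path


def detect_bulk_readers(lines, window=WINDOW_SECONDS, limit=MAX_PROFILE_VIEWS,
                        key="principal", exempt_allowlisted=False):
    """Map each subject that exceeds `limit` profile views inside `window`
    seconds to (ts_first_over_limit, views_in_window, distinct_profiles).

    key="ip" counts per source address instead of per account;
    exempt_allowlisted=True skips hits that came through an allowlisted
    source, which is the reduced-scrutiny policy the summary describes.
    """
    windows = defaultdict(deque)      # subject -> deque of (ts, path)
    flagged = {}
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        rec = parse_line(line)
        if rec is None:
            continue
        ts, principal, src_ip, allowlisted, path = rec
        if exempt_allowlisted and allowlisted:
            continue
        subject = principal if key == "principal" else src_ip
        q = windows[subject]
        q.append((ts, path))
        while q and q[0][0] <= ts - window:   # drop hits older than the window
            q.popleft()
        if len(q) > limit and subject not in flagged:
            flagged[subject] = (ts, len(q), len({p for _, p in q}))
    return flagged


def sample_log():
    """Constructed traffic: one human, one crawler behind an allowlisted relay,
    one crawler spreading a single account's reads across ten addresses."""
    lines = [f"{1000 + i * 75} acct-human 198.51.100.7 0 GET /in/person-{i}"
             for i in range(8)]                                  # 8 views in 10 min
    lines += [f"{2000 + i // 2} acct-relay 203.0.113.50 1 GET /in/target-{i}"
              for i in range(120)]                               # 120 views in 60 s
    lines += [f"{3000 + i // 2} acct-pool 192.0.2.{i % 10} 0 GET /in/target-{i}"
              for i in range(120)]                               # 12 per address
    return lines


if __name__ == "__main__":
    for label, kwargs in [("per account", {}),
                          ("per account, relay exempt", {"exempt_allowlisted": True}),
                          ("per source address", {"key": "ip"})]:
        print(label, detect_bulk_readers(sample_log(), **kwargs))
```

Run as-is it prints three results: per account both crawlers are flagged at their 51st view; exempting the allowlisted relay loses the first crawler entirely; and counting per source address loses the second, because each of its ten addresses stays at 12 views per minute. The human account never comes near the threshold under any policy.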
So LinkedIn is suing exactly 100 unknown entities? Doesn't even make sense, except as some sort of PR ploy.
Webscraping isn't illegal. It might be against the terms of service, but what are you going to do? Revoke their accounts?
> That Steals Members' Personal Data
That's what LinkedIn does anyway.
I call B.S. If it was personal data then you shouldn't have given it to LinkedIn in the first place.
I'm pretty sure spidering a website isn't all that new, I'm curious why it's even interesting?
I've been on LinkedIn a long time and observed a few botnets in my day that operate through other vectors. This botnet was not just scraping public profiles! Keep in mind that on LinkedIn you can have a public profile and you can have a private profile (only available to your contacts).
I would bet that these bots were LI profiles that passed for people. After all, LI bots are unlikely to be so different from Twitter bots. My guess is that this botnet used fake profiles and scraped private data that was only available to contacts in-network. Probably also crawled contact lists and tried to "link in" with all contacts of every new contact that was made. Undoubtedly a ToS violation and arguably criminal under the CFAA. Most people are promiscuous in their social networks and will accept connections without much thought. I have always tried to be very diligent about my contacts on LI -- if we didn't work together or meet in person, you're out of network, BUZZ OFF. I have seen plenty of fake profiles and recruiters try to claim a connection with me that did not exist. Recruiters are almost as bad as the bots.
Presumably the LinkedIn team now believes they've expunged the culprits and must have enough forensic evidence to tie together a short list of IP addresses where the trail goes cold on someone else's network. Would be interested to understand more about how automated this botnet was and how C&C was implemented. Was C&C completely internal to LI using their messaging system or old-school IRC or new-school Twitter?
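The crawl pattern guessed at in the comment above (get one connection accepted, then invite everyone in that new contact's list) has a recognisable shape in the event stream: nearly every invitation the account sends goes to someone who became a second-degree contact only moments earlier, through a connection that was itself just accepted. The example below is added here and is not LinkedIn's code; the event tuples, account names, thresholds and the freshness window are constructed assumptions. It builds the contact graph as connections are accepted and scores each account by the share of its invitations that are "explained" by a freshly-made bridging contact.

```python
"""Detect breadth-first contact-list crawling.

Added example, not LinkedIn code; the event format is an assumption. Events
are (ts, kind, actor, target): kind "connect" means the two became contacts
(undirected), kind "request" means actor sent target an invitation. A crawler
of the sort guessed at above gets one connection accepted and then invites
everyone in that new contact's list, so nearly all of its invitations go to
people who became second-degree contacts moments earlier.
"""
from collections import defaultdict

FRESH_SECONDS = 3600   # bridging contact must have connected this recently
MIN_REQUESTS = 20      # ignore low-volume accounts
MIN_RATIO = 0.9        # share of invitations explained by a fresh bridge


def crawl_scores(events, fresh=FRESH_SECONDS):
    """Return {actor: (invitations_sent, fraction_explained_by_fresh_bridge)}."""
    contacts = defaultdict(set)   # undirected adjacency, built in time order
    connected_at = {}             # frozenset({a, b}) -> ts the pair connected
    totals = defaultdict(int)
    explained = defaultdict(int)
    for ts, kind, actor, target in sorted(events):
        if kind == "connect":
            contacts[actor].add(target)
            contacts[target].add(actor)
            connected_at[frozenset((actor, target))] = ts
        elif kind == "request":
            totals[actor] += 1
            # bridges: contacts of the actor who are also contacts of the target
            bridges = contacts[actor] & contacts[target]
            if any(ts - connected_at[frozenset((actor, b))] <= fresh for b in bridges):
                explained[actor] += 1
    return {a: (totals[a], explained[a] / totals[a]) for a in totals}


def flag_crawlers(events, min_requests=MIN_REQUESTS, min_ratio=MIN_RATIO):
    """Accounts whose invitation volume and explained-ratio both exceed the thresholds."""
    return sorted(a for a, (n, r) in crawl_scores(events).items()
                  if n >= min_requests and r >= min_ratio)


def sample_events():
    """Constructed history: carol has 20 contacts, c3 has 15 more; alice is an
    ordinary user; 'crawl' works carol's list, then c3's list once c3 accepts."""
    ev = [(0, "connect", "carol", f"c{i}") for i in range(20)]
    ev += [(0, "connect", "c3", f"d{i}") for i in range(15)]
    ev.append((100, "connect", "alice", "carol"))
    ev += [(90000, "request", "alice", "c5"),        # days later, a few invites
           (180000, "request", "alice", "zed"),
           (270000, "request", "alice", "c9")]
    ev.append((1000, "connect", "crawl", "carol"))
    ev += [(1001 + i, "request", "crawl", f"c{i}") for i in range(20)]
    ev.append((1030, "connect", "crawl", "c3"))      # one victim accepts
    ev += [(1031 + i, "request", "crawl", f"d{i}") for i in range(15)]
    return ev


if __name__ == "__main__":
    for actor, (n, ratio) in sorted(crawl_scores(sample_events()).items()):
        print(f"{actor:6} invitations={n:3} explained={ratio:.2f}")
    print("flagged:", flag_crawlers(sample_events()))
```

The ratio is what separates the two: alice's invitation to c5 also goes to a contact-of-a-contact, but the bridging connection with carol is days old, so it is not counted as explained; every one of the crawler's 35 invitations is. The freshness window is the knob a real deployment would tune against how quickly genuine users browse "people you may know".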
The suckers who use LinkedIn do so specifically to make this sort of information public so people can find them. They 'trust' LinkedIn to make it publicly available.
That data was up for sale. Only the very least informed trusted it to be private. What Linkedin really lost was the chance to sell out their members, if the information should be publicly leaked.
Congratulations on figuring out how to use whois! You're well on your way to becoming a Linux Ninja!
The most important "terms of service" that any of these middle-men type BS companies have is "no interaction can occur between members that doesn't result in us getting a cut of cash".
Go look at any TOS from any of the big "social" and "sharing" corporations. It is illegal for you to do anything on their websites that doesn't involve a: you watching ads, b: you paying them money, c: you giving up your privacy, d: some combo of a, b, and c.
...that somebody viewed the information I let everybody view on a site that is intended to make such information viewable by as many people as possible?
STOP THE PRESSES!!!! NEWSFLASH!!!!
(and this isn't even an EditorDavid story!)
I ditched LinkedIn the day after Microsoft bought them. But I've continued to get endless emails from people wanting to connect. I complained about a dozen times, but lately I've just ignored it. What are the odds that my login information -- which I have never been able to get LinkedIn to admit to having deleted -- is still stored in their system somewhere?
I decided after about half an hour that they were idiots, so I cut it short and tried to delete my account. They gave me a two-week runaround before actually removing it.
Whoever scraped it, there's no contract between LinkedIn and them and so no terms of service violation. It's also not illegal to read a website (i.e. "against the law" is bollocks).
This is quite normal: people publish stuff publicly and it's scraped by search engines, and they get all pissy, but just as Facebook keeps a large part of its content behind a login, so Linked In can/should.
It's funny, these companies get YOUR data and sell access to a full set of datamining to YOUR data, and then they get all pissy when someone else grabs YOUR data without paying THEM for it.
Good move. What do you want to bet that it was actually Microsoft violating the Chinese corporate wall to confiscate the data for its own nefarious purposes so that it has a copy later, and so it can access the email of people stupid enough to give Linkedin their email password but not stupid enough to host their email on a Microsoft spot. Gotta do something to trick people into Windows 10...
As they're going to be spammed to join linkedin for the rest of their lives.
Nor is what they did. Your unenforceable site-use toc won't help you either.
YOU published your member-supplied data on the available internets; what the fuck did you think would happen? That nobody would read any of it?
Where do you think Google gets its SERP excerpts from? Keywords for its index itself? The content for cached pages? They use crawlers, too. They siphon off all your content, too... AND republish it in whole or part... just like I'm guessing the people behind these crawlers you don't like did too.
ANYTHING ACCESSIBLE ON THE INTERNET CAN AND WILL BE DOWNLOADED (shocker, I know).
Given your own track record on sending spam, and doing your own sucking of data off people's devices, out of people's contacts, etc., etc., etc., do not expect any sympathy from, well, anyone. Your own hands have blood on them, too.
Just like most sites, you would probably never die. You would just be marked as deleted, and the deleted flag will propagate to offline backups eventually.
> But I've continued to get endless emails from people wanting to connect.
There is a link in those emails you can use to stop those notifications. You get these emails even if you are not a member of LinkedIn; that is just LinkedIn being LinkedIn.
Count me in for 1000 bucks that you are wrong.
Any notification from LinkedIn goes to spam. They harass you more than Viagra. How can a company so devoid of etiquette be granted so much power and trust?
All my linkedin profiles are filled up with counterfeited data, just like 99% of other user profiles.
> LinkedIn will suffer ongoing and irreparable harm to its consumer goodwill and trust, which LinkedIn has worked hard for years to earn and maintain, if the conduct continues.
Is that so? And here I was thinking that LinkedIn's reputation is the worst because it's doing things like grabbing the contacts from the address books of its members and then continuously spamming all their acquaintances with invitations to join the service.
LinkedIn formulates the emails in such a way as to appear that the actual member initiated a personal invitation, while the person has NO CLUE that the emails were sent out, as I have personally verified with several of my friends that "invited" me to join.
I've never had LinkedIn and I get tons of requests for people to join my network. LinkedIn just spams anyone, member or not.
Now the information my dog willingly put up for public consumption about his professional experience in the neighbourhood will be consumed by the public!
Is there something my dog can do about the loss of goodwill he now has for LinkedIn? He found it such a valuable resource for new leads on other dogs who might want to play ball with him or pee in his street. As one of the definitely 100% genuine and accurate 400 million profiles that LinkedIn enjoys, he is disappointed at being slighted by a business he trusted.
So a company which scraped data from public websites to build its own database just got its own public database scraped, and is pissed about it? Oh the irony.
Next thing you know, Google will be sued for crawling the internet with its automated spider to keep a database of sites you can search for. Some people just don't understand how the internet works. If you put stuff up on a billboard with blinky neon lights, people are going to see it. That's why you don't put your personal info on one.
http://www.bloomberg.com/news/articles/2016-08-05/this-company-has-built-a-profile-on-every-american-adult
In the modern era, there is no such thing as clearly legal when it involves a computer.
Unless it is a well-known company like Google, then it is ok.
For cybercrime, it isn't what you do ... it is who you are ... that determines if what you did was legal or illegal.
Your comment makes no sense as a reply to OP's concern about giving LinkedIn his email password
If "other people ... have [your email account password] in their address book", then you already DGAF about your email content privacy.
LinkedIn will go through your personal contacts and will mercilessly spam anyone who isn't already a member. For a company with poor etiquette, they are sure handed a lot of (undeserved) trust.
It's all info gathering, trading, and selling. I'm in IT Security. If I find significant personal info about a job applicant on LinkedIn, Facebook, Google, etc., game over. If someone is naive enough to make available PII, I have zero interest in letting them near the sensitive data I (we) protect.
LinkedIn has gotten away from what it was meant for. Now it's just someone posting "mind puzzles" or links to "do it your way" posts. Or Recruiters who get your info, with no jobs available and show how big their stable is to potential companies. Job hunted on there for a year, used their premium. Not even a phone call.
LinkedIn is horrible. Anyone who willingly signs up with them deserves whatever they get.
Of course, if the data was collected during the course of a country's open-source intelligence collection op, it would be perfectly lawful. So who could they sue in such cases? Domestically that would be unlawful. (They would have to defer to a closed source, muaahahahahaaaaa!)
LinkedIn spams the whole planet, it has nothing to do with you being a former user. Until recently there was NO WAY to opt out of the spam without CREATING an account. However, Gmail figured it out and will generate an email to list-unsubscribe@linkedin.com if you report it as spam.
The link in those emails asks you to CREATE an account, so that you can set up email preferences. They had no other way to opt out. I guess Google put their foot down, because now there's a list-unsubscribe@linkedin.com address that Gmail uses to opt you out when you flag it as spam.