LinkedIn Suffers Huge Bot Attack That Steals Members' Personal Data (siliconbeat.com)
An anonymous reader quotes a report from SiliconBeat: Data thieves used a massive "botnet" against professional networking site LinkedIn and stole members' personal information, a new lawsuit reveals. "LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information," said the company's complaint, filed in Northern California U.S. District Court (PDF). "During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as 'bots') have extracted and copied data from many LinkedIn pages." It is unclear to what extent LinkedIn has been able to stymie the attack. A statement from the firm's legal team suggests one avenue of penetration has been permanently closed, but does not address other means of incursion listed in the lawsuit. "Their actions have violated the trust that LinkedIn members place in the company to protect their information," the complaint said. "LinkedIn will suffer ongoing and irreparable harm to its consumer goodwill and trust, which LinkedIn has worked hard for years to earn and maintain, if the conduct continues." LinkedIn says it has more than 128 million U.S. members and more than 400 million worldwide. According to the complaint, the hackers got around six LinkedIn cybersecurity systems, and also manipulated a cloud-services company that was on the company's "whitelist" of "popular and reputable service providers, search engines and other platforms" which interact with LinkedIn under less severe security measures than other third parties. The manipulation allowed the hackers to send requests to LinkedIn servers. "This was not an attack or data breach where confidential data was stolen," LinkedIn's legal team said in a statement.
"This suit is about unknown entities using automated systems to scrape and copy data that members have made available on LinkedIn, violating the law and our Terms of Service."
LinkedIn has worked hard to maintain consumer goodwill and trust? Since fucking when!? Even if you don't register, they populate a profile for you with data from other people searching for your non-existent profile, and then show it to other people without distinguishing you from an actual registered user. Add to that the JavaScript XSS vulnerabilities they've been plagued with since day 1 because they don't hire as well as they help other people hire, and you will probably see why I'm not buying any of this trustworthiness crap.
Regardless, even before reading this I've been debating deleting my LinkedIn account and only republishing it in the event that I get laid off. The site just strikes me as pointless, and all I get out of it is recruiter spam for jobs that pay about the same as what I'm getting now only in stupidly expensive areas like San Francisco...no thanks.
In fact the only reason I created one to begin with is because the HR people at a place I interned for said it was a good idea to have one, but now I'm not so sure.
Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?
Exactly. Page scraping isn't illegal (yet).
If you put stuff out there for the public to consume, expect it to be consumed, just not necessarily in the way you intended.
Illegal or not, when I was first invited to LinkedIn, I thought I'd try it. Went through most of the process, and then they asked for my email password. SRSLY? Ostensibly to mine my address book for people to invite, but what the hell - they would have my password. So that was about enough of that.
Giving them unfettered access to your email is probably the "other information" named in the summary. And now so do other people. Then again, someone who would share that sort of thing probably uses Password1 or some other dumb one.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I ditched LinkedIn the day after Microsoft bought them. But I've continued to get endless emails from people wanting to connect. I complained about a dozen times, but lately I've just ignored it. What are the odds that my login information -- which I have never been able to get LinkedIn to admit to having deleted -- is still stored in their system somewhere?