Slashdot Mirror


LinkedIn Suffers Huge Bot Attack That Steals Members' Personal Data (siliconbeat.com)

An anonymous reader quotes a report from SiliconBeat: Data thieves used a massive "botnet" against professional networking site LinkedIn and stole members' personal information, a new lawsuit reveals. "LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information," said the company's complaint, filed in Northern California U.S. District Court (PDF). "During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as 'bots') have extracted and copied data from many LinkedIn pages." It is unclear to what extent LinkedIn has been able to stymie the attack. A statement from the firm's legal team suggests one avenue of penetration has been permanently closed, but does not address other means of incursion listed in the lawsuit. "Their actions have violated the trust that LinkedIn members place in the company to protect their information," the complaint said. "LinkedIn will suffer ongoing and irreparable harm to its consumer goodwill and trust, which LinkedIn has worked hard for years to earn and maintain, if the conduct continues." LinkedIn says it has more than 128 million U.S. members and more than 400 million worldwide. According to the complaint, the hackers got around six LinkedIn cybersecurity systems, and also manipulated a cloud-services company that was on the company's "whitelist" of "popular and reputable service providers, search engines and other platforms" which interact with LinkedIn under less severe security measures than other third parties. The manipulation allowed the hackers to send requests to LinkedIn servers. "This was not an attack or data breach where confidential data was stolen," LinkedIn's legal team said in a statement. "This suit is about unknown entities using automated systems to scrape and copy data that members have made available on LinkedIn, violating the law and our Terms of Service."


  1. How is this a breach of terms? by Anonymous Coward · · Score: 5, Insightful

    Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

    Scraping a website isn't illegal. What, are they making a claim to the data on the website? That's rich.
    If companies want to complain that data can't be owned then they can't also complain when people take data from them.

    1. Re:How is this a breach of terms? by JustAnotherOldGuy · · Score: 4, Insightful

      Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

      Exactly. Page scraping isn't illegal (yet).

      If you put stuff out there for the public to consume, expect it to be consumed, just not necessarily in the way you intended.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re: How is this a breach of terms? by ArmoredDragon · · Score: 4, Interesting

      Regardless, even before reading this I've been debating deleting my LinkedIn account and only republishing it in the event that I get laid off. The site just strikes me as pointless, and all I get out of it is recruiter spam for jobs that pay about the same as what I'm getting now only in stupidly expensive areas like San Francisco...no thanks.

      In fact the only reason I created one to begin with is because the HR people at a place I interned for said it was a good idea to have one, but now I'm not so sure.

    3. Re:How is this a breach of terms? by Ol+Olsoc · · Score: 4, Interesting

      Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

      Exactly. Page scraping isn't illegal (yet).

      If you put stuff out there for the public to consume, expect it to be consumed, just not necessarily in the way you intended.

      Illegal or not, when I was first invited to LinkedIn, I thought I'd try it. Went through most of the process, and then they asked for my email password. SRSLY? Ostensibly to mine my address book for people to invite, but what the hell - they would have my password. So that was about enough of that.

      Giving them unfettered access to your email is probably the "other information" named in the summary. And now so do other people. Then again, someone who would share that sort of thing probably uses Password1 or some other dumb one.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:How is this a breach of terms? by Anonymous Coward · · Score: 1

      Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

      Effectively yes.

      Scraping a website isn't illegal.

      But it is against the Ts & Cs of access.

    5. Re:How is this a breach of terms? by Luthair · · Score: 1

      Hey, I don't know what to say my web browser was just pre-fetching the site so I could browse it more quickly.

    6. Re:How is this a breach of terms? by jrumney · · Score: 2

      You know you can just skip that step...just like Facebook, Twitter, Whatsapp and a bunch of others that ask for access to your contact list just so they can spam them.

    7. Re:How is this a breach of terms? by Ol+Olsoc · · Score: 1

      You know you can just skip that step...just like Facebook, Twitter, Whatsapp and a bunch of others that ask for access to your contact list just so they can spam them.

      I did. I wouldn't trust anyone who asks me for my email password. That's pretty egregious. So I skipped them altogether.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    8. Re:How is this a breach of terms? by Anonymous Coward · · Score: 1

      You know you can just skip that step.

      Sure... problem is, other people don't skip it, and they have your info in their address books. Thus, against your will, they have given it to LinkedIn.

      There's no way to keep it out of your hands. You can't in any practical way expect every one of your professional contacts to do the right thing.

    9. Re: How is this a breach of terms? by JustAnotherOldGuy · · Score: 1

      I don't have a LinkedIn account and it hasn't hampered me.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    10. Re:How is this a breach of terms? by ThatsMyNick · · Score: 1

      If your email provider is a public email provider (like gmail), they ask for your other email passwords so they can import contacts too, when you signup. I guess you have to stop using all public email providers, cos they all pull the same shit.

    11. Re:How is this a breach of terms? by johanw · · Score: 1

      And these "terms" are legally binding why exactly?

    12. Re: How is this a breach of terms? by serviscope_minor · · Score: 1

      I'd be interested to hear if anyone here has a counter example. I certainly don't. I don't seem to have ever gotten anything useful out of it.

      --
      SJW n. One who posts facts.
    13. Re:How is this a breach of terms? by Ol+Olsoc · · Score: 1

      If your email provider is a public email provider (like gmail), they ask for your other email passwords so they can import contacts too, when you signup. I guess you have to stop using all public email providers, cos they all pull the same shit.

      They don't get any such thing from me. It's not even like I have anything to hide, but they might.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    14. Re:How is this a breach of terms? by ThatsMyNick · · Score: 1

      Of course they dont get any such thing from you. They still ask it, just like linkedin, and provide a skip option just like linkedin.

    15. Re:How is this a breach of terms? by Ol+Olsoc · · Score: 1

      Of course they dont get any such thing from you. They still ask it, just like linkedin, and provide a skip option just like linkedin.

      They get it from a lot of folks though. I'm just saying that is a remarkably foolish thing to do. You have an issue with people offering prudent advice?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    16. Re:How is this a breach of terms? by mikeiver1 · · Score: 1

      Funny this one, isn't it all there for anyone to see if you simply join? Oh my, they didn't join and yet still have access to the data? My O My, what are we to do? (wringing hands in consternation) I have a page but post not a single bit of truth or useful information on it. It is simply a place holder and nothing more. Enjoy that info you pulled from me, it is utterly without worth.

    17. Re: How is this a breach of terms? by Lumpy · · Score: 1

      The problem is HR.

      I recently landed a gig with a major pay hike by getting the managers of the actual team to want me on their team.

      I apply and start the dance with HR.

      "how much do you want?"

      I want $XXX,XXX as it's compensating for the major cost of living increase and a increase for me as I am moving for you and changing jobs.

      "We wont go that high"

      well, that is my offer, if you cant meet it, have a nice day.

      Two weeks later HR called me back saying they accepted my offer.

      Ignore ANYTHING recruiters or HR people tell you. They dont know shit about what you should be paid. And always go around them to the actual people wanting to fill a position. they understand reality.

      --
      Do not look at laser with remaining good eye.
    18. Re:How is this a breach of terms? by ThatsMyNick · · Score: 1

      Nope, I have an issue with people taking issue with linkedin, but not with gmail (when they both do the same thing).

      I agree that it is shitty practice, and they should be criticized for it.

    19. Re:How is this a breach of terms? by Reziac · · Score: 1

      I have a LinkedIn account, but it doesn't get access to my email. I use it mostly to keep track of professional acquaintances; why would I put personal info there or give it access to my address book?

      I expect the main fallout from this targeted scrape (it doesn't sound like an actual data breach) will be a minor uptick in spam. Like that's news...

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    20. Re:How is this a breach of terms? by eric_harris_76 · · Score: 1

      Yeah. Is "steal" even the right verb, here? I don't think so.

      --
      There's no time like the present. Well, the past used to be.
    21. Re: How is this a breach of terms? by OffTheWallSoccer · · Score: 1

      I'd be interested to hear if anyone here has a counter example. I certainly don't. I don't seem to have every got anything useful out of it.

      I can give you three examples from my own experience.

      1. My LinkedIn connections (former colleagues, mostly) have contacted me to see if my employer is hiring or if I can submit their resume for a job posting. I have helped many folks secure jobs this way.

      2. I have also been approached by people in my LinkedIn network, asking if I wanted to come work with them. I have gotten several jobs that way. (When I wasn't even looking for a job.)

      3. The reverse of #2 -- When looking for people to join my team, I go through my LinkedIn network and ask folks if they might be interested in working on a new project.

      The best way to find a rewarding job is via networking (i.e. word of mouth), and LinkedIn makes networking very easy.
      The best time to recruit someone (former colleague) is when they are not looking.

  2. Maybe, maybe not. by dgatwood · · Score: 3, Insightful

    Scrapers are not a violation of the law, per se. Scrapers access material that is made publicly available. Claims that downloading that data is somehow illegal are downright silly, IMO.

    As to whether it was a violation of their terms of service or not, that likely depends on whether the bots were logged in and on whether the person logged in was aware that the bots were being used in his/her name. If the bots were not logged in, then it is no different from scraping a website, which is likely not illegal unless you then use that scraped data in a way that would be illegal. If the bots were logged in, then it is a violation of terms of service if the user was aware of the bot activity, or illegal if the user was not.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. So where's the real breach? by wvmarle · · Score: 4, Insightful

    So now someone is accessing LinkedIn on a big scale to access public information on that site. Information that was explicitly made public, and that was placed there for everyone to see.

    So how is this a breach or even "theft"? While maybe not entirely ethical or the way it's meant to work, it seems they're accessing nothing but public data.

    1. Re:So where's the real breach? by Anonymous Coward · · Score: 1

      It pisses off LinkedIn because their business model is to collect and sell that data themselves.

  4. Don't understand the problem by Anonymous Coward · · Score: 2, Insightful

    I put my information on LinkedIn precisely so other can find it.

    1. Re:Don't understand the problem by Reziac · · Score: 1

      Exactly. Its function is as a business card kiosk, where you WANT people to take your "card" (info), to remind your fellow professionals that you exist, and maybe let other professionals find you.

      If you're using it for personal info, you've misspelled "Facebook".

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    2. Re:Don't understand the problem by OffTheWallSoccer · · Score: 1

      Well said.

  5. WTF did I just read?? by Narcocide · · Score: 3, Interesting

    LinkedIn has worked hard to maintain consumer goodwill and trust? Since fucking when!? Even if you don't register, they populate a profile for you with data from other people searching for your non-existent profile, and then show it to other people without distinguishing you from an actual registered user. Add to that the JavaScript XSS vulnerabilities they've been plagued with since day 1 because they don't hire as well as they help other people hire, and you will probably see why I'm not buying any of this trustworthiness crap.

  6. Sir! by flopsquad · · Score: 3, Funny

    Sgt: Sir, we had a data breach!
    Gen: Stolen passwords again?
    Sgt: Worse! They've downloaded publicly available information!
    Gen: Gah! What kind of depraved madmen would do such a thing!?
    Sgt: We don't know, but we're suing them.
    Gen: Oh. Good then. Carry on.

    --
    Nothing posted to /. has ever been legal advice, including this.
  7. They should have used stopforumspam or botscout or at least throttled their bandwidth for excessive page requests.

    No human reads 50 LinkedIn profiles a minute, FFS. Throttling the bandwidth would have been the simplest solution, something like bw_share would do it.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: Doh by BlckAdder · · Score: 1

      Read the filing and you'll see that that's what they do. The bots are circumventing their throttling. They seem to have other countermeasures as well, which are also being circumvented, though none of it looks like a hack. More like well orchestrated abuse of soft limits and behavior-based controls. They allege that the bots are scraping information from the site both anonymously and while logged in. Probably different types of bot.

    2. Re: Doh by JustAnotherOldGuy · · Score: 1

      The bots are circumventing their throttling.

      Yes, if they were running through a large list of IPs and taking some simple steps to avoid tracking (constantly clearing cookies, varying the user agent string, etc) they could get away with it.

      I've done a few scrape jobs in my time, it's not all that hard. You can slow the scraper down a little (maybe) but you can't stop it without some kind of ridiculously restrictive controls (the kind that would also hamper real users).

      You could probably get this page-scraping job done on Amazon's Mechanical Turk for not too much money, or pay a couple of coders to whip up some scripts at a reasonable price.

      --
      Just cruising through this digital world at 33 1/3 rpm...
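The two comments above describe the cat-and-mouse game from both sides: a per-IP throttle is the simplest soft limit, and a scraper beats it by rotating addresses, clearing cookies and varying its user agent. The following is an added example, not code from the original page or from LinkedIn, showing why a per-IP limit alone is weak and what a second, coarser signal looks like. It runs a sliding-window limiter keyed on the client address, then the same limiter keyed on the client's /24 network, over constructed log lines. The log format, the thresholds, and the assumption that public profiles live under a `/in/` path are all choices made for this example.

```python
"""Scraper detection over constructed web-server log lines (example only).

Check 1: per-IP sliding-window throttle, the kind of soft limit a site applies.
Check 2: the same throttle keyed on the /24 network, which still fires when a
         scraper spreads its requests across many addresses in one block and
         presents a fresh cookie and user agent on every request.
Log format, thresholds and the /in/ profile path are assumptions for this example.
"""
from collections import defaultdict, deque
import ipaddress
import re

# Assumed log format: <ip> [<unix_ts>] "GET <path>" <cookie> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "GET (?P<path>\S+)" (?P<cookie>\S+) "(?P<ua>[^"]*)"$'
)
# Assumed: public profile pages are the only thing a scraper wants
PROFILE_RE = re.compile(r"^/in/[^/]+/?$")


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window`-second span."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def hit(self, key, ts):
        """Record one hit; return True when the key is now over its limit."""
        q = self.hits[key]
        while q and ts - q[0] >= self.window:
            q.popleft()          # drop hits that fell out of the window
        q.append(ts)
        return len(q) > self.limit


def analyse(lines, per_ip_limit=20, per_net_limit=60, window=60):
    """Return (flagged_ips, flagged_nets, per-net stats) for profile views only."""
    per_ip = SlidingWindowLimiter(per_ip_limit, window)
    per_net = SlidingWindowLimiter(per_net_limit, window)
    flagged_ips, flagged_nets = set(), set()
    seen = defaultdict(lambda: {"views": 0, "ips": set(), "cookies": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROFILE_RE.match(m["path"]):
            continue             # ignore malformed lines and non-profile requests
        ts, ip = int(m["ts"]), m["ip"]
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        s = seen[net]
        s["views"] += 1
        s["ips"].add(ip)
        s["cookies"].add(m["cookie"])
        if per_ip.hit(ip, ts):
            flagged_ips.add(ip)
        if per_net.hit(net, ts):
            flagged_nets.add(net)
    stats = {n: {"views": s["views"], "ips": len(s["ips"]), "cookies": len(s["cookies"])}
             for n, s in seen.items()}
    return flagged_ips, flagged_nets, stats


def build_sample_log():
    """Constructed traffic (not real data) from documentation-reserved address ranges."""
    lines = []
    # A person: five profiles over a minute, one session cookie, one browser.
    for i in range(5):
        lines.append(f'198.51.100.7 [{1000 + i * 12}] "GET /in/person{i}" sess-h1 "Mozilla/5.0 Firefox/45.0"')
    # Bot A: one address, 30 profile views in 30 seconds. The per-IP limit catches it.
    for i in range(30):
        lines.append(f'203.0.113.5 [{1000 + i}] "GET /in/person{i}" sess-a1 "python-requests/2.9"')
    # Bot B: 40 addresses in one /24, two views each, new cookie and UA version every
    # request. No single IP trips the per-IP limit; the /24 aggregate does.
    for i in range(40):
        for j in range(2):
            lines.append(f'192.0.2.{i + 1} [{1000 + i}] "GET /in/person{i * 2 + j}" c{i}-{j} "Mozilla/5.0 Firefox/{40 + i}.0"')
    # Static asset fetch: must not count as a profile view.
    lines.append('203.0.113.5 [1005] "GET /static/app.js" sess-a1 "python-requests/2.9"')
    return lines


if __name__ == "__main__":
    ips, nets, stats = analyse(build_sample_log())
    print("per-IP flagged:", sorted(ips))
    print("per-/24 flagged:", sorted(nets))
    for net, s in sorted(stats.items()):
        print(net, s)
```

The /24 aggregate is a signal to feed into a behaviour-based decision, not something to block on outright: a corporate NAT or a university block can legitimately produce many views from one network, and a scraper that spreads across many networks (as the commenter above notes is cheap to do) will stay under any single key. The per-network cookie and address counts in `stats` are the useful tell in the constructed data: 80 views, 40 addresses and 80 distinct cookies in forty seconds does not look like people.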
  8. Um... by quonsar · · Score: 2

    So LinkedIn is suing exactly 100 unknown entities? Doesn't even make sense, except as some sort of PR ploy.

  9. Webscraping by 110010001000 · · Score: 3, Insightful

    Webscraping isn't illegal. It might be against the terms of service, but what are you going to do? Revoke their accounts?

    1. Re:Webscraping by Luthair · · Score: 1

      Probably charge them with hacking because thats how the US government works.

  10. That Steals Members' Personal Data by frovingslosh · · Score: 1

    I call B.S. If it was personal data then you shouldn't have given it to LinkedIn in the first place.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  11. Re:Let me save you the trouble by ChunderDownunder · · Score: 1

    linkedin is these days mostly social media for millennial recruiters such as those stupid mathematical formula puzzles.

    "Oooh, look at lovely cake Bridget baked for Friday morning tea"
    "Congratulations to Jeremy and Ivan for finishing second in the badminton at the corporate games"
    "top 17 techniques for sprucing up your CV"

    Maybe once a year will one of them actually contact me about a role they have. Perhaps if someone scrapes and on-sells my data I might get a few more leads!

  12. So just like Google then ... by chuckugly · · Score: 3, Insightful

    I'm pretty sure spidering a website isn't all that new, I'm curious why it's even interesting?

  13. This was far worse than "public" scraping by radicimo · · Score: 1

    I've been on LinkedIn a long time and observed a few botnets in my day that operate through other vectors. This botnet was not just scraping public profiles! Keep in mind that on LinkedIn you can have a public profile and you can have a private profile (only available to your contacts).

    I would bet that these bots were LI profiles that passed for people. After all LI bots are unlikely to be so different from Twitter bots. My guess is that this botnet used fake profiles and scraped private data that was only available to contacts in-network. Probably also crawled contact lists and tried to "link in" with all contacts of every new contact that was made. Undoubtedly a ToS violation and arguably criminal under the CFAA. Most people are promiscuous in their social networks and will accept connections without much thought. I have always tried to be very diligent about my contacts on LI -- If we didn't work together or meet in person, you're out of network BUZZ OFF. I have seen plenty of fake profiles and recruiters try to claim a connection with me that did not exist. Recruiters are almost as bad as the bots.

    Presumably the LinkedIn team now believes they've expunged the culprits and must have enough forensic evidence to tie together a short list of IP addresses where the trail goes cold on someone else's network. Would be interested to understand more about how automated this botnet was and how C&C was implemented. Was C&C completely internal to LI using their messaging system or old-school IRC or new-school Twitter?

    --
    100 REM PISS OFF CODE FASCISTS 200 GOTO 100
    1. Re:This was far worse than "public" scraping by Zontar+The+Mindless · · Score: 1

      There are other websites. Perhaps you should go try reading one of them.

      --
      Il n'y a pas de Planet B.
    2. Re:This was far worse than "public" scraping by Shag · · Score: 1

      This is one of my concerns - the possibility that the scraping was done using actual LinkedIn accounts, with connections and thus to some extent contains information that wasn't in public profiles.

      My other concern is that even if you're limited to public information, if you have enough of it, you can deduce non-public stuff.

      Maybe it's one of the big "profiles based on public records" companies; maybe it's state-sponsored or some kind of non-state actor.

      Anyway, from an opsec angle, I felt justified blanking my profile - just days after someone told me it was far more interesting than those of Silicon Valley millionaires. Haven't dropped my connections yet, but continuing to back away from social / professional networking.

      Next I need to remember my password for Academia, which regularly sends me email noting that someone I've never heard of is following me on there, and asking me to confirm that I know them.

      --
      Village idiot in some extremely smart villages.
    3. Re:This was far worse than "public" scraping by radicimo · · Score: 1

      The open question is did they hijack real accounts or only crawl via fake profiles? Would like to know how command & control was handled. Based on my read, this was more than a scrape job and much more programmatic.

      --
      100 REM PISS OFF CODE FASCISTS 200 GOTO 100
  14. Trust? by Luthair · · Score: 2

    The suckers who use LinkedIn do so specifically to make this sort of information public so people can find them. They 'trust' LinkedIn to make it publicly available.

  15. "trust" by Iamthecheese · · Score: 1

    That data was up for sale. Only the very least informed trusted it to be private. What Linkedin really lost was the chance to sell out their members, if the information should be publicly leaked.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
  16. Re:Anybody near SAN DIEGO, CA ? by 93+Escort+Wagon · · Score: 2

    Congratulations on figuring out how to use whois! You're well on your way to becoming a Linux Ninja!

    --
    #DeleteChrome
  17. Are you telling me... by BenJeremy · · Score: 1

    ...that somebody viewed the information I let everybody view on a site that is intended to make such information viewable by as many people as possible?

    STOP THE PRESSES!!!! NEWSFLASH!!!!

    (and this isn't even an EditorDavid story!)

  18. How long does it take to actually die in LinkedIn? by Anonymous Coward · · Score: 3, Interesting

    I ditched LinkedIn the day after Microsoft bought them. But I've continued to get endless emails from people wanting to connect. I complained about a dozen times, but lately I've just ignored it. What are the odds that my login information -- which I have never been able to get LinkedIn to admit to having deleted -- is still stored in their system somewhere?

  19. Had interview with those clowns a few years back.. by jcr · · Score: 1

    I decided after about half an hour that they were idiots, so I cut it short and tried to delete my account. They gave me a two-week runaround before actually removing it.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  20. There's no contract there by Anonymous Coward · · Score: 1

    Whoever scraped it, there's no contract between LinkedIn and them and so no terms of service violation. It's also not illegal to read a website (i.e. "against the law" is bollocks).

    This is quite normal, people publish stuff publicly and it's scraped by search engines, and they get all pissy, but just as Facebook keeps a large part of its content behind a login, so LinkedIn can/should.

    It's funny, these companies get YOUR data and sell access to a full set of datamining to YOUR data, and then they get all pissy when someone else grabs YOUR data without paying THEM for it.

    1. Re:There's no contract there by michelcolman · · Score: 1

      Wasn't there some new law equating website ToS violations to hacking with penalties of 800 years in prison, regardless of whether you ever agreed to them or not? Probably tucked into a law about lead content in diapers?

  21. Re:Let me save you the trouble by ls671 · · Score: 1

    They never ask tricky questions like that. Some, if not most people will be tempted to answer 0 while for a mathematician, the correct answer is 1. So, from a mathematician perspective, it might be fair to say that 99% of the population can't answer this correctly.

    --
    Everything I write is lies, read between the lines.
  22. It's the Hacker's family I feel sorry for. by gijoel · · Score: 1

    As they're going to be spammed to join linkedin for the rest of their lives.

  23. Re:How long does it take to actually die in Linked by ThatsMyNick · · Score: 1

    Just like most sites, you would probably never die. You would just be marked as deleted, and the deleted flag will propagate to offline backups eventually.

    But I've continued to get endless emails from people wanting to connect.

    There is a link in those emails you can use to stop those notifications. You get these emails even if you are not a member of LinkedIn, that is just LinkedIn being LinkedIn.

  24. Re: Let me save you the trouble by Antique+Geekmeister · · Score: 1

    "Plus a constant".

    See http://www.pleacher.com/mp/mhu...

  25. Who cares ? by LordHighExecutioner · · Score: 2

    All my linkedin profiles are filled up with counterfeited data, just like 99% of other user profiles.

    1. Re:Who cares ? by OffTheWallSoccer · · Score: 1

      All my linkedin profiles are filled up with counterfeited data, just like 99% of other user profiles.

      What's the point of having a LinkedIn account (let alone multiple accounts) if you defeat the purpose of letting others find you to see if you are interested in a job?

      If you network at all (which is the best way to find a job or find someone to hire), then a site like LinkedIn helps with that.

    2. Re:Who cares ? by Reziac · · Score: 1

      Exactly.

      Also, LinkedIn has been rather less annoying than the alternatives. I can actually find people there, should I wish. And apparently they can find me. Nearly all have been people I know -- not getting the who-the-hell?? so common in followers elsewhere.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  26. Re:How long does it take to actually die in Linked by Anonymous Coward · · Score: 1

    I've never had LinkedIn and I get tons of requests for people to join my network. LinkedIn just spams anyone, member or not.

  27. Google Crawler by zifn4b · · Score: 1

    Next thing you know, Google will be sued for crawling the internet with its automated spider to keep a database of sites you can search for. Some people just don't understand how the internet works. If you put stuff up on a billboard with blinky neon lights, people are going to see it. That's why you don't put your personal info on one.

    --
    We'll make great pets
  28. Re:Let me save you the trouble by ultranova · · Score: 3, Funny

    Mathematical formulas: "99% of the population can't resolve this. Can you? 1 + 1 x 0 = ?"

    They never ask tricky questions like that. Some, if not most people will be tempted to answer 0 while for a mathematician, the correct answer is 1.

    I honestly can't tell if you're serious or not. The correct answer is obviously "yes".

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  29. They can have it by thundercattt · · Score: 1

    LinkedIn has gotten away from what it was meant for. Now it's just someone posting "mind puzzles" or links to "do it your way" posts. Or Recruiters who get your info, with no jobs available and show how big their stable is to potential companies. Job hunted on there for a year, used their premium. Not even a phone call.

  30. Intelligence Collection? by tmjva · · Score: 1

    Of course, if the data was collected during the course of a country's open source intelligence collection op, it would be perfectly lawful. So who could they sue in such cases? Domestically that would be unlawful. (They would have to defer to a closed source, muaahahahahaaaaa!)

    --
    Tracy Johnson
    Old fashioned text games hosted below:
    http://empire.openmpe.com/
    BT
  31. Re:How long does it take to actually die in Linked by evilviper · · Score: 1

    LinkedIn spams the whole planet, it has nothing to do with you being a former user. Until recently there was NO WAY to opt out of the spam without CREATING an account. However, Gmail figured it out and will generate an email to list-unsubscribe@linkedin.com if you report it as spam.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  32. Re:How long does it take to actually die in Linked by evilviper · · Score: 1

    The link in those emails asks you to CREATE an account, so that you can set up email preferences. They had no other way to opt out. I guess Google put their foot down, because now there's a list-unsubscribe@linkedin.com address that Gmail uses to opt you out when you flag it as spam.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant