Slashdot Mirror


LinkedIn Suffers Huge Bot Attack That Steals Members' Personal Data (siliconbeat.com)

An anonymous reader quotes a report from SiliconBeat: Data thieves used a massive "botnet" against professional networking site LinkedIn and stole members' personal information, a new lawsuit reveals. "LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information," said the company's complaint, filed in Northern California U.S. District Court (PDF). "During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as 'bots') have extracted and copied data from many LinkedIn pages." It is unclear to what extent LinkedIn has been able to stymie the attack. A statement from the firm's legal team suggests one avenue of penetration has been permanently closed, but does not address other means of incursion listed in the lawsuit. "Their actions have violated the trust that LinkedIn members place in the company to protect their information," the complaint said. "LinkedIn will suffer ongoing and irreparable harm to its consumer goodwill and trust, which LinkedIn has worked hard for years to earn and maintain, if the conduct continues." LinkedIn says it has more than 128 million U.S. members and more than 400 million worldwide. According to the complaint, the hackers got around six LinkedIn cybersecurity systems, and also manipulated a cloud-services company that was on the company's "whitelist" of "popular and reputable service providers, search engines and other platforms" which interact with LinkedIn under less severe security measures than other third parties. The manipulation allowed the hackers to send requests to LinkedIn servers. "This was not an attack or data breach where confidential data was stolen," LinkedIn's legal team said in a statement.
"This suit is about unknown entities using automated systems to scrape and copy data that members have made available on LinkedIn, violating the law and our Terms of Service."

  1. How is this a breach of terms? by Anonymous Coward · · Score: 5, Insightful

    Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

    Scraping a website isn't illegal. What, are they making a claim to the data on the website? That's rich.
    If companies want to complain that data can't be owned then they can't also complain when people take data from them.

    1. Re:How is this a breach of terms? by JustAnotherOldGuy · · Score: 4, Insightful

      Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

      Exactly. Page scraping isn't illegal (yet).

      If you put stuff out there for the public to consume, expect it to be consumed, just not necessarily in the way you intended.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re: How is this a breach of terms? by ArmoredDragon · · Score: 4, Interesting

      Regardless, even before reading this I've been debating deleting my LinkedIn account and only republishing it in the event that I get laid off. The site just strikes me as pointless, and all I get out of it is recruiter spam for jobs that pay about the same as what I'm getting now only in stupidly expensive areas like San Francisco...no thanks.

      In fact the only reason I created one to begin with is because the HR people at a place I interned for said it was a good idea to have one, but now I'm not so sure.

    3. Re:How is this a breach of terms? by Ol Olsoc · · Score: 4, Interesting

      Is there a clause in the terms saying "you can read our shit, but don't read lots of it too fast"?

      Exactly. Page scraping isn't illegal (yet).

      If you put stuff out there for the public to consume, expect it to be consumed, just not necessarily in the way you intended.

      Illegal or not, when I was first invited to LinkedIn, I thought I'd try it. Went through most of the process, and then they asked for my email password. SRSLY? Ostensibly to mine my address book for people to invite, but what the hell - they would have my password. So that was about enough of that.

      Giving them unfettered access to your email is probably the "other information" named in the summary. And now so do other people. Then again, someone who would share that sort of thing probably uses Password1 or some other dumb one.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. Maybe, maybe not. by dgatwood · · Score: 3, Insightful

    Scrapers are not a violation of the law, per se. Scrapers access material that is made publicly available. Claims that downloading that data is somehow illegal are downright silly, IMO.

    As to whether it was a violation of their terms of service or not, that likely depends on whether the bots were logged in and on whether the person logged in was aware that the bots were being used in his/her name. If the bots were not logged in, then it is no different from scraping a website, which is likely not illegal unless you then use that scraped data in a way that would be illegal. If the bots were logged in, then it is a violation of terms of service if the user was aware of the bot activity, or illegal if the user was not.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. So where's the real breach? by wvmarle · · Score: 4, Insightful

    So now someone is accessing LinkedIn on a big scale to access public information on that site. Information that was explicitly made public, and that was placed there for everyone to see.

    So how is this a breach or even "theft"? While maybe not entirely ethical or the way it's meant to work, it seems they're accessing nothing but public data.

  4. WTF did I just read?? by Narcocide · · Score: 3, Interesting

    LinkedIn has worked hard to maintain consumer goodwill and trust? Since fucking when!? Even if you don't register, they populate a profile for you with data from other people searching for your non-existent profile, and then show it to other people without distinguishing you from an actual registered user. Add to that the JavaScript XSS vulnerabilities they've been plagued with since day 1 because they don't hire as well as they help other people hire, and you will probably see why I'm not buying any of this trustworthiness crap.

  5. Sir! by flopsquad · · Score: 3, Funny

    Sgt: Sir, we had a data breach!
    Gen: Stolen passwords again?
    Sgt: Worse! They've downloaded publicly available information!
    Gen: Gah! What kind of depraved madmen would do such a thing!?
    Sgt: We don't know, but we're suing them.
    Gen: Oh. Good then. Carry on.

    --
    Nothing posted to /. has ever been legal advice, including this.
  6. Webscraping by 110010001000 · · Score: 3, Insightful

    Webscraping isn't illegal. It might be against the terms of service, but what are you going to do? Revoke their accounts?

  7. So just like Google then ... by chuckugly · · Score: 3, Insightful

    I'm pretty sure spidering a website isn't all that new, I'm curious why it's even interesting?

  8. How long does it take to actually die in LinkedIn? by Anonymous Coward · · Score: 3, Interesting

    I ditched LinkedIn the day after Microsoft bought them. But I've continued to get endless emails from people wanting to connect. I complained about a dozen times, but lately I've just ignored it. What are the odds that my login information -- which I have never been able to get LinkedIn to admit to having deleted -- is still stored in their system somewhere?

  9. Re:Let me save you the trouble by ultranova · · Score: 3, Funny

    Mathematical formulas: "99% of the population can't resolve this. Can you? 1 + 1 x 0 = ?"

    They never ask tricky questions like that. Some, if not most people will be tempted to answer 0 while for a mathematician, the correct answer is 1.

    I honestly can't tell if you're serious or not. The correct answer is obviously "yes".

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.