LinkedIn breach: what we know and how to protect your account

- Was LinkedIn hacked? A history of breaches and scraping incidents
- What data was exposed in the LinkedIn breaches?
- Was there a LinkedIn password leak?
- Why scraping incidents are risky
- How to know if your LinkedIn data was leaked
- What you should do if your LinkedIn was compromised
- How Onerep helps reduce your online exposure
- FAQs
LinkedIn is a professional network with over 1 billion users all over the globe. It’s a terrific place for people to connect with peers, find job opportunities and build an online presence. But it’s also an attractive target for cybercriminals.
The threat is real: past security events associated with LinkedIn resulted in millions of leaked or scraped profiles, many of them surfacing on hacker forums to be sold and used for fraud.
Users want to be seen, but they also need to stay safe. This seems to be a trade-off you have to accept if you want to be part of a large network like LinkedIn. But what can you do to protect your data in case someone wants to steal it?
Read on to find the answer to this question and learn more about the LinkedIn breach that happened in 2012 as well as the 2021 and 2023 data scraping events.
Was LinkedIn hacked? A history of breaches and scraping incidents

Yes, cybercriminals have attempted to hack LinkedIn multiple times. The first known incident occurred on June 5, 2012, resulting in the theft of 6.5 million passwords. In 2016, though, it turned out that the hack was way more extensive, compromising the accounts of about 117 million individuals.
2012 LinkedIn hack: credentials stolen and sold
The 2012 LinkedIn data breach was made possible by a weakness in the way the platform protected stored passwords, a scheme that had become obsolete by cybersecurity standards.
On top of that, LinkedIn didn’t use password salting at the time. In simple terms, salting means adding extra random characters (a unique value for each password) to a password before hashing and storing it, so that identical passwords produce different stored values and hackers can’t work out the original passwords in bulk. Without salting, that is exactly what they did: the stored hashes were cracked without breaking a sweat, especially with many users having simple, weak passwords.
As a result, cybercriminals got access to:
- Emails
- Passwords
- Internal IDs
It was believed that the sensitive information of 6.5 million users was compromised as a file containing that data emerged on a hacker’s forum in 2012. However, the incident was brought back into the spotlight again in 2016, when a hacker named “Peace” announced the sale of a database containing information related to 117 million LinkedIn accounts.
Following the leak, LinkedIn released a data breach notice pointing out that the incident involved stolen credentials from 2012, and that their systems were not compromised again.
“On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. […] We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk.”
2021 LinkedIn scraping incident: 700M+ records for sale
In 2021, LinkedIn users’ data emerged on forums again. This time, it was a hacker calling himself “TomLiner”, who exploited the platform’s API (a set of rules software systems use to communicate with each other) to access a dataset of about 700 million LinkedIn users.
The dataset included:
- Names
- Emails
- Date of birth
- Gender
- Social media IDs
LinkedIn was quick to assure the public that this was “not a data breach and no private LinkedIn member data was exposed.” They called it a scraping event, meaning that the set of data posted for sale only included viewable member profile data.
It’s worth mentioning that scraping is different from hacking. It comes down to using automation software to collect publicly available data from websites at a scale almost impossible for humans if done manually. Unlike hackers, scrapers do not attempt to exploit system vulnerabilities to access sensitive private data — they are only after information that is already accessible online.
Data scraping is not entirely forbidden, and there’s some nuance to it. However, platforms like LinkedIn do not allow automated gathering of data and invest a lot in advanced protection technologies to prevent it from happening.
2023 scraping dataset: fake emails, real risk
Apparently, leveraging sophisticated detection tech doesn’t guarantee 100% protection against scrapers, who are constantly trying to up their automation game and find new ways of bypassing restrictions. In 2023, a hacking forum user called “USDoD” shared a database allegedly containing 35 million rows of data on LinkedIn Premium accounts. According to HaveIBeenPwned’s data breach database, this scraped and faked data incident affected 19.8 million accounts.
Among other things, the set of data included:
- Full names
- Emails
- Employer names
- Skills
- Job titles
- Summaries
Cybersecurity expert Troy Hunt analyzed the dataset and came to the conclusion that it “turned out to be a combination of publicly available LinkedIn profile data and 5.8 million email addresses mostly fabricated from a combination of first and last name,” as in “[first name].[last name]@”.
Hunt was right to observe that this pattern is, indeed, used by many people, but it’s far from the only way to create an email address.
However, despite many of the emails from the compromised database being fake, some of them were real, belonging to real people and putting them at risk for further exposure.
These email addresses can be used to uncover even more personal details, such as phone numbers, social media profiles, home addresses, family connections and more — often through reverse email lookups on data broker sites. Unfortunately, each piece of information found maximizes the effectiveness of future fraud attempts.
What data was exposed in the LinkedIn breaches?
While the 2012 LinkedIn breach mostly exposed hashed passwords and email addresses, the 2021 and 2023 scraping incidents came down to the aggregation of publicly available data from user profiles.
Commonly exposed data across incidents
Here’s the full list of exposed data throughout all the above-mentioned incidents:
- Full names
- Email addresses
- LinkedIn IDs and URLs
- Passwords
- Phone numbers
- Job titles and industries
- Employer names and addresses
- Date of birth
- Geolocations
- Gender
- Links to other social media profiles
- Skills
- Languages spoken
Was there a LinkedIn password leak?
Yes, a LinkedIn password leak happened in 2012, when hackers accessed hashed passwords stored by the platform.
2012 password leak explained
Back in 2012, LinkedIn stored user passwords hashed but unsalted. Hashing is “the process of transforming any given key or a string of characters into another value,” according to TechTarget. It’s a common cryptographic method used to protect passwords from unauthorized access.
Salting, in turn, means adding extra random characters to the password before hashing it, which makes the stored hash much harder to crack. LinkedIn skipped this step (the salt) and stored the hashed passwords directly. This was unfortunate, given that salting was already widely used and recommended as an effective password security practice at the time.
After the breach resurfaced in 2016, LinkedIn acknowledged the issue and announced improvements to its account security. The company began storing passwords using salted hashes and added two-step verification.
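The difference between unsalted and salted storage described above, as an added example that is not LinkedIn's or Onerep's code. It assumes SHA-1 as the fast unsalted hash and scrypt as the salted scheme (the article names neither), and the accounts and passwords are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; two users share one weak password.
USERS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "T7#qv!x2Lp"}

def unsalted_record(password):
    """Unsalted storage: one fast hash, so equal passwords give equal records."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_record(password, salt=b""):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)

def shared_digests(table):
    """Count accounts whose stored value is identical to another account's.
    A non-zero count in a credential table is a sign of unsalted storage."""
    counts = Counter(table.values())
    return sum(c for c in counts.values() if c > 1)

def accounts_matching_guess(table, guess):
    """Without a salt, hashing one guess once tests it against every account."""
    target = unsalted_record(guess)
    return sorted(user for user, stored in table.items() if stored == target)

if __name__ == "__main__":
    unsalted = {u: unsalted_record(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    print("shared records, unsalted:", shared_digests(unsalted))
    print("shared records, salted:  ", shared_digests(salted))
    print("exposed by one guess:    ", accounts_matching_guess(unsalted, "linkedin123"))
    print("salted login still works:", verify("linkedin123", salted["alice"]))
```

With salts, an attacker has to repeat the slow computation for every guess and every account separately, which is what makes weak passwords far more expensive to recover from a stolen table.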
Why scraping incidents are risky
There are a number of reasons why LinkedIn scraping events put users at risk:
- Phishing and social engineering: cybercriminals can use scraped data to write persuasive, personalized emails and manipulate users into sharing sensitive information.
- Impersonation: exposed data can fuel the creation of fake LinkedIn profiles pretending to be real people.
- Data enrichment: scraped data can be combined with information that is publicly available (e.g. on data brokers or social media) or was exposed in other breaches to create new opportunities for identity theft.
- Overall loss of privacy: even if the data was publicly accessible, collecting and sharing it across other datasets and forums can lead to usage that has never been intended or authorized.
How to know if your LinkedIn data was leaked
To see if your data was leaked, you can do the following:
- Use services like HaveIBeenPwned and Cybernews Leak Checker to check if your email, phone number or password was compromised.
- Watch out for any suspicious activity on your LinkedIn or related accounts, such as password reset emails, login alerts or phishing messages.
- Check if you’ve received a breach notification from LinkedIn or reach out to them to inquire about potential data leaks or scraping incidents.
What you should do if your LinkedIn was compromised
Take the following steps to protect your sensitive data and mitigate risk.
Report the incident to LinkedIn
Use LinkedIn’s official “Report Unauthorized Account Access or Changes” form to let them know immediately that you can no longer access your account or that you have noticed changes to it. LinkedIn promises to verify that it’s your account and help you regain access.
Change passwords and enable 2FA
If you are still able to log into your LinkedIn account, but you believe someone else has gained unauthorized access to it too, change your password as soon as possible. Be sure to come up with a strong one, which is not used for any other accounts or services. Turn on two-step verification to prevent unauthorized access even if someone knows your credentials.
Audit your LinkedIn profile privacy settings
Review your active sessions and immediately sign out of any you don’t recognize. Until the dust settles, you may also want to limit the visibility of any data related to your profile to make sure no one can manipulate it in fraud attempts.
Secure your other accounts
Double check that the email addresses and phone numbers you provided in the account settings are up-to-date and haven’t been compromised; LinkedIn will need those to send you a password reset message. Also check if other accounts of yours are using the same login and password you used for your LinkedIn account. You might want to tap into a password manager tool to help you change passwords and come up with stronger alternatives while doing so.
Watch for phishing and impersonation
Raise your guard when online, whether on LinkedIn or outside the platform, at least for some time. Stay alert when engaging with other content and people, especially those you don’t know. Scammers might attempt to steal your money or identity. Familiarize yourself with the list of scams you should be aware of, provided by LinkedIn.

How Onerep helps reduce your online exposure
If your personal data has been exposed during a LinkedIn data breach or scraping incident, you are at risk of fraud. Cybercriminals can use your leaked information in combination with other data found on you across the web to make theft attempts even more productive. Onerep reduces this risk significantly by helping you automatically remove your data from multiple data broker sites and Google.
Wipe your name and other details from data broker sites
Onerep scans 210+ data broker sites to find where your personal information is on public display and removes it on your behalf. The service won’t stop until all the websites with your data confirm that it has been completely removed, allowing you to track the progress in real time.
Monitor for reappearance of your personal info
Removing your information from data brokers is only half the job. These sites tend to quietly bring your data back online. What’s more, your details can surface on entirely new sites. Onerep guards against this by rescanning these sites for your data, whether it is reappearing or new.
FAQs
Was LinkedIn really hacked in 2021?
Not exactly. What happened in 2021 was a scraping event, meaning that someone used automation to collect vast amounts of profile data without users’ consent. This is forbidden by LinkedIn, but it still can’t be considered a hacking event.
Did LinkedIn have a password leak?
Yes, it occurred during the LinkedIn breach in 2012, when hackers got unauthorized access to millions of hashed passwords.
What’s the difference between a breach and data scraping?
A breach is an act of hacking, when someone exploits vulnerabilities in a system to gain unauthorized access to private data. In turn, data scraping involves automatically collecting publicly available data from a website or an app.
However, security experts continue to debate where exactly the difference between the two lies. There might be a fine line between a breach and a scrape. For example, Troy Hunt suggests that even if the data was publicly available, but it was accessed “by an unauthorised party in a fashion in which it was not intended to be made available,” then it should be considered a breach.
How can I check if my LinkedIn data was leaked?
You can use tools like HaveIBeenPwned or Cybernews Leak Checker to see if your data was affected.
Can I remove my LinkedIn data from the web?
You can only remove your LinkedIn data by editing your profile or deleting it altogether, but if it has resurfaced on other sites, such as data brokers, you might want to use services like Onerep to remove it from there, too.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.