LinkedIn suffers huge bot attack that steals members’ personal data
Data thieves used a massive “botnet” against professional networking site LinkedIn and stole member’s personal information, a new lawsuit reveals.
The Mountain View firm filed the federal suit this week in an attempt to uncover the perpetrators.
“LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information,” said the company’s complaint, filed in Northern California U.S. District Court.
“During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as ‘bots’) have extracted and copied data from many LinkedIn pages.”
It is unclear to what extent LinkedIn has been able to stymie the attack. A statement from the firm’s legal team suggests one avenue of penetration has been permanently closed, but does not address other means of incursion listed in the lawsuit.
LinkedIn’s assailants have been “distributing” stolen data to “others,” the lawsuit said.
The scammers broke “an array of federal and state laws” by skirting “several technical barriers” intended to prevent what the firm refers to as “data scraping.”
“Their actions have violated the trust that LinkedIn members place in the company to protect their information,” the complaint said. “LinkedIn will suffer ongoing and irreparable harm to its consumer goodwill and trust, which LinkedIn has worked hard for years to earn and maintain, if the … conduct continues.”
LinkedIn says it has more than 128 million U.S. members and more than 400 million worldwide. The court filing does not reveal the number of users whose data has been stolen, other than to say the attackers have hit many member pages.
Attackers had created thousands of fake profiles on the site that “polluted the LinkedIn user environment” and enabled the data scraping, the suit said.
To pilfer the data, hackers used “a highly coordinated and automated network of computers” known as a “botnet,” LinkedIn’s complaint said. The assailants have hidden anonymously behind thousands of IP addresses (numbers representing individual computers), the lawsuit said. Six of the company’s systems for preventing such data thefts failed to stop the data thefts, according to the complaint.
The firm said in the suit that it “responded swiftly” to the attack and put up additional technical barriers. “This was not an attack or data breach where confidential data was stolen,” LinkedIn’s legal team said in a statement. “This suit is about unknown entities using automated systems to scrape and copy data that members have made available on LinkedIn, violating the law and our Terms of Service.”
According to the complaint, the hackers got around six LinkedIn cybersecurity systems, and also manipulated a cloud-services company that was on the company’s “whitelist” of “popular and reputable service providers, search engines and other platforms” which interact with LinkedIn under less severe security measures than other third parties. The manipulation allowed the hackers to send requests to LinkedIn servers.
“The whitelisted partner activity addressed in our complaint is over and cannot reoccur, and we will continue to take whatever action is required to protect our members going forward,” LinkedIn’s legal team said.
Although the identity of the attackers is unknown to LinkedIn — they’re referred to as “John Does” in the filing — the lawsuit is intended to smoke out who they are by enabling LinkedIn to compel internet providers and networks to disclose their identities. LinkedIn said in the complaint that it had tracked internet providers, internet networks and IP addresses it believes are associated with the attack.
Fake profiles the company identified have been disabled, the complaint said.
SiliconBeat asked LinkedIn how successful it had been in reducing the botnet data theft. The firm referred SiliconBeat to the complaint, which it said “lays out all the specifics.”
“We feel we have a responsibility to protect the control that our members have over the information they put on LinkedIn,” company spokeswoman May Chow said.