In early April, reports revealed that 500M LinkedIn users’ account information was found for sale on a popular hacker marketplace website on the Dark Web. The Dark Web represents a large part of the Internet where cybercriminals can use cryptocurrency to purchase stolen data, company passwords, CEO email credentials, and other information. Cyber threat actors use this illegally obtained information and data to launch hacks, ransomware, email scams, and other cyber attacks. This particular LinkedIn haul includes business emails, business phone numbers, names, company roles, and other professional information. This time, no passwords are thought to be part of the leak.
The same anonymous and untraceable entity who purchased these profiles reportedly bought another 300M+ LinkedIn profiles available for sale on another site.
How Did LinkedIn Get Hacked?
According to the LinkedIn spokesperson, the company determined that the data available online results from a “Scrape” rather than a “Hack”. What’s the difference?
With a hack, a hacker typically uses tools, tricks, or an inside person to gain access to a company’s database. Once inside, they can download private information.
In a scrape, by contrast, a person uses a tool known as a scraper to collect the publicly available information they want from the site and compile it into a database. This may seem “less criminal” because the information is publicly available. However, it is against LinkedIn’s ToS policy, and people do this to use the information against the company.
What Are the Risks to You / Your Company?
This is not a harmless act. Criminals use information like this to conduct:
- Phishing Scams — They send you or your employee an email that looks legit but tricks the receiver into downloading a malicious file (maybe ransomware) or revealing a password for their email, Microsoft 365, LinkedIn, Constant Contact, SalesForce or a similar account. They often do this by spoofing the website, so it looks like you’re entering your password on a trusted site. This is a “hack”.
- Business Email Scams (Business Email Compromise, or BEC) — If they can successfully steal your email password, they can start sending emails out from your account, pretending to be you. They could then convince one of your biggest customers to re-route their payments to the criminal’s account. Or they could trick your bookkeeper into paying a bogus bill that really lines the criminals’ pockets.
- Fake Recruiter Scams — This scam has been growing in popularity recently. A person appropriates your name, job role, and other information to trick a job seeker into applying for a job with your company. Except they’re not applying for a job. Instead, they’re providing their Social Security number to the criminal under the pretense that it’s for tax purposes. The criminal will then use it to cause financial harm.
- Robocalling – Yes, some will use it for old-school purposes. Last month the FTC fined a Texas company $225 million for relentlessly robocalling people, including those on the Do Not Call List.
- Spam Email and Spam Texts – Always annoying!
- Number Spoofing – Scammers and robocallers trick your phone into displaying a number that the call is not actually coming from. This can make it look like a call is coming from your business in order to trick someone. Or you may be more likely to pick up the phone if you recognize the area code.
What Can You Do to Protect Yourself?
Unfortunately, scrapes happen, and there is little companies like LinkedIn can do to stop them. The criminals buy and sell the data in cryptocurrency so as not to leave a paper trail that the FBI can trace.
So the best things you can do are:
- Educate yourself about these kinds of scams so you don’t fall for one
- Educate your employees to help them spot a possible scam
- Have a good spam filter
- Change your LinkedIn password by going to LinkedIn directly, not through email, since the email could be fake.
- Be wary of any messages coming from people on LinkedIn
- Set up two-step verification on your accounts
- Never mix personal passwords with business ones, and ideally use a trustworthy password manager so you never have to reuse passwords and can create stronger ones
- Find out if your information is for sale online. Scraper technology can also be used for good, like helping cybersecurity professionals scour these disreputable sites to find out whose information is available for sale. If you know what’s out there, you can better protect yourself. This is called Dark Web monitoring.
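The advice to reach LinkedIn directly rather than through an emailed link is easier to follow when the mismatch is made visible. As an added example (not from the original post), the Python below pulls every link out of a message’s HTML and flags the two patterns a spoofed password-reset email relies on: link text that shows one host while the href goes somewhere else, and a destination that merely contains “linkedin” (or is described as LinkedIn) without being linkedin.com itself. The sample message is constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from every <a> tag in the message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Lower-cased hostname; link text written without a scheme is treated as https.
    return (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, reason) for each link in the HTML that should not be trusted."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        # Genuine means linkedin.com or a subdomain of it; "linkedin.com.evil.example" is not.
        genuine = target == "linkedin.com" or target.endswith(".linkedin.com")
        # Visible text that looks like a URL must name the same host as the real destination.
        shown = _host(text) if "." in text and " " not in text else None
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but the link goes to {target}"))
        elif not genuine and ("linkedin" in target or "linkedin" in text.lower()):
            findings.append((href, f"claims to be LinkedIn but goes to {target}"))
    return findings

# Constructed sample: one genuine password-change link, then three phishing-style links.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="https://www.linkedin.com/psettings/change-password">Change your password</a>
<a href="https://linkedin-account-verify.example.net/reset">https://www.linkedin.com/reset</a>
<a href="http://linkedin.com.secure-signin.example/login">Verify now</a>
<a href="https://signin-check.example/x">Sign in to LinkedIn</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` leaves the genuine link alone and returns the three others with a reason each; the same check works on any mail client export that preserves the HTML body.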
Cyber Security from a Dallas / Fort Worth Managed IT Company
Threats like this do exist, and businesses of all sizes become targets. Many businesses don’t have the capacity or funds to hire a full-time IT and cybersecurity service team, but they still need IT and security services. Our Dallas IT company can offer the support you need. Contact us now to learn more.