Sun. Nov 28th, 2021
LinkedIn: user data records still available, API abuse denied

An offer to sell data on more than 700 million LinkedIn users, and thus almost all users of the platform, which has been listed in a hacker forum since the beginning of last week, is still active. heise Security confirmed this by contacting the seller "Tom Liner" today, Wednesday: for 5000 US dollars as a basis for negotiation, he is still offering information about LinkedIn users, not all of which is publicly available on the user profiles.

In an official statement, LinkedIn has denied a leak in the classical sense as well as possible vulnerabilities in a LinkedIn API. According to the statement, the data was obtained only through so-called "scraping" of public user profiles. All non-publicly viewable data in the offer is said to come from other sources.

heise Security already published a detailed report on the incident yesterday (Tuesday). Among other things, we examined a "sample" published by Tom Liner in this context, containing over 400 user records. These included full names, email and postal addresses, location data, phone numbers, LinkedIn usernames and profile URLs, as well as information on the gender, personal and professional history and other social media accounts of the respective users.

The seller (or a bot standing in for him) also grants discounts if required.

Official statements: No data leak, no API access

Shortly after the first announcement was made, LinkedIn issued a statement in German saying that the data included in Tom Liner's offer that is not public on LinkedIn does not come from the platform but from other sources. Today, Wednesday, a LinkedIn spokesperson reiterated to heise Security that this was not a data leak (at least not at LinkedIn), but rather "an accumulation of data from numerous sources, including some data tapped from LinkedIn". He also referenced a publicly available English-language LinkedIn statement.

Tom Liner had claimed to the team of the platform "RestorePrivacy" that he had improperly tapped into a LinkedIn API to crawl for data uploaded by users of the network. This could not be the case, the LinkedIn spokesperson stressed when asked: "LinkedIn does not have an API that could provide all of these types of data. We verified through sample analysis that several specific fields such as phone number, gender, derived salary and physical address in this dataset did not originate from LinkedIn."
