ricardo81 · 4 years ago
Not surprising really.

A few years back Hotmail/Outlook were returning people's Twitter/LinkedIn handles for emails sent/received. It had been noticed you could scrape that fairly easily at scale. With one email account you could check up to 30000 email addresses before being flagged by Outlook.

Slightly longer ago you could simply iterate 1...n on LinkedIn URLs to find someone's profile, by converting the number to base12, you'd be redirected to the person's public URL.

Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.

Facebook, Twitter and LinkedIn are all bad in that regard on the last method, though Facebook at least do not return people's URLs along with your contact upload (you're expected to know the person's face/name to decide whether you'd want to connect). The takeaway is that once you sign up, whatever information you put on your profile/account is pretty much available to anyone who wants it enough - and clearly there are plenty of bad actors who want it. Obviously these social networks want to expand their network, but they also make it much easier to harvest data at unprecedented scale.
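The abuse described in the comment above (upload a leaked email list as "contacts", read back which addresses resolve to profiles) is a design problem, not a bug in any one endpoint. The following is an added illustration, not LinkedIn's, Facebook's or Twitter's code, of the two controls a matching endpoint needs to blunt it: a per-uploader daily budget of distinct addresses looked up (charged whether or not they match, so splitting a leak into many small uploads does not help), and a per-member "discoverable by email" flag that defaults to off. The budget size, the flag name and the peppered-hash index are all assumptions.

```python
"""Contact matching with a lookup budget and opt-in discoverability.

Added illustration; not any real site's code. The budget size, the
`discoverable_by_email` flag and the keyed-hash index are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Member:
    handle: str
    email: str
    discoverable_by_email: bool = False  # assumed default: not discoverable


class BudgetExceeded(Exception):
    """Raised when an uploader would exceed their daily lookup budget."""


@dataclass
class ContactMatcher:
    members: list[Member]
    daily_budget: int = 500             # assumed per-uploader limit per day
    pepper: bytes = b"server-side-key"  # assumed secret; index is not a plaintext email list
    _index: dict[str, Member] = field(default_factory=dict, init=False, repr=False)
    _used: dict[str, int] = field(default_factory=dict, init=False, repr=False)

    def __post_init__(self) -> None:
        # Only opted-in members are ever placed in the lookup index, so a
        # leaked address of someone who never opted in resolves to nothing.
        for m in self.members:
            if m.discoverable_by_email:
                self._index[self._key(m.email)] = m

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    def _key(self, email: str) -> str:
        # Keyed hash of the normalised address (HMAC-SHA256 with a server-side pepper).
        return hmac.new(self.pepper, self._normalise(email).encode(), hashlib.sha256).hexdigest()

    def lookups_used(self, uploader: str) -> int:
        return self._used.get(uploader, 0)

    def match(self, uploader: str, contacts: list[str]) -> list[str]:
        """Return handles of opted-in members among `contacts`, charging the budget first.

        The budget counts distinct addresses *looked up*, not uploads and not
        hits, so chunking a leak into small batches gains the uploader nothing.
        """
        unique = {self._normalise(c) for c in contacts if c.strip()}
        used = self.lookups_used(uploader)
        if used + len(unique) > self.daily_budget:
            # Refuse the whole batch rather than answer part of it; a refused batch is not charged.
            raise BudgetExceeded(
                f"{uploader}: {used} used + {len(unique)} requested > {self.daily_budget}"
            )
        self._used[uploader] = used + len(unique)

        found: list[str] = []
        for email in unique:
            member = self._index.get(self._key(email))
            if member is not None:
                found.append(member.handle)
        return sorted(found)
```

The budget is the important half: a discoverability flag alone still lets an attacker enumerate everyone who left it on, so the endpoint has to make each distinct address cost something regardless of whether it matches. A real deployment would keep the budget in shared storage keyed by account and by client IP/device as well, since a harvester will spread the work over many throwaway accounts.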

Zenst · 4 years ago
> Also their bulk contact upload. Take any data leak of email addresses, bulk upload them as contacts and then correlate email addresses to social profiles.

This is one of those functionality aspects all these social/networking sites fall foul of one way or another, be it email or phone number relational suggestions. That and the aspect of this scraping of phone numbers or emails - even with the user's permission, kinda moots the owner of those email and phone details. But it does seem that once you give anybody your email or phone number, it kinda one way or another falls into the public domain level of privacy. Heck, how many contact details via email or phone numbers do these sites hold on people who never even held an account with them?

It would be nice if the law and data privacy had some global standards, as this region/country by country aspect does nobody any good, and in a world in which taxation works with the same model, do we really want to let data protection end up with data havens in much the same way as tax does?

ricardo81 · 4 years ago
Agreed. One of the poorer aspects of those 'functionalities' is that friends of friends' details get added, i.e. sharing your phone contacts or email contacts. There are people not on those networks that have a definite amount of information about them on there anyway.
Abishek_Muthian · 4 years ago
From OP,

> He claims the data was obtained by exploiting the LinkedIn API to harvest information that people upload to the site.

> our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.

If the attacker is telling the truth, then somehow the attacker has gained access to a privileged API of LinkedIn which gives out more fields than those listed in the official LinkedIn API doc[1].

If LinkedIn is telling the truth, then the source of the breach is most likely one of the many data brokers who have been breached several times in the past[2].

[1] https://docs.microsoft.com/en-us/linkedin/shared/references/...

[2] https://news.ycombinator.com/item?id=21606415

specialist · 4 years ago
FWIW, I've been scrubbing my social profiles. LinkedIn, Yelp, Facebook, etc.

Barest of bones. Removing all connections, photos, posts, personal details. (I know the damage is already done. The aggregators never really delete anything.)

Why not just outright delete my profiles? I'm squatting. To ensure they're not used as socket puppets.

After a beloved coworker passed, their profile got hijacked. Ten years later, I'm still so angry about it that I could just spit.

bb123 · 4 years ago
I’ve been doing the same. The potential downside risk of having LinkedIn/Facebook/Instagram profiles just keeps growing and growing. I’m a complete ghost on the Internet. I have Google alerts set up for my names and email addresses, and I regularly attempt to docs myself to find any leaks. I also can’t understand why anyone in the public eye doesn’t completely sanitise their social media profiles. The number of people brought down by 10 year old stupid tweets is insane.
ebb_earl_co · 4 years ago
I was going to ask if you said "docs" as in "doxxing" [0] but then a quick Wikipedia search got me to the etymology [1] of "doxxing" which comes from "docs" as in "documents"! TIL

[0] https://www.thefreedictionary.com/doxx [1] https://en.wikipedia.org/wiki/Doxing#Etymology

goldenkey · 4 years ago
This. The best way to erase social media is to replace the account with a bunch of BS. Most of these companies are too cheap and Zucker's "move fast" culture probably doesn't involve database record versioning. Also because it's expensive. The old SET _deleted_=1 is pretty much their main ace in the hole to f*k you. Hell, even if they do versioning, just keep filling the profiles with enough noise and they won't be able to filter it all out unless they somehow index and data warehouse your profile from the decrepit old backup. At that point, you are just hoping their schema changes, the logistics, and their bad practices are enough to prevent that from being cost efficient.
MeinBlutIstBlau · 4 years ago
I saw someone on here had a program that went into your profile and rewrote all posts with garbage data before you deleted it. Like for Facebook, Twitter, Discord, etc. That way you know their database is filled with junk data. I'd really like to know what that was again so I could peek at it in case I ever wanted to do that.
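The two comments above are about the same mechanism: a "delete" that is really `SET _deleted_ = 1` leaves the original bytes in the row, and the only client-side counter is to overwrite the content before flipping the flag. The following is an added illustration on a toy SQLite table, not any real site's schema or the tool the commenter is remembering; the column layout, noise length and round count are assumptions. It shows what the application sees versus what anyone with the table (a DBA, a restored backup, a breach dump) sees, under both approaches.

```python
"""Soft delete vs overwrite-then-delete on a toy posts table.

Added illustration; not any real site's schema. `_deleted_` is the
soft-delete flag column from the comment above; everything else (table
layout, noise length, round count) is an assumption.
"""
import secrets
import sqlite3
import string

SCHEMA = """
CREATE TABLE posts (
    id        INTEGER PRIMARY KEY,
    user_id   INTEGER NOT NULL,
    body      TEXT    NOT NULL,
    _deleted_ INTEGER NOT NULL DEFAULT 0   -- soft-delete flag; the row itself is never removed
);
"""


def make_db(posts):
    """Build an in-memory database from (user_id, body) pairs (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO posts (user_id, body) VALUES (?, ?)", posts)
    conn.commit()
    return conn


def soft_delete_user(conn, user_id):
    """What "delete my posts" often does: flip a flag, keep the bytes."""
    conn.execute("UPDATE posts SET _deleted_ = 1 WHERE user_id = ?", (user_id,))
    conn.commit()


def _noise(length=64):
    alphabet = string.ascii_letters + string.digits + " "
    return "".join(secrets.choice(alphabet) for _ in range(length))


def overwrite_then_delete(conn, user_id, rounds=3):
    """Replace each post body with random text, several times, then soft delete.

    Extra rounds only matter if the store keeps row history; against a plain
    UPDATE-in-place table one round is enough, and against backups, replicas
    or scrapes taken before the overwrite none of this helps at all.
    """
    ids = [r[0] for r in conn.execute("SELECT id FROM posts WHERE user_id = ?", (user_id,))]
    for _ in range(rounds):
        for post_id in ids:
            conn.execute("UPDATE posts SET body = ? WHERE id = ?", (_noise(), post_id))
    conn.commit()
    soft_delete_user(conn, user_id)


def visible_bodies(conn, user_id):
    """What the application shows: rows with the flag set are filtered out."""
    rows = conn.execute(
        "SELECT body FROM posts WHERE user_id = ? AND _deleted_ = 0 ORDER BY id", (user_id,)
    )
    return [r[0] for r in rows]


def stored_bodies(conn, user_id):
    """What a DBA, a restored backup or a breach dump sees: the flag is ignored."""
    rows = conn.execute("SELECT body FROM posts WHERE user_id = ? ORDER BY id", (user_id,))
    return [r[0] for r in rows]
```

The limit of the overwrite approach is visible in the code: it only touches the live table. Point-in-time backups, replicas, search indexes, caches and any aggregator that scraped the profile earlier still hold the originals, which is the "damage is already done" point made further up the thread.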
xpe · 4 years ago
> To ensure they're not used as socket puppets.

sock puppets :)

Done much network programming lately?

scrollaway · 4 years ago
Socket pups sounds like such a lovely alternative to sockpuppets.
jamal-kumar · 4 years ago
I had someone do that to me when I've been -still alive-... just posting the weirdest shit right on other people's pages after adding a bunch of my friends for a cheap laugh.

It was literally just some idiot binging on drugs who thought it was really funny until I ran over to his place and kicked his door in. I had people ask me what the hell that was about for YEARS afterwards. How do you explain to all these people at parties or whatever that you just happen to know stupider people than they do?

fnordfnordfnord · 4 years ago
> I'm squatting. To ensure they're not used as socket puppets.

Good idea. I've noticed more of those popping up. My wife has an Instagram impersonator that constantly spams some kind of essential oils crap or other beauty product snake oil.

ravenstine · 4 years ago
I would do this, but my data has been up in social media long enough that I don't believe it makes a significant difference if I superficially "delete" it now. Maybe I'm wrong?

At this point, I just don't add anything new. If they're going to host my content ad infinitum, I might as well use their storage space and bandwidth.

I guess it probably would be worth ditching LinkedIn. There's no good reason why a [worthwhile] prospective employer would require it.

nickstinemates · 4 years ago
The best time was not to do it in the first place. The second best time is now.

Your past self, current self, and your future self are different people. Don't give in to sunk cost fallacy here.

willis936 · 4 years ago
>The aggregators never really delete anything.

Sort of. Data that is 5+ years old is pretty stale. How many things don't change over that period of time and how can you be sure that they haven't changed? The most valuable things are phone numbers and email addresses. We expect those to be maintained so we can re-establish contact with old friends.

chrisjc · 4 years ago
Same, but also adding a lot of fake data. Then again, they're probably smart enough to figure out what is real.
dylan604 · 4 years ago
But if you made it a thing to daily post fake things so that the activity looks normal, can you eventually convince the social overlords you are someone else?

Relocate yourself to another city/state/country in your profile. Daily make posts about things occurring in that new location. Make those posts in sync with local time. Of course using a VPN endpoint that correlates.

mhuffman · 4 years ago
I am surprised there is not a service for this!
AugurCognito · 4 years ago
Check out Redact(https://redact.dev/).
slt2021 · 4 years ago
this is the right approach
throwawaysea · 4 years ago
How do you scrub your Facebook profile? There aren’t good tools for it. Facebook itself only lets you do it one post at a time in their activity log. Their constant design changes have broken extensions that used to help you do it (https://chrome.google.com/webstore/detail/social-book-post-m...)
nzealand · 4 years ago
This hack includes inferred salary, facebook username, mobile number, geo location...

None of this is publicly available.

None of this can even be downloaded by myself when I get a copy of all my data from linkedin...

https://www.linkedin.com/help/linkedin/answer/50191/download...

So I have no idea what information about myself was leaked in this hack

Abishek_Muthian · 4 years ago
> None of this is publicly available.

I received message on WhatsApp from someone claiming to be my LinkedIn contact, I asked how that person got my mobile number and was told my number is visible on my profile.

I didn't remember ever adding my number there, so I dug around to find that LinkedIn published my phone number to all my contacts when I uploaded it for 2FA (LinkedIn didn't have TOTP at that time; you needed to have a premium account to prevent it from being shown to contacts). I removed the 2FA until LinkedIn got TOTP.

LinkedIn IMO[1] has received far less scrutiny on its practices and content when compared with other social networks while having disproportionately large influence on professional life.

[1] https://news.ycombinator.com/item?id=27673024

nojito · 4 years ago
Inferred salary is from salary estimates based on job titles. It isn’t tied to your personal data IIRC.

It’s likely that an API endpoint was found and all the data was siphoned off.

nzealand · 4 years ago
The same API that was used in the April breach.

https://restoreprivacy.com/linkedin-data-leak-700-million-us...

Even if you don't consider inferred salary directly tied to you as "personal data," surely you consider geo location personal data?

Also, aren't you even slightly outraged that you can't even download data that has been hacked and released into the wild?

Or outraged by the fact that you can only download data you have given directly to a service provider, but that the service provider will happily tell 3rd parties about your shadow profiles?

rcMgD2BwE72F · 4 years ago
> Inferred salary is from salary estimates based on job titles. It isn’t tied to your personal data IIRC.

How do you know?

https://www.linkedin.com/help/linkedin/answer/4786/source-an...

>When we don’t have member-submitted data, salary insights are inferred using data between similar companies, job titles, location, and other job attributes.

With enough "job attributes", you can easily tie things down to an individual: who worked as <position> at <company> in <city> from <start_date> to <end_date>, doing <job_description> with <colleagues>?

superjan · 4 years ago
Inferred salary would be useful for recruiters, perhaps they used recruiter accounts to scrape it?
prennert · 4 years ago
The biggest issue: you cannot not give them your personal data that they then loose.

Let me contribute with an anecdote from yesterday (slightly off-topic but I promise to get around to it at the end). So just yesterday I needed to create a Microsoft account to try out Teams which is supposedly free. (I have avoided it so far, but my GF has been asked to use it for an interview and we wanted to do a tech test run before). Of course, the UI on the website assumes (!) that you already have a Microsoft account. It will let you create a Teams account that will fail the login if you do not have a Microsoft account and then sends you around in a Byzantine loop without telling you: Look, you need a Microsoft account to use Teams. It looks to me as if it just creates a shallow alias or something without root reference. This is dark patterns all over the place.

Anyway, a bit more on topic, I am of course using my spam email for this account, but then they ask for my phone number. This is really an issue, because except if I get a burner phone, my personal data is linked with an account of a company I do not trust. After witnessing then how bad Teams is almost 1.5 years after everyone is working remotely (wow, their web client does not allow you to share webcam and a window/screen at the same time, while their native client makes it super hard to share content while still seeing the people who you present to), I realised

1. How privileged I am not having to use Microsoft products (need to remember to charge extra whenever someone asks me to do a job that involves Microsoft products)

2. How anti-competitive Microsoft still is (you cannot login to Teams, MS web auth, in Chromium incognito mode, and it needs a ton of cookie domains whitelisted, even then it does not work)

3. How (and this is not Microsoft specific) difficult it is to not hand over personal data to companies that provide a utility-like service that they pretend is free (so everybody can pretend they are inclusive when they use these services)

4. And then literally a day later it turns out I am not paranoid not trusting Microsoft (and I guess other companies, big or small) with my data, because they are going to loose it sooner or later.

Edit: I just logged back into this MS account. They don't even use the phone number as "2FA". They only send you a text when you register, not for subsequent logins. It looks to me as if they just collect it to make sure they really have some personal data to loose..

jolmg · 4 years ago
I wouldn't do this if it were just a typo, but since you did it multiple times, I thought I should inform you that you mean "lose", not "loose".
mr_toad · 4 years ago
Microsoft authentication is terrible. It breaks at random times with misleading error messages (telling you that TFA failed, for example, when in fact one of their servers is down). Sometimes it just times out or goes into a loop until you close the page or clear cookies. And authentication for Teams on Safari doesn’t work at all, even though the rest of Office works fine.
canadaduane · 4 years ago
The generous interpretation is that they need a way to give people something free while avoiding giving bots/spammers something free. You could point to CAPTCHA as a way to do this anonymously, but as far as I can tell, CAPTCHA has largely been broken by successful machine learning algos (most of the web scraping services I have seen offer "free CAPTCHA defeat" as a perk of buying their service).
SavageBeast · 4 years ago
I'm curious enough to ask the question - having read the article and seen what data was leaked - isn't this "leaked data" the very same data that LinkedIn is selling to users as part of its Premium offering?
spsful · 4 years ago
IMO it seems to be exactly the same thing.. LinkedIn has never made itself out to be respectful of privacy, so I'm really not surprised.
bennyp101 · 4 years ago
Is this on top of the 500M in April?

https://cybernews.com/news/stolen-data-of-500-million-linked...

Or is this a follow on with the rest of the data?

Either way, it's pretty shoddy that they haven't put a stop to it

arp242 · 4 years ago
I think we finally know what that bowl of petunias meant with "oh no, not again".
keville · 4 years ago
(That bit is explained in Life, the Universe and Everything)
Sebb767 · 4 years ago
> making this one of the largest LinkedIn data leaks to date.

one of.

This is insane.

SavageBeast · 4 years ago
Kinda makes you want to transfer all your cloud ops to Azure doesn't it.
HatchedLake721 · 4 years ago
Nice try Satya Nadella
neya · 4 years ago
Many of you may not know, But most recently, even Domino's Pizza (India) had a breach and they kept denying it ever happened until the hackers finally made a search engine where anyone could search through the entire database. And Domino's finally released some statement in some obscure part of their website. NONE of the users who were affected were notified directly. Many even don't know that this happened. What's worse is the data contained your precise house location and location data in general with co-ordinates. So, the hackers know your phone, your address, where you live, where you go to, been to and how much you're actually worth. It has been claimed financial data (credit cards) were stolen as well, but Domino's denies it till date and of course no one should trust them, given their history.

So, in essence, this LinkedIn breach is also the same to me. Companies literally make you an attack target for hackers and don't even bother telling you. I don't know about you guys, I haven't received a single email from LinkedIn about this yet. How can we combat this dangerous behaviour of companies hiding their incompetencies from their customers? I thought of litigation and I almost sued Domino's, but who am I kidding? These cases could go on for years while they keep making people attack targets of hackers. And add to that corruption, and other variables. I don't know of what could be done to such companies. Boycotting helps, but imagine, more than half your customers don't know why the rest are boycotting and that's in your favor.