New Report: Unknown Data Scraper Breach

We have previously published reports on several data breaches that exposed personal data. One of the cases featured a MongoDB database that contained a large amount of scraped LinkedIn data, first identified as open to public access on October 5th.
As of today, the number of records related to that breach has increased as more similar data has since appeared online.

YOU’VE BEEN SCRAPED

In total, we can confirm there are now 66,147,856 unique records exposed in what seems to be different “chapters” of the same huge collection of data which include:

• A person’s full name, personal or professional email, person’s location details, skills, employment history – presumably, all taken from their LinkedIn profile.

The three-part database was hosted on different IPs and was exposed due to the lack of authentication in the case of the MongoDB instance.
We could not identify the owner of the MongoDB hosted database due to the lack of recognizable patterns in the dataset structure, however, data is now uploaded to the HaveIBeenPwnd system, so you can check whether your profile has been scrapped.
It did not contain any sensitive personal data such as credit card details or passwords but they did contain a lot of private information like an individual’s professional background, name, phone number, email address, address, and even their IP.
Read more: https://wp.hacken.io/research/industry-news-and-insights/how-sensitive-is-your-non-sensitive-data

Is Web Scraping Legal or Not?

To cut a long story short, data scraping without first obtaining the prior individual’s written consent or regarding the Terms of Service is illegal. However, it’s not that simple and the answer to this question can vary from case to case depending on how the extracted data will be used. It’s also important to consider how the information was obtained, i.e was it obtained manually or by using various software programmes. Since the data displayed on websites is meant for public consumption, it is legal to copy the information to a file on your personal computer. However, if that information is used in any way that goes against the best interests of the owner, then it is totally illegal.

How Not to Be Scraped: Basic Steps

Data scraping is an easy way to steal confidential data from web pages that have not taken the necessary steps to ensure sensitive data protection. There are things all of us can do to ensure our private information won’t be stolen by cybercriminals or scammers. Here are some of them:

• Try to provide only the bare minimum of required information when creating a new profile or account online.
• Analyze whether the data you plan on making public can be used to harm you in any way.
• Use different email addresses and passwords for your bank account than you do for your social network accounts.
• Consider any other private information you’ve already shared online and whether this information combined with the one you are making public now could be potentially risky.
• Always read the Terms of Service before you agree to them, checking what kind of your private information you agree to share with other websites or applications.
• Contact the website’s support to ensure that their sensitive data storage is reliable.

What is the GDPR?

When you hear the term ‘personal data’ then the GDPR or General Data Protection Regulation applies immediately. Enforced from 25th May 2018, the law provides data protection and privacy for all individuals within the European Union and European Economic Area as well as their confidential data exported outside these areas. It means that gathering, processing, selling and buying the private information of citizens from those areas is illegal without their prior written consent. However, the GDPR can also apply if a business is operating in the USA if it uses private information of European Union citizens.
Non-compliance and exposure of the GDPR sensitive data (name, address, phone number, email address, IP, job title, cookies etc.) can lead to significant fines of up to 20 million euros.

Conclusion

In conclusion, many aspects of our lives are now connected through the internet including social networks, cloud services, bank accounts, emails, online shops, etc. This means that a lot of your confidential information is potentially at risk. You may consider data such as email addresses, phone numbers or IP addresses to be less important and of lower risk than credit card details but when you think objectively about what your emails contain, the reality is that we often keep all our info in one place.
When you scan through your emails you will often see that they actually contain a lot of sensitive personal data such as contacts, tax forms, invoices, photos, reset passwords for every one of your accounts or even credit card PINs! We are often unaware that a malicious actor can easily gain access to all that. data and take advantage of it just by hacking an email address. Cybercriminals can use that private information to steal your identity and make financial transactions in your name, including taking out loans and opening bank accounts etc. By getting access to your calendar, planner or travel itinerary it gives them the inside knowledge of when your house might be empty, so they can break in or potentially do something even worse.
Don’t let the idea that this only happens to celebrities or important CEO’s mislead you, the reality is that one in four email accounts get hacked. With all that said, do you still think that your non-sensitive data is that non-sensitive?

How Hacken can Help

At Hacken, we take security extremely seriously and security checks are performed according to the highest standards. If you have any questions about the topic or need a consultation, feel free to learn more about the services Hacken offers and contact our team!