LinkedIn data breach
10/2/2023

Isbitski adds, "We see many cases of content scraping attacks against organizations where data that is considered public or limited use suddenly becomes privacy impacting when it is pieced together or represents a significant chunk of the total user base. Attackers use the same APIs that power web and mobile applications to extract the data. They also leverage automation to grab the data at scale and aggregate it, making it useful for other attack techniques such as brute forcing, credential stuffing, phishing, social engineering, and spamming. An attacker does not have explicit authentication material like passwords with this leaked data set, but they may be able to make educated guesses based on the various PII. Email addresses are often used as user names in social media platforms, so an attacker already has one piece of the puzzle for targeting authentication mechanisms."

And, unfortunately, individuals are limited in what they can do here, Isbitski explains. "The usual best practice of closely watching for identity theft and fraudulent transactions applies. Some of us may still have identity monitoring as carryover from other breaches, or you get such service from your bank or credit card company. Scraped data sets have become the norm since we willingly share a lot of information with internet sites and social media platforms already, and this rich data is an attractive target for attackers. The social media platforms do monitor for many types of abuse including content scraping, but stealthy attackers can also gather data slowly over time to avoid detection."

Isbitski suggests individuals check sites like and to verify if their phone number or email address was part of this leaked data set or others.

"Some organizations may opt to advise their employees to reset passwords, enable 2FA, or verify privacy settings for any accounts that were part of the leaked data set. A big deciding factor is whether the leaked data was business or personal use, but with LinkedIn it may be more of the former. An employer is limited in what they can enforce here since each individual is the owner of the account, and they have no oversight over LinkedIn data. Depending on the organization's risk tolerance, it may be advisable to continue monitoring employee consumption of such social media services from corporate networks and/or during business hours. Organizations should also ensure they have an appropriate API security strategy in place to protect their own employee and customer data from content scraping or other targeted attacks."

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), says, "This scraping of data from LinkedIn is a reminder of that incident a few years back, where Facebook had the same problem with Cambridge Analytica. Apparently, it is a bit bigger now for LinkedIn.

"Social media data is not only the 'new oil' for the mentioned giants, it is also gold for any cyber crime gang trying to use the details for phishing campaigns, CEO fraud, identity theft and quite a few other malicious ways, especially as LinkedIn sees itself as a professional network. For those LinkedIn users affected by it, the only option is to tighten their security, to raise the awareness once again (battle the fatigue of employees). Corporations should – if not yet in place – implement the essential technical controls mandated by NIST and CIS now," Schrader says.

"We are long past the time of 'if it will happen', and leaks like this will only shorten the time remaining in which a cybercriminal will attack the organization with a well prepared script," he adds. "The cyber resilience posture of a company will be tested, and the best way to be prepared for that is to be aware of what you have, how you use it and for what, and gain control over any change on the devices you use. Simplified, ring-fencing your digital assets with an extra-large firewall won't protect you. Your business processes depend on digital assets, so you need to be aware of what the critical processes and assets are and have the appropriate protection embedded."
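As an added illustration of the API-side monitoring Isbitski describes (this is not code from the article or from any vendor quoted in it), the Python below scans a constructed access log for a hypothetical profile-lookup API and flags two scraping signatures: a burst of distinct profile IDs inside one minute, and the low-and-slow case where a client walks through consecutive IDs over days. The log format, client names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> client=<id> GET /api/v1/profiles/<pid> <status>"
LINE_RE = re.compile(r"^(\S+) client=(\S+) GET /api/v1/profiles/(\d+) \d{3}$")

def parse(lines):
    """Group (timestamp, profile_id) per client, sorted by time; unmatched lines are skipped."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            per_client[m.group(2)].append((ts, int(m.group(3))))
    return {c: sorted(v) for c, v in per_client.items()}

def scraping_suspects(lines, burst_distinct=5, burst_window=timedelta(minutes=1),
                      slow_distinct=20, slow_span=timedelta(days=1), seq_ratio=0.8):
    """Return {client: [reasons]} for clients whose pattern looks like profile enumeration."""
    suspects = {}
    for client, hits in parse(lines).items():
        reasons = []
        # Bulk scraper: many distinct profiles inside one short sliding window.
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > burst_window:
                start += 1
            if len({pid for _, pid in hits[start:end + 1]}) >= burst_distinct:
                reasons.append("burst enumeration")
                break
        # Low and slow: per-minute rate looks harmless, but over a long span the client
        # touches far more profiles than a person would, and the IDs are consecutive.
        ids = sorted({pid for _, pid in hits})
        if len(ids) >= slow_distinct and hits[-1][0] - hits[0][0] >= slow_span:
            steps = [b - a for a, b in zip(ids, ids[1:])]
            if sum(s == 1 for s in steps) / len(steps) >= seq_ratio:
                reasons.append("low-and-slow enumeration")
        if reasons:
            suspects[client] = reasons
    return suspects

# Constructed sample traffic (hypothetical clients and IDs, not real data).
BASE = datetime(2023, 10, 2, 9, 0, 0)
def _line(ts, client, pid):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} client={client} GET /api/v1/profiles/{pid} 200"

SAMPLE_LOG = (
    [_line(BASE + timedelta(minutes=7 * i), "mobile-app", p) for i, p in enumerate([10455, 10455, 88213, 42019])]
    + [_line(BASE + timedelta(seconds=8 * i), "key-a91c", 20000 + i) for i in range(6)]   # 6 IDs in 40 s
    + [_line(BASE + timedelta(hours=2 * i), "key-b77e", 30000 + i) for i in range(24)]    # 1 ID every 2 h, 2 days
)
```

Running `scraping_suspects(SAMPLE_LOG)` flags `key-a91c` for the burst and `key-b77e` for the slow walk, while the ordinary `mobile-app` traffic is left alone.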