Have 19.8 million LinkedIn email records just been leaked?

Two databases, containing a total of 19.8 million claimed LinkedIn email records, have just appeared on the dark web Breach Forums site. First reported by @DarkWebInformer on X/Twitter, the threat actor, USDoD, said that the leaked records included LinkedIn profile data, telephone numbers and other ‘confidential’ information.

Initially, a database of some 5.8 million email records was leaked, followed by a further 14 million soon after. However, this does not mean that LinkedIn has suffered a data breach.

Indeed, a LinkedIn spokesperson told TechFinitive: “This is not a LinkedIn data breach, but we are looking into it as a part of our effort to keep the information our members choose to share on our platform from being used in ways they did not agree to.”

LinkedIn emails faked

In other words, this is a data scraping incident. But that’s not even the half of it. The LinkedIn leak saga gets really interesting following an analysis by Have I Been Pwned creator Troy Hunt.

Rather than something created by the exploitation of a vulnerability, the current leak is scraped data, obtained by what Hunt refers to as “an unauthorised party in a fashion in which it was not intended to be made available”. Something Hunt, by the way, does still consider a breach. Or would do if the data were accurate.

However, Hunt determined that the dataset consisted of email addresses that were “mostly fabricated from a combination of first and last name” along with that publicly available profile data. This ties in with the LinkedIn statement of this not being a breach in the commonly accepted sense of the word.

Hunt was able to determine that millions of the email addresses listed, for example, followed a pattern of having the same alias on unrelated domains and following the same first name, last name format. Someone had gone to a lot of trouble to fake email addresses using legitimate names and legitimate organisations.
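For anyone triaging a similar dump, the pattern described above can be measured directly. The following is an added example, not Hunt's method or tooling: it counts addresses whose alias is exactly first.last built from the profile name and lists aliases repeated across several domains. The field names, the sample rows and the three-domain threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample rows (not from the leaked data); .example domains are reserved.
SAMPLE = [
    {"first": "Alice", "last": "Nguyen", "email": "alice.nguyen@corp-a.example"},
    {"first": "Alice", "last": "Nguyen", "email": "alice.nguyen@corp-b.example"},
    {"first": "Alice", "last": "Nguyen", "email": "Alice.Nguyen@corp-c.example"},
    {"first": "Bob", "last": "Ortiz", "email": "bortiz77@mail.example"},
    {"first": "Carol", "last": "Diaz", "email": "carol.diaz@corp-a.example"},
    {"first": "Dan", "last": "Reed", "email": "not-an-address"},
]

def split_email(email):
    """Return (alias, domain) lower-cased, or None for malformed input."""
    alias, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not alias or "." not in domain:
        return None
    return alias, domain

def name_derived(first, last, alias):
    """True when the alias is exactly first.last built from the profile name."""
    norm = lambda s: "".join(ch for ch in s.lower() if ch.isalnum())
    return alias == f"{norm(first)}.{norm(last)}"

def analyse(records, min_domains=3):
    """Summarise how much of a dataset matches the fabricated-address pattern."""
    domains_by_alias = defaultdict(set)
    valid = derived = 0
    for rec in records:
        parts = split_email(rec["email"])
        if parts is None:
            continue  # malformed rows are skipped, not counted
        alias, domain = parts
        valid += 1
        if name_derived(rec["first"], rec["last"], alias):
            derived += 1
            domains_by_alias[alias].add(domain)
    # min_domains is an assumed threshold for "same alias on unrelated domains"
    reused = {a: sorted(d) for a, d in domains_by_alias.items() if len(d) >= min_domains}
    return {"valid": valid, "name_derived": derived,
            "derived_ratio": derived / valid if valid else 0.0, "reused_aliases": reused}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A high ratio is a signal rather than proof, since first.last is also a common genuine corporate format; the reused-alias list is the stronger indicator.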

Genuine threat

Hunt concludes that the dataset is likely an “aggregation of multiple sources” rather than simply being scraped from LinkedIn. All that said, there are genuine addresses in here, of genuine folk at genuine companies.

What the point of compiling this dataset was is harder to determine. The threat actor, USDoD, is not in need of clout. After all, this is the same person who took responsibility for publishing personal details of tens of thousands of FBI InfraGard members in 2022. There were no passwords in the LinkedIn dataset, and USDoD wasn’t looking to sell the information as the databases were published in full.

LinkedIn, meanwhile, continues to fight against unauthorised data scrapers and referred TechFinitive to a statement from last year when the network won a legal battle to stop one company from scraping member profile data in violation of the User Agreement.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.