IFSM 304 Week 4 Discussion
In 2021, LinkedIn was in the spotlight for allowing 700M people who use their service to be victims of a data breach (Braue, 2021). This data breach led to these people having their phone numbers, physical addresses, geolocation data, and inferred salaries exposed. This attack was not much of an attack at all, but rather an abuse of policies set in place by the company. Before we dive into how to fix the problem, let us look at the problem itself and define a few things. This data was collected by web scraping, which is the process of using an automated program to look for various information on a website and compose it into a file. The program uses an API, or application programming interface, which is a tool used for communication between pieces of software. The "attackers" used a combination of these tools to parse LinkedIn.com and pull all of the users' data.
You would think that there are policies and protections in place to prevent things like this from happening, and there are. Typically, software like CAPTCHA stops programs from scraping information like this. Using insecurities within the APIs, the scraping program was able to overcome that challenge. Companies often share information with each other, and this is where the problem lies. The scraper essentially pretended to be a part of the information-sharing channel and was able to parse the data. To stop this in the future, LinkedIn can receive more secure APIs from the API provider.
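A defender-side check that follows from the discussion above, as an added example that is not part of the post and not LinkedIn's own code: it reads constructed API access log lines (the log format, client names and the /v2/people/ endpoint are assumptions) and flags any API client that fetches more distinct profiles inside a short window than a human-paced user would, which is the signature of automated scraping rather than normal information sharing.

```python
"""Flag profile-enumeration scraping in API access logs (added example)."""
from collections import defaultdict, deque

# Constructed sample log: "<unix_ts> <client_id> <endpoint> <http_status>".
# app-partner-42 walks through six different profiles in six seconds;
# mobile-user-7 looks at two profiles over 100 seconds (normal behaviour).
SAMPLE_LOG = """\
1000 app-partner-42 /v2/people/alice 200
1001 app-partner-42 /v2/people/bob 200
1002 app-partner-42 /v2/people/carol 200
1003 app-partner-42 /v2/people/dave 200
1004 app-partner-42 /v2/people/erin 200
1005 app-partner-42 /v2/people/frank 200
1000 mobile-user-7 /v2/people/alice 200
1050 mobile-user-7 /v2/people/alice 200
1100 mobile-user-7 /v2/people/bob 200
"""

def parse_line(line):
    ts, client, path, status = line.split()
    return int(ts), client, path, int(status)

def find_scrapers(log_text, window_s=60, max_distinct=5):
    """Return {client: peak distinct-profile count} for every client that
    successfully requests more than `max_distinct` distinct profile paths
    within any `window_s`-second sliding window."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    windows = defaultdict(deque)                      # client -> (ts, path)
    counts = defaultdict(lambda: defaultdict(int))    # client -> path -> hits
    flagged = {}
    for ts, client, path, status in events:
        if not path.startswith("/v2/people/") or status != 200:
            continue                                  # only successful profile reads
        q = windows[client]
        q.append((ts, path))
        counts[client][path] += 1
        while q and ts - q[0][0] > window_s:          # drop events outside the window
            old_ts, old_path = q.popleft()
            counts[client][old_path] -= 1
            if counts[client][old_path] == 0:
                del counts[client][old_path]
        distinct = len(counts[client])
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_scrapers(SAMPLE_LOG))
```

Raising the window or lowering the distinct-profile threshold trades false positives against missed slow scrapers; the rate a legitimate partner integration actually needs is the right starting point for tuning.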
Reference:
Braue, D. (n.d.). The LinkedIn data breach that wasn't. Information Age. Retrieved February 4, 2024, from https://ia.acs.org.au/article/2021/the-linkedin-data-breach-that-wasn-t.html