Vulnerability in Massive API Scraping: 2021 LinkedIn Data Breach
Brandon M. Gibson, Spencer Townes, Daniel C. Lewis, Suman Bhunia
Abstract
This paper analyzes the data breach of Linkedin in the summer of 2021. An adversary utilized LinkedIn’s overly invasive API in order to scrape a massive amount of personal information data. Connecting this data with other API sources allowed the adversary to create a super-list of data that would be maliciously sold through the internet. The attack exposed 90% of users’ data in LinkedIn and forced the company to re-evaluate its API scheme. This huge amount of data containing personal information enabled other bad actors to launch social engineering attacks on targeted users. In addition to providing the detailed attack methodology, this paper inspects the impact of this breach and outlines possible defense strategies such as proper authentication and authorization, limiting the data scraping, and anomaly detection techniques.