Information belonging to more than 66 million individuals was discovered in an unprotected database, within reach of anyone who knew where to look on the web. The records look like data scraped from LinkedIn profiles.
The cache includes personal details that can identify users and could help adversaries create phishing attacks that are more difficult to recognize.
According to Bob Diachenko, Director of Cyber Risk Research at Hacken, the trove was exposed via a MongoDB instance that could be accessed without authentication.
He found 66,147,856 unique records containing full name, personal or professional email address, the user’s location details, skills, phone number, and employment history. A link to the individual’s LinkedIn profile was also present.
The nature of these details, together with the absence of sensitive information such as payment card data or passwords, leads Diachenko to assume that the data was scraped from publicly available LinkedIn profiles.
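The exposure described above came down to a MongoDB instance that accepted connections without credentials. As an added example (not code from the article or from the researcher), here are two mongod.conf fragments, the weak shape that produces such an exposure beside its hardened form; the port, the internal address and the placeholder values are assumptions for illustration:

```yaml
# Added example, not from the article or from Hacken/Diachenko.
# Two mongod.conf fragments separated by a YAML document marker:
# the first is the kind of configuration behind an unauthenticated
# exposure, the second is the hardened form.

# --- WEAK: listens on every interface with no access control ---
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from anywhere the host is reachable
security:
  authorization: disabled  # any client can list and dump every collection

---
# --- HARDENED: loopback plus one internal interface, auth required ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is a placeholder internal address
security:
  authorization: enabled       # clients must authenticate; roles limit access
```

With authorization enabled, create the first administrative user from localhost (MongoDB's localhost exception allows this) before the port is reachable from anywhere else; afterwards an unauthenticated `listDatabases` command should be refused rather than return database names.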
Initially, the collection was smaller
The researcher initially noticed the collection in October, in a repository called “database” that contained 49 million records. This was part of a larger discovery that saw over 120 million records exposed.
Apart from what appear to be LinkedIn profile details, there were two other databases. One was managed by a company in Florida and held 22 million records that included the email addresses, names, and the area where candidates sought a job. The other collection had 48 million entries with names, work email addresses, phone numbers, and employee details.
In a conversation with BleepingComputer, Diachenko says that these MongoDB instances shared various fragments of a common dataset and emerged online between October and late November.
Check if your details were exposed
He was unable to determine the owner of the database but says that it is no longer online at the moment. This does not exclude the possibility of it popping up on the web again, though.
The scraped data has been uploaded to the HaveIBeenPwned service, which allows users to check whether their personal information has been exposed.
Regarding the legality of web scraping for personal data, Diachenko says that it is legal to copy what is publicly available but it should not be used against the best interests of the owner, which is considered an offense.
“Since the data displayed on websites is meant for public consumption, it is legal to copy the information to a file on your personal computer. However, if that information is used in any way that goes against the best interests of the owner, then it is totally illegal,” he explains.
Because of the risk that personal data may be used against you, the researcher recommends sharing only the “bare minimum” when creating an online profile or account.