Published on 28/08/2019 | Written by Jonathan Cotton
With well over half a billion users and nine billion content impressions every month, LinkedIn has certainly got the footprint. So where’s the drama?…
Another day, another report that Facebook, or Twitter, or some other social platform has been breached by hackers, user data lost – or sold – or that someone, somewhere has found some terrible new use for the tech.
But rarely LinkedIn. As far as social media giants go, LinkedIn seems impervious to the type of scandals that dog its less corporate-focused brethren. How is it that Facebook and Twitter are so mired in controversy and LinkedIn so, err, not so?
Well, first off, LinkedIn does have its own particular history of mishandled data, breached privacy and insecurity.
While it took a long time for the full story to come out, many of us still remember the 2012 hack that saw reports of 6.5 million LinkedIn user credentials stolen, followed by the revelation, years later, that the real haul was a dump of roughly 167 million accounts – virtually the entire user base at the time – of which around 117 million came with usable email-and-password pairs.
LinkedIn had stored passwords as unsalted SHA-1 hashes. A salt is a random value added to each password before hashing: it makes identical passwords hash to different values and forces an attacker to run every guess once per account rather than once per leaked database. Without it, a single precomputed table of hashed common passwords cracks every account that used one. Ultimately LinkedIn was forced to invalidate all passwords that hadn’t been changed since 2012.
It was poorly handled: a quarter of a million users did not even receive a breach notification. Russian hackers were ultimately blamed.
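To make the salting point concrete, here is an added example (not LinkedIn’s code, and not from the original article) that builds a small constructed table of users and a constructed attacker wordlist, cracks the unsalted SHA-1 table with a single precomputed lookup, and then repeats the attack against a per-user-salted table hashed with a slow KDF. PBKDF2-HMAC-SHA256 is used here as a stand-in because it ships with the standard library; a real deployment would more likely use bcrypt, scrypt or Argon2. The user names, passwords, wordlist and iteration count are all assumptions of the example.

```python
"""Why unsalted password hashes fail, and what a per-user salt plus a slow KDF changes."""
import hashlib
import hmac
import os

# Constructed sample data for this example (not real LinkedIn records):
# three hypothetical users, two of whom chose the same weak password.
USERS = {
    "alice@example.com": "linkedin2012",
    "bob@example.com": "password1",
    "carol@example.com": "linkedin2012",
}

# Constructed attacker wordlist; a real one holds hundreds of millions of entries.
WORDLIST = ["123456", "password1", "linkedin2012", "letmein"]

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value); raise it as hardware speeds up


def unsalted_sha1(password):
    """The 2012-era scheme: SHA-1 over the bare password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users):
    """Build the kind of table that leaked: user -> unsalted SHA-1 hex digest."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(hashes, wordlist):
    """Precompute one hash per wordlist entry, then crack every user by lookup.

    Cost is len(wordlist) hash computations no matter how many users leaked,
    and users who chose the same password fall together because they share a hash.
    """
    lookup = {unsalted_sha1(w): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def salted_hash(password, salt):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_salted(users):
    """Build a salted table: user -> (salt, digest). Each account gets a fresh salt."""
    stored = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # 128-bit random salt, stored alongside the digest
        stored[user] = (salt, salted_hash(pw, salt))
    return stored


def verify(stored, user, candidate):
    """Check a login attempt; constant-time compare so timing leaks nothing."""
    salt, digest = stored[user]
    return hmac.compare_digest(salted_hash(candidate, salt), digest)


def crack_salted(stored, wordlist):
    """Run the same wordlist attack against the salted table.

    No shared lookup is possible: every guess must be re-hashed under each user's
    own salt, so the work scales with users x wordlist x ITERATIONS rather than
    with the wordlist alone. Weak passwords still fall; the amortisation is gone.
    Returns (cracked, number_of_kdf_calls).
    """
    cracked, work = {}, 0
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    weak = store_unsalted(USERS)
    print("unsalted: alice and carol share a hash:",
          weak["alice@example.com"] == weak["carol@example.com"])
    print("unsalted cracked with", len(WORDLIST), "hashes:", crack_unsalted(weak, WORDLIST))
    strong = store_salted(USERS)
    print("salted: alice and carol share a digest:",
          strong["alice@example.com"][1] == strong["carol@example.com"][1])
    cracked, work = crack_salted(strong, WORDLIST)
    print("salted cracked:", cracked, "using", work, "slow KDF calls")
```

Note what the salted run shows: salting does not rescue a user who picked `password1`, it only stops one precomputed table from cracking the whole database at once, and the slow KDF makes every one of those per-user guesses expensive. That combination is the baseline any password store should meet today.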
“We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply,” said LinkedIn CISO Cory Scott in 2016.
“In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.”
The breach also triggered a (quickly dismissed) US$5 million class-action lawsuit against LinkedIn. The company ended up settling another suit out of court for a reported US$1.25 million.
And while that was the biggest, it’s not the only time LinkedIn security systems have been breached.
In 2017 a number of compromised user accounts, including paid-for premium accounts, started sending phishing messages to their direct contacts (via private message) as well as to external members via email.
The fraudulent messages offered a link to a shared document; the link redirected the user to a Gmail-lookalike phishing site which asked the potential victim to log in. It was a subtle, well-designed attack: after harvesting the credentials the scam even sent victims on to a decoy document on wealth management from Wells Fargo, so nothing looked amiss.
“This kind of attack via social media is not new – we have seen hacked Skype or Facebook accounts send spam – but it reminds us of how much more difficult it is to block malicious activity when it comes from long standing and trusted user accounts, not to mention work acquaintances or relatives,” said Malwarebytes at the time.
“This also makes such attacks more credible to potential victims and can lead to a snowball effect when victims become purveyors of phishing links themselves.”
This year, LinkedIn has reportedly been used by Iranian state-backed hackers who posed, via a LinkedIn profile, as a member of Cambridge University in order to gain victims’ trust and get them to open malicious documents. The phishing campaign was identified and shut down quickly, but it certainly sets a troubling precedent.
“This activity is representative of Iran’s overarching efforts to collect strategic information of relevance to its national interests,” said US cybersecurity firm FireEye.
“With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns.”
And just in July it was discovered – accidentally, by a recruiter – that a loophole in the job-posting flow let him post job openings in the name of companies he wasn’t associated with, and even redirect jobseekers off the site to an external page if he so chose.
Such slip-ups are increasingly a part of the social platform experience, and while the above does look bad on paper, LinkedIn does seem to have far fewer ‘accidents’ than its more socially-focused peers.
And privacy is, of course, built into the system to a far greater degree than at, say, Facebook: imagine Facebook sending you an alert if someone so much as looked at your profile.
And none of this touches on the social differences between Facebook and LinkedIn. The former promises free expression in a range of communities (with little demand for user authentication); on the latter, every post and comment could conceivably be tied to an economic outcome for the user.
LinkedIn practically demands people play nice.
Will the day come when LinkedIn, like its world-dominating brethren Facebook and Twitter, becomes a politically polarised dumpster fire, a hotbed of bad-intentioned disinformation, or a platform with which to livestream atrocities to an unsuspecting public?
It’s anyone’s guess, but I’m guessing not. Unlike Facebook, LinkedIn has a very specific use case – to bring together “the world’s professionals to make them more productive and successful” – and most users would likely prefer that not to change.