LinkedIn and the iOS-only app Clubhouse have joined Facebook in the headlines over the past week, with reports of members' personal information being leaked.
Beyond sharing space in the cybersecurity headlines, LinkedIn and Clubhouse have joined Facebook in pushing the narrative that the user information was not obtained through a hack but through a data scrape. The push to position these incidents as scrapes appears to serve two purposes: it makes the problem look less severe (and to a point that is true), and in some jurisdictions, classifying the incidents as non-breaches helps the companies avoid the regulatory consequences a breach would trigger.
So what is the difference between the two? And is scraping really as harmless as the platforms imply?
Also referred to as a data leak, a data breach is an incident involving the unauthorized or illegal viewing, access or retrieval of data by an individual, application or service. It is a type of security breach whose purpose is to steal data and/or publish it to an unsecured or illegal location. Breaches can be accidental, but they are more often intentional incidents carried out by attackers looking for private information such as financial records, passwords, Social Security numbers and health information. Some of the largest breaches include Equifax, Capital One and Marriott International.
A data scrape is an incident in which software automatically downloads information that a website already exposes, such as member profile data or even just the site's content. It is essentially an automated browser that collects what any visitor, or any logged-in member, can already see. That "public" data can include names, phone numbers, email addresses, user IDs, locations and linked social accounts, and scraping at scale turns data that was only ever meant to be viewed one profile at a time into a single searchable dataset.
Facebook, LinkedIn and Clubhouse are promoting the position that since only public information from their platforms was collected, technically no private information was accessed illegally, so there is no true breach. While personal information was collected and either sold or dumped on hacker forums, there was no sensitive or private data, and at the end of the day, I'd rather find out my full name and hometown were leaked than my Social Security or credit card number.
Should I Be Concerned?
There is merit to the idea that a data scrape is less severe than a breach of sensitive information, but the idea that a scrape is of no use to attackers is wishful thinking. Attackers make the most of whatever information they can get, including:
Phishing and Spear Phishing
Armed with public information such as names, employers and professional contacts, attackers can craft convincing phishing and spear-phishing campaigns, which are among the most common initial-access techniques behind full-scale data breaches.
Password Guessing
Despite constant reminders to secure passwords, a large portion of end users still do not take strong credentials seriously. While data scrapes do not include passwords, they do include information that helps attackers piece together usernames and likely passwords.
Imagine that John Doe's name and employer are scraped from LinkedIn. In many cases an attacker only needs to look up the company's email address convention online and then try the most commonly used passwords against the resulting address, a few attempts per account so that no lockout fires, to gain access to the company's systems. Neither John Doe's email address nor his password was leaked, but a little ingenuity and an online search can quickly lead to a full-scale breach if his address is [email protected] and his password is 123456 (before you laugh, 123456 was the most common password of 2020).
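The scenario above is password spraying: one or two common passwords tried once against many accounts, which stays under every per-account lockout threshold. The following Python is an added example, not code from the article, showing both halves of it: how a scraped display name plus a known address convention becomes a login guess, and how the resulting attempts look in an authentication log once failures are grouped by source address rather than by account. The names, the example.com domain, the log line format and the log lines themselves are all constructed for the demonstration.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample input: names as a scrape would list them, plus the
# address convention an attacker can learn from one public address.
# example.com is a placeholder domain, not a real target.
SCRAPED_NAMES = ["John Doe", "Jane Q. Smith", "Ana María López"]
EMAIL_FORMAT = "{first}.{last}@example.com"


def candidate_address(full_name, fmt=EMAIL_FORMAT):
    """Turn a scraped display name into the most likely corporate login.

    This is the whole "ingenuity" step: first and last token of the name,
    accents stripped, lower-cased, dropped into the known address format.
    Returns None when the name has fewer than two tokens.
    """
    folded = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    parts = [p for p in re.split(r"\s+", folded.strip()) if p]
    if len(parts) < 2:
        return None
    return fmt.format(first=parts[0].lower(), last=parts[-1].lower())


# Constructed authentication log in a hypothetical "timestamp user source result"
# format. 203.0.113.7 sprays one password across many accounts (one attempt
# each, under any lockout threshold) and eventually lands a login;
# 198.51.100.5 hammers a single account, which is brute force, not spraying.
AUTH_LOG = """\
2021-04-12T09:00:01 john.doe 203.0.113.7 FAIL
2021-04-12T09:00:02 jane.smith 203.0.113.7 FAIL
2021-04-12T09:00:03 ana.lopez 203.0.113.7 FAIL
2021-04-12T09:00:04 bob.lee 203.0.113.7 FAIL
2021-04-12T09:00:05 mei.chen 203.0.113.7 FAIL
2021-04-12T09:00:06 sam.park 203.0.113.7 FAIL
2021-04-12T09:00:07 john.doe 203.0.113.7 SUCCESS
2021-04-12T09:01:00 bob.lee 198.51.100.5 FAIL
2021-04-12T09:01:01 bob.lee 198.51.100.5 FAIL
2021-04-12T09:01:02 bob.lee 198.51.100.5 FAIL
2021-04-12T09:01:03 bob.lee 198.51.100.5 FAIL
2021-04-12T09:01:04 bob.lee 198.51.100.5 FAIL
2021-04-12T09:01:05 bob.lee 198.51.100.5 FAIL
""".splitlines()


def detect_spray(lines, min_accounts=5, max_fails_per_account=2):
    """Flag sources that fail against many accounts but only a few times each.

    Returns {source: {"accounts": [...], "successes": [...]}} for every source
    matching the spray shape. Per-account lockout never fires on this pattern,
    which is why the detection has to pivot on the source instead.
    """
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(list)
    for line in lines:
        _ts, user, src, result = line.split()
        if result == "FAIL":
            fails[src][user] += 1
        elif result == "SUCCESS":
            successes[src].append(user)
    flagged = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_fails_per_account:
            flagged[src] = {"accounts": sorted(per_user), "successes": successes[src]}
    return flagged


if __name__ == "__main__":
    for name in SCRAPED_NAMES:
        print(name, "->", candidate_address(name))
    for src, info in detect_spray(AUTH_LOG).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts tried, "
              f"successful logins: {info['successes']}")
```

Note what the detector does not flag: the single-account brute force from 198.51.100.5 trips ordinary lockout on its own, while the spray from 203.0.113.7 never exceeds one failure per account and is only visible when the log is grouped by source. Multi-factor authentication blunts both, since a guessed password alone no longer completes the login.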
What Should I Do?
Regardless of whether you are part of a breach or a scrape, take steps to secure your accounts: change your passwords (and stop reusing one password across sites), use a password manager, enable multi-factor authentication wherever it is offered, and check your credit report with one of the three reporting agencies for unexpected changes. You can also check whether you have appeared in a known breach at https://haveibeenpwned.com. The site indexes breach data and can tell you whether your email address or phone number appears in any breach it tracks, including the Facebook one. Finally, be mindful of what information you make public on each platform and tighten each platform's privacy settings as far as they go.
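The same site's Pwned Passwords service goes one step beyond the email and phone lookup described above: it lets you test a password you are about to choose without ever sending the password. The client hashes it with SHA-1 and sends only the first five hex characters; the server returns every known hash suffix for that prefix, and the match is done locally (k-anonymity). The following Python is an added example of that client logic, not code from the article or from the site. The online fetcher uses the real endpoint (https://api.pwnedpasswords.com/range/<prefix>) but is only called if you pass it in explicitly; the offline stand-in, its decoy suffixes and its counts are constructed for the demonstration, although the two matching suffixes are the genuine SHA-1 suffixes of "password" and "123456".

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_online(prefix):
    """Download the real k-anonymity range for a 5-hex-char SHA-1 prefix.

    Only the prefix ever leaves the machine. Add-Padding asks the service to
    pad the response with decoy entries (count 0) so that response size does
    not reveal which prefix was queried.
    """
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service. The counts are made up and the
# neighbouring suffixes are filler; only the suffixes of "password" (prefix
# 5BAA6) and "123456" (prefix 7C4A8) are real SHA-1 suffixes.
CONSTRUCTED_RANGES = {
    "5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1F2A7BD3C2E6A9D0E39A0E1F53B4D7C2A11:0\r\n",
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37359195\r\n"
             "D0AB1C9E2F3A4B5C6D7E8F9A0B1C2D3E4F5:1\r\n",
}


def fetch_range_offline(prefix):
    # Any other prefix gets a padding-only response, i.e. no real matches.
    return CONSTRUCTED_RANGES.get(prefix, "00000000000000000000000000000000000:0\r\n")


def pwned_count(password, fetch_range=fetch_range_offline):
    """Return how many times the password appears in the corpus (0 if never).

    SHA-1 is acceptable here because it is only an index into a public list,
    not a way to store the password.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            # Padding entries carry a count of 0, which correctly reads as "not found".
            return int(count)
    return 0


if __name__ == "__main__":
    # Swap in fetch_range_online to query the live service.
    for pw in ("123456", "password", "a-long-passphrase-nobody-has-used-before"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

A count above zero means the password has appeared in breach corpora and will be among the first an attacker tries; choose another one. Because only five hex characters of the hash are sent, the service cannot tell which of the several hundred candidate hashes in that range you were checking.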
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.