Why Facebook and LinkedIn’s data scraping fiascos are a huge security problem for their users
Subscribe to Data Sheet, a daily brief on the business of tech, delivered free to your inbox.
Every day, many millions of people use Facebook and LinkedIn to connect with their friends and coworkers, revealing information about themselves, like who they are dating and where they have worked.
But when people reveal details about their lives on these sites, they should realize that their information can easily spread to the open Internet. People who may not have the best intentions can collect users’ data.
That’s why security researchers say that the recent data scraping incidents at Facebook and LinkedIn are alarming. To refresh, the data of over 500 million Facebook users and 500 million LinkedIn users were recently revealed to have been collected and aggregated by bad actors who were selling the massive datasets to scammers.
While not technically considered data breaches, these huge scraping incidents pose a serious threat to consumers, multiple security researchers tell Fortune. Here’s what you need to know about data scraping.
A data scrape versus a data breach
In a typical data breach, a person without authorized access is able to penetrate an organization’s internal IT systems, gaining access to corporate databases and documents that potentially contain sensitive information, explains Zack Allen, the senior director of threat intelligence at security firm ZeroFOX. In essence, they are stealing from a company, akin to a robber who breaks into a store at night to steal money from the cash register.
There are multiple ways hackers can break into corporate computer systems, such as via the so-called SQL injection attack. (SQL, short for “structured language query,” refers to a programming language for interacting with databases.) In this type of attack, bad actors can force malicious code into online forms hosted on websites, which can cause the websites to potentially spit out sensitive user data, among other actions.
In a data scrape, however, attackers aren’t really hacking to gain access to IT systems or internal databases, per se. Instead, they use software tools that can automatically scan and collect the data that is already displayed on a website. Chris Vickery, the director of cyber risk research at security startup UpGuard, explains that when personal information is scraped from a public website, legally, “there is nothing wrong with that.”
He noted that in 2019, the United States Court of Appeals for the Ninth Circuit ruled that data scraping does not violate the Computer Fraud and Abuse Act (CFAA), the U.S.’s primary anti-hacking law. The case involved LinkedIn and the HR technology startup hiQ. As part of its business, hiQ scraped data from LinkedIn profiles in order to power its software, which was designed to predict employee churn, among other uses.
The startup alleged that LinkedIn sent the company cease-and-desist letters and restricted access to its service in order to stop the data scraping. As The National Law Review explained, the Ninth Circuit eventually determined that scraping data from LinkedIn does not violate the CFAA “because the LinkedIn computers are publicly accessible.” LinkedIn has since filed counterclaims against hiQ.
Still, LinkedIn’s terms of service indicate that the company doesn’t permit several kinds of data scraping tools on its site. If LinkedIn finds that an organization is using such software, “they risk having their accounts being restricted or shut down.”
Is data scraping a malicious act?
It’s not just bad actors who conduct data scraping. Many companies routinely collect information from the public Internet, such as marketers who may collect tweets referencing their company’s products so they can understand how people feel about them.
Journalists and researchers also use data scraping to extract information from publicly available databases or websites. The process can aid investigations and studies because it’s much faster than manually copying and pasting online text.
“I’m in support of journalists doing it, I’m in support of researchers doing it,” Allen said. “It comes down to what are the intentions.”
Criminals, however, can use data scraping techniques to create massive datasets that, when combined with other information, pose significant risks to consumers. These bad actors are essentially building dossiers on people, which other miscreants are willing to pay big bucks for.
What is the responsibility of a company to prevent data scraping?
Alon Gal, the chief technology officer of cybercrime intelligence firm Hudson Rock, told Fortune in a private message that the scraped Facebook dataset was originally “sold for several tens of thousands of dollars” until, eventually, it leaked to the Internet for free. Gal, who originally alerted the tech site Motherboard that someone was selling the leaked dataset, noted the significance of phone numbers appearing in the data dump.
“You basically have the phone number and public information of almost anyone who signed up to Facebook using a phone number, and a phone number in 2021 is a massive digital footprint that can be used to find information about you on the Internet,” Gal wrote.
A LinkedIn spokesperson told Fortune that the phone numbers found in the scraped LinkedIn dataset belonged to “another source.”
Gal, who declined to comment about LinkedIn, argued that Facebook’s latest security incident mishap “shouldn’t have even been considered a scraping incident” because the dataset contained “phone numbers which are private information that is not visible on any profile and was gathered due to an exploit in Facebook’s contact importer.”
Essentially, bad actors exploited a software flaw in Facebook’s tool that lets people connect with others. In doing so, they obtained the phone numbers of millions of users, making the incident more of a breach than a scrape, in Gal’s view. “Even individuals who set their phone numbers to private in Facebook’s privacy options were exposed in the leak,” he added.
Although companies like Facebook and LinkedIn likely have software that prevents data scraping, bad actors also have their own arsenal of tools and are constantly adapting their data scraping techniques to avoid detection, Allen said. For instance, some miscreants are using so-called residential proxies, which are Internet Protocol, or IP, addresses that phone companies give to homeowners to mask their true location. These proxies effectively shield where people are conducting their data scraping from, basically allowing them to fly under the radar of some corporate security tools, he said.
Ultimately, people need to realize that when they sign up to online platforms and social media services, “anything they post, any information that they share or provided upon signing up could be scraped/hacked and used against them in the future,” Gal wrote.
And companies that provide those services should be more forthcoming about that painful reality. Although there’s a certain level of individual responsibility on behalf of people to be aware that anything they post online could be accessed by third parties, “who are you to know your individual responsibility when connecting to a platform that says it is safe with a green lock?” Allen said.