LinkedIn Breach Incident Score: Analysis & Impact (LIN1773246240)

In this Rankiteo incident briefing, we review the LinkedIn breach identified under incident ID LIN1773246240.

The analysis begins with a detailed overview of LinkedIn's information like the linkedin page: https://www.linkedin.com/company/linkedin, the number of followers: 33387235, the industry type: Software Development and the number of employees: 23908 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 826 and after the incident was 796 with a difference of -30 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on LinkedIn and their customers.

On 01 January 2024, LinkedIn disclosed Data Scraping issues under the banner "LinkedIn Data Scraping Incident Exposing User Information".

A recent data scraping incident has exposed publicly available LinkedIn user profiles, raising concerns over privacy and unauthorized data collection.

The disruption is felt across the environment, and exposing Names, job titles, workplace details, contact data, with nearly Millions records at risk.

In response, moved swiftly to contain the threat with measures like Implemented measures to detect and mitigate scraping attempts, and stakeholders are being briefed through Acknowledged the activity and emphasized no private or sensitive data was accessed.

The case underscores how teams are taking away lessons such as Challenges platforms face in balancing open access with user privacy.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Active Scanning (T1595) with moderate to high confidence (80%), supported by evidence indicating automated scraping tools harvest publicly accessible information and Exploit Public-Facing Application (T1190) with moderate confidence (60%), supported by evidence indicating publicly accessible profile information exploited via scraping. Under the Collection tactic, the analysis identified Data from Cloud Storage (T1530) with high confidence (90%), supported by evidence indicating profile information including names, job titles, workplace details extracted and Data from Information Repositories (T1213) with moderate to high confidence (80%), supported by evidence indicating third-party actors extracting profile information from millions of accounts. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with moderate to high confidence (70%), supported by evidence indicating data scraping incident has exposed publicly available LinkedIn user profiles and Automated Exfiltration (T1020) with moderate to high confidence (80%), supported by evidence indicating automated scraping tools harvest publicly accessible information. Under the Impact tactic, the analysis identified Defacement (T1491) with moderate confidence (50%), supported by evidence indicating raising concerns over privacy and unauthorized data collection and Disk Wipe (T1561) with lower confidence (10%), supported by evidence indicating no evidence of data destruction or encryption. Under the Credential Access tactic, the analysis identified Gather Victim Identity Information (T1589) with high confidence (90%), supported by evidence indicating names, job titles, workplace details, and contact data exposed. Under the Reconnaissance tactic, the analysis identified Gather Victim Network Information (T1590) with moderate to high confidence (70%), supported by evidence indicating workplace details and contact data extracted for phishing/social engineering and Gather Victim Identity Information: Credentials (T1589.001) with moderate confidence (60%), supported by evidence indicating contact data could be used for phishing or targeted advertising. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.