How open are you on social media? And, more importantly, how open should you be?
Do you know exactly how much information you are giving away and what social media companies are doing with your data? Do you know who else has access? Do you know how secure your personal information is?
These might seem like basic questions, but all too often, the data we share on social media is more detailed and less secure than we might realize.
With everything from name and age to marital status and place of work, we put a lot of information out there. Everyone has a different comfort level about sharing data on social media platforms, but almost all of us share some of our lives and personal information with the world on one platform or another.
This data is in the public domain, and most of us are fine with that. But would you feel so comfortable if you knew that this same data was being compiled, collated, and analyzed by malicious actors online and sold to the highest bidders?
This is exactly what one hacker, known as ‘Tom Liner’, did, announcing his exploits on a hacking forum. He put together a database of over 700 million LinkedIn users, with information publicly available on their profiles, and was selling it for USD 5,000.
This is just one example of ‘social media scraping,’ the practice of pulling all available data from social media platforms. There have been many others in recent years, all of which have reignited a debate about privacy online and who is responsible for keeping the information we share on social media safe.
The most important takeaway from this latest incident is that this isn’t an example of traditional ‘hacking’, of breaking into secured networks and stealing information. This database was created from data that social media users share freely and publicly. The difference is that ‘Tom Liner’ used an automated program to scrape the data far faster than would be humanly possible, allowing him to collate the data of millions of users.
This latest sale is the fourth ‘mega-scraping’ event this year. Over 500 million records, again from LinkedIn, were sold back in April, and similar databases of Clubhouse and Facebook records were sold in the same month.
The good news is that even with advanced automated technology, these databases are not easy to compile. ‘Tom Liner’ told the BBC that his latest LinkedIn database took several months to complete and required hacking the LinkedIn API to get around being blocked for multiple data requests.
Social media companies like Facebook and LinkedIn tend to wave away data scraping incidents as isolated occurrences, claiming that there is nothing to worry about in the long term. LinkedIn stated that they were “constantly working to ensure members’ privacy is protected,” while Facebook claimed that the April event was the result of an old scrape that could not happen today.
But cybersecurity experts remain concerned, particularly as hackers appear to be profiting from social media data scraping. They say that the data actually available is not always what users think is available, and that APIs tend to provide more information than the public can see or than users necessarily know about.
Reading the fine print before giving your consent on platforms like Facebook is always a problem. And cybersecurity experts believe that the platforms themselves have a duty to be more careful with the information their users share.
It is almost inevitable that these databases will be used for malicious purposes. We might think that the information we share on our Facebook page or LinkedIn feed is harmless, but when combined with other hacking techniques, or other dubiously acquired data, it can be powerful and dangerous - particularly in the wrong hands. Even just users’ email addresses, in sufficient volume, can be valuable for mass email phishing attacks.
Social media platforms should be doing more to improve and secure their APIs in order to protect their users’ data, even if it is in the public domain. However, for the moment, the burden of protecting data online falls on the user. It is always worth thinking carefully about what you are sharing and how it might be used by bad actors in order to stay safe online.