Cognyte CTI Research Group
October 21, 2021

2021 LinkedIn breach: cybercriminals are the new headhunters

The fact that multiple databases of stolen records are shared for free on Dark Web platforms is not new. Stolen data can be used for various types of attacks, including spear-phishing, random malspam campaigns, etc. But a new, concerning data breach trend is emerging. Across Dark Web forums, services offer large-scale data filtered by categories, such as target country or profession. For threat actors, finding their next target has never been so easy. And the rest of us have never been so vulnerable.

While cybercriminals have traditionally focused on targeting corporations through ransomware attacks and theft, the landscape has shifted to one in which data is stolen and sold – and information on the general public is the product being sold. In February 2021, a threat actor offered a database of over 500 million Facebook accounts, filtered by country, for sale on a Dark Web forum. The fact that it was divided into countries received positive comments from multiple forum members due to the novel convenience it offered to the market for stolen data. This was a major move toward packaging and selling personal data stolen from social media companies.

The 2021 LinkedIn data breach

In August 2021, another threat actor leaked millions of records of LinkedIn users, also filtered by country, on a Dark Web forum (the original database was leaked in June 2021). Moreover, during the same month, a third threat actor took it a step further, when he offered to sell stolen LinkedIn records filtered by profession, including LinkedIn accounts of 12.9 million IT personnel, 6.7 million HR professionals and 4.8 million finance executives. Another noteworthy breach of executive accounts took place in late 2020, when a threat actor offered to sell access to email accounts of hundreds of C-level executives, including financial directors.

The data breach consisted of records that included various fields, such as first name, last name, company name, designation, email ID (registered with LinkedIn), country and LinkedIn profile link. The threat actor also provided lists summarizing information pertaining to countries and professions represented. Further examination of the threat actor’s activity revealed that he was focusing on records from stolen databases. The fact that the threat actor divided his LinkedIn database specifically into human resources (HR), information technology (IT) and finance personnel may indicate that these employees are more likely to be targeted by cyber offenders.

HR departments are most often considered “hackers’ favorites” since they usually deal with sensitive organizational information, such as employees’ personally identifiable information (PII). They might also provide a good entry point to an organization’s network, since they usually receive emails with attachments from unknown sources, making them more susceptible to phishing and malspam attacks. Another attack method hackers use is to impersonate HR personnel and lure job seekers into sharing sensitive information or providing unauthorized access to the victim’s machine. The published database of stolen LinkedIn records may therefore be very useful, since it can help hackers take over HR personnel accounts.

In late 2020, the Centre for Cyber Security (CFCS) in Denmark published a threat assessment report focusing on cyber-attacks against HR departments. The report reviews different types of attacks targeting HR departments worldwide, including the 2015 cyber-attack against the Bangladesh central bank and the 2019 ransomware campaign targeting Germany via fake job applications.

In 2020, a UK government-owned mapping agency suffered a data breach after hackers allegedly compromised the email account of the organization’s Chief Financial Officer (CFO). The account was used to send payroll files to an external email address. This incident raises concerns of a trend toward hackers abusing records of millions of CFOs worldwide to carry out similar targeted attacks, or impersonating CFOs to carry out Business Email Compromise (BEC) attacks.

In addition, a report analyzing spear-phishing trends, published in July 2021, found that IT employees were among the top targets of email attacks using phishing URLs, after CFOs and other executives.

It is not new that HR, IT and finance personnel need to be highly alert and aware of different cyber threats, but the fact that hackers divide large-scale databases of billions of records into specific professions is a concerning development that should be monitored and carefully considered.
