People put up public profiles to help them find jobs and connect with colleagues. For many of us, this means LinkedIn. It's not uncommon for companies to request your LinkedIn profile URL when submitting a job application. Keeping your LinkedIn profile updated is also important. Everything from your job history, education history, skills, and a little personal information about you is available for all to see. All of this is harmless, right? After all, the company behind LinkedIn is one of the largest technology companies on the planet — Microsoft.
Not so fast. An October 2019 hack of an unsecured Elasticsearch server exposed the profiles of 1.2 billion people. If no one created profiles directly with Elasticsearch, where did all of this data come from? In short, aggregation services. These services scrape information from websites such as LinkedIn and dump it into a server such as this one. In this case, the two aggregators were People Data Labs (PDL) and Oxydata.
LinkedIn does allow users to control how much information they want to display publicly. But getting the most out of LinkedIn requires exposing much of a user's profile. Not exposing the profile defeats the purpose of using LinkedIn.
Because these aggregation services have no access to login information, user logins are still protected with LinkedIn. However, it isn't much of a stretch that with such a detailed profile, a hacker can track down the user's email address, which is often the one used as their login for banks. With half of the login already resolved, it's just a matter of figuring out the password. Depending on which security measures the user has taken, such a task may not be all that difficult. Because 83% of users use the same password across multiple websites, they'll be open to multiple security threats.
Securing accounts with good security practices is great, but making profile information public can introduce a new security threat. Thanks to unseen aggregation services, this is the new reality going into 2020.