The past week saw massive data leaks at two tech giants: Facebook and LinkedIn. While neither denied that customer data had been leaked, both said it had not been hacked from their systems but had been scraped.
Facebook data of around 533 million users had leaked online, according to a report by Business Insider on April 3.
This includes the data of six million users from India: their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.
India, among Facebook's largest markets, accounts for about 410 million users.
In response, Facebook said, “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.”
Similarly, in the LinkedIn leak, first reported by CyberNews, data from 500 million LinkedIn accounts had been leaked online, including name, address, email, phone number, workplace information and so on.
“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies. It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review,” LinkedIn said in a statement.
Rajshekhar Rajaharia, the cybersecurity researcher who first tweeted about an alleged data breach at MobiKwik, explained, “When a data breach like this happens, it leaves not just the company whose data is leaked vulnerable, but some of this data can be used to hack or access information and even money of individuals from other organisations.”
“For example, one can make a spoof call using a mobile number leaked in a data breach, call a payment firm or bank’s IVR, which will recognise the spoof number as registered. Secondly, most payment companies and banks ask for the last four digits of your debit or credit card to verify you. That number has also been leaked, linked to your number in the data breach. Hence, unscrupulous elements can access and even steal your financial data or money using the data from data breaches,” he said.
What is scraping?
Infrastructure and website security firm Cloudflare explains what scraping means. Essentially, it is the process of using an application to extract valuable information from a website.
Contact scraping, which is what has happened at LinkedIn, is executed when the perpetrator 'scrapes' locations like an online employee directory. By doing so, “a scraper is able to aggregate contact details from bulk mailing lists, robo calls, or malicious social engineering attempts. This is one of the primary methods both spammers and scammers use to find new targets”.
Facebook has previously filed cases in the US and UK against app developers and companies that have developed tools to scrape its user data, as scraping is against the tech firm’s terms of service.
LinkedIn also said scraping violates its terms of service. “Any misuse of our members’ data, such as scraping, violates LinkedIn terms of service. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable”.
LinkedIn had a user base of 71 million in India in 2019, its second-highest.