LinkedIn files lawsuit to identify hackers

LinkedIn has filed a lawsuit aimed at identifying hackers who bypassed security measures to copy member data

LinkedIn has filed a lawsuit aimed at identifying hackers who used Amazon's cloud computing service to bypass security measures and copy data from hundreds of thousands of member profiles.

According to court documents, ten unidentified hackers set up fake LinkedIn accounts and ran automated bots on virtual computers rented from Amazon to harvest details from members’ profiles.

“This practice, known as 'scraping,' is explicitly barred by LinkedIn's User Agreement,” which also prohibits access to LinkedIn through any “technology or software” without the “express written consent of LinkedIn or its Members,” the complaint said.

Lawyers for LinkedIn, which claims that dealing with the hackers cost it $5,000, filed a complaint with the Northern District of California Court after the fake accounts were discovered, the Telegraph reports.

With more than 259 million professional members, LinkedIn holds a wealth of personal data that can be used by cyber criminals to carry out phishing attacks, identity theft, and similar scams.

By setting up a large number of fake accounts, the hackers were able to circumvent controls that limit the activity any single account can perform, enabling the bots to access thousands of profiles a day.

The hackers bypassed a security measure that is supposed to require users to complete bot-defeating CAPTCHA dialogues when potentially abusive activities are detected, reports Ars Technica.

They also bypassed restrictions that LinkedIn intended to impose through a robots.txt file, which indicates which content may be indexed by automated web-crawling programs used by Google and other sites.

LinkedIn has disabled the fake accounts and implemented more technological safeguards to prevent further scraping.

Investigators found that the hackers accessed LinkedIn using a highly scalable cloud computing platform offered by Amazon Web Services called Amazon EC2.

This enabled the hackers to rent potentially hundreds of thousands of virtual computers to run their automated data-scraping software.

The goal of LinkedIn's lawsuit is to give lawyers the legal means to carry out “expedited discovery” to learn the identity of the hackers.

Security experts said the success of this will depend on whether the hackers who subscribed to the Amazon service used payment methods or IP addresses that can be traced.
