• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

26 Meta employees accuse Mark Zuckerberg of using AI to target 8,000 layoffs against workers on medical, parental or family leave

2

FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’

3

He sold his last company to Palantir. Now he's betting $32 million that robots can fix construction's labor crisis

1

26 Meta employees accuse Mark Zuckerberg of using AI to target 8,000 layoffs against workers on medical, parental or family leave

2

FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’

3

He sold his last company to Palantir. Now he's betting $32 million that robots can fix construction's labor crisis
TechCybersecurity

Why Facebook and LinkedIn’s data scraping fiascos are a huge security problem for their users

By
Jonathan Vanian
Jonathan Vanian
Down Arrow Button Icon
By
Jonathan Vanian
Jonathan Vanian
Down Arrow Button Icon
April 17, 2021, 9:30 AM ET
Nikolas Kokovlis—NurPhoto/Getty Images
Add Fortune on Google for similar content.

Subscribe to Data Sheet, a daily brief on the business of tech, delivered free to your inbox.

Every day, many millions of people use Facebook and LinkedIn to connect with their friends and coworkers, revealing information about themselves, like who they are dating and where they have worked. 

But when people reveal details about their lives on these sites, they should realize that their information can easily spread to the open Internet. People who may not have the best intentions can collect users’ data.

That’s why security researchers say that the recent data scraping incidents at Facebook and LinkedIn are alarming. To refresh, the data of over 500 million Facebook users and 500 million LinkedIn users were recently revealed to have been collected and aggregated by bad actors who were selling the massive datasets to scammers.

While not technically considered data breaches, these huge scraping incidents pose a serious threat to consumers, multiple security researchers tell Fortune. Here’s what you need to know about data scraping.

A data scrape versus a data breach

In a typical data breach, a person without authorized access is able to penetrate an organization’s internal IT systems, gaining access to corporate databases and documents that potentially contain sensitive information, explains Zack Allen, the senior director of threat intelligence at security firm ZeroFOX. In essence, they are stealing from a company, akin to a robber who breaks into a store at night to steal money from the cash register. 

There are multiple ways hackers can break into corporate computer systems, such as via the so-called SQL injection attack. (SQL, short for “structured language query,” refers to a programming language for interacting with databases.) In this type of attack, bad actors can force malicious code into online forms hosted on websites, which can cause the websites to potentially spit out sensitive user data, among other actions.

In a data scrape, however, attackers aren’t really hacking to gain access to IT systems or internal databases, per se. Instead, they use software tools that can automatically scan and collect the data that is already displayed on a website. Chris Vickery, the director of cyber risk research at security startup UpGuard, explains that when personal information is scraped from a public website, legally, “there is nothing wrong with that.”

He noted that in 2019, the United States Court of Appeals for the Ninth Circuit ruled that data scraping does not violate the Computer Fraud and Abuse Act (CFAA), the U.S.’s primary anti-hacking law. The case involved LinkedIn and the HR technology startup hiQ. As part of its business, hiQ scraped data from LinkedIn profiles in order to power its software, which was designed to predict employee churn, among other uses.

The startup alleged that LinkedIn sent the company cease-and-desist letters and restricted access to its service in order to stop the data scraping. As The National Law Review explained, the Ninth Circuit eventually determined that scraping data from LinkedIn does not violate the CFAA “because the LinkedIn computers are publicly accessible.” LinkedIn has since filed counterclaims against hiQ.

Still, LinkedIn’s terms of service indicate that the company doesn’t permit several kinds of data scraping tools on its site. If LinkedIn finds that an organization is using such software, “they risk having their accounts being restricted or shut down.”

Is data scraping a malicious act?

It’s not just bad actors who conduct data scraping. Many companies routinely collect information from the public Internet, such as marketers who may collect tweets referencing their company’s products so they can understand how people feel about them.

Journalists and researchers also use data scraping to extract information from publicly available databases or websites. The process can aid investigations and studies because it’s much faster than manually copying and pasting online text.

“I’m in support of journalists doing it, I’m in support of researchers doing it,” Allen said. “It comes down to what are the intentions.”

Criminals, however, can use data scraping techniques to create massive datasets that, when combined with other information, pose significant risks to consumers. These bad actors are essentially building dossiers on people, which other miscreants are willing to pay big bucks for.

What is the responsibility of a company to prevent data scraping?

Alon Gal, the chief technology officer of cybercrime intelligence firm Hudson Rock, told Fortune in a private message that the scraped Facebook dataset was originally “sold for several tens of thousands of dollars” until, eventually, it leaked to the Internet for free. Gal, who originally alerted the tech site Motherboard that someone was selling the leaked dataset, noted the significance of phone numbers appearing in the data dump.  

“You basically have the phone number and public information of almost anyone who signed up to Facebook using a phone number, and a phone number in 2021 is a massive digital footprint that can be used to find information about you on the Internet,” Gal wrote.

A LinkedIn spokesperson told Fortune that the phone numbers found in the scraped LinkedIn dataset belonged to “another source.”

Gal, who declined to comment about LinkedIn, argued that Facebook’s latest security incident mishap “shouldn’t have even been considered a scraping incident” because the dataset contained “phone numbers which are private information that is not visible on any profile and was gathered due to an exploit in Facebook’s contact importer.”

Essentially, bad actors exploited a software flaw in Facebook’s tool that lets people connect with others. In doing so, they obtained the phone numbers of millions of users, making the incident more of a breach than a scrape, in Gal’s view. “Even individuals who set their phone numbers to private in Facebook’s privacy options were exposed in the leak,” he added.

Although companies like Facebook and LinkedIn likely have software that prevents data scraping, bad actors also have their own arsenal of tools and are constantly adapting their data scraping techniques to avoid detection, Allen said. For instance, some miscreants are using so-called residential proxies, which are Internet Protocol, or IP, addresses that phone companies give to homeowners to mask their true location. These proxies effectively shield where people are conducting their data scraping from, basically allowing them to fly under the radar of some corporate security tools, he said.

Ultimately, people need to realize that when they sign up to online platforms and social media services, “anything they post, any information that they share or provided upon signing up could be scraped/hacked and used against them in the future,” Gal wrote.

And companies that provide those services should be more forthcoming about that painful reality. Although there’s a certain level of individual responsibility on behalf of people to be aware that anything they post online could be accessed by third parties, “who are you to know your individual responsibility when connecting to a platform that says it is safe with a green lock?” Allen said. 

About the Author
By Jonathan Vanian
LinkedIn iconTwitter icon

Jonathan Vanian is a former Fortune reporter. He covered business technology, cybersecurity, artificial intelligence, data privacy, and other topics.

See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Tech

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Tech

tony
Commentarydisruption
Genesys CEO: We can see firsthand how AI is changing — not replacing — work
By Tony BatesJuly 16, 2026
1 hour ago
h
AIRobots
‘Japan’s excellence is a philosophy, a way of life’: Jensen Huang wants robots to take care of an aging society with a labor shortage
By Yuri Kageyama and The Associated PressJuly 16, 2026
1 hour ago
Aiden, an AI bot cartoon, poses next to Nim Ravid.
Startups & VentureSequoia Capital
Meet the AI employee that convinced Sequoia to invest $45 million in Sable
By Lily Mae LazarusJuly 16, 2026
2 hours ago
Bunkerhill Health raises $55 million to put AI agents to work inside hospitals
NewslettersTerm Sheet
Bunkerhill Health raises $55 million to put AI agents to work inside hospitals
By Allie GarfinkleJuly 16, 2026
2 hours ago
Southeast Asia ‘has not really moved up the value chain’ and risks missing the AI boom, says Standard Chartered’s chief ASEAN economist
AsiaStandard Chartered
Southeast Asia ‘has not really moved up the value chain’ and risks missing the AI boom, says Standard Chartered’s chief ASEAN economist
By Angelica AngJuly 16, 2026
3 hours ago
Stripe co-founder and CEO Patrick Collison at Fortune Brainstorm Health 2022 in Los Angeles. (Photo: Stuart Isett/Fortune)
NewslettersFortune Tech
Why Stripe might want to acquire PayPal
By Andrew NuscaJuly 16, 2026
3 hours ago

Most Popular

26 Meta employees accuse Mark Zuckerberg of using AI to target 8,000 layoffs against workers on medical, parental or family leave
Law
26 Meta employees accuse Mark Zuckerberg of using AI to target 8,000 layoffs against workers on medical, parental or family leave
By Barbara Ortutay, Alexandra Olson and The Associated PressJuly 15, 2026
1 day ago
FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’
C-Suite
FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’
By Fortune EditorsJuly 15, 2026
23 hours ago
He sold his last company to Palantir. Now he's betting $32 million that robots can fix construction's labor crisis
Innovation
He sold his last company to Palantir. Now he's betting $32 million that robots can fix construction's labor crisis
By Lily Mae LazarusJuly 15, 2026
1 day ago
Jamie Dimon understands why people are anti-rich: 'We have, in fact, left the lower-income folks behind' and 'that's kind of annoying'
Economy
Jamie Dimon understands why people are anti-rich: 'We have, in fact, left the lower-income folks behind' and 'that's kind of annoying'
By Eleanor PringleJuly 15, 2026
1 day ago
MacKenzie Scott, Melinda French Gates, and Lauren Sánchez Bezos are rewriting the rules of billionaire giving—one quietly, one strategically, one very publicly
Newsletters
MacKenzie Scott, Melinda French Gates, and Lauren Sánchez Bezos are rewriting the rules of billionaire giving—one quietly, one strategically, one very publicly
By Sydney LakeJuly 14, 2026
2 days ago
After donating $48 billion to the Gates Foundation, Warren Buffett is quietly ending one of the biggest philanthropic relationships in history
North America
After donating $48 billion to the Gates Foundation, Warren Buffett is quietly ending one of the biggest philanthropic relationships in history
By Marco Quiroz-GutierrezJuly 14, 2026
2 days ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.