• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

The U.S. spent $30 billion to ditch textbooks for laptops and tablets: The result is the first generation less cognitively capable than their parents

2

Current price of oil as of July 13, 2026

3

Current price of silver as of Monday, July 13, 2026

1

The U.S. spent $30 billion to ditch textbooks for laptops and tablets: The result is the first generation less cognitively capable than their parents

2

Current price of oil as of July 13, 2026

3

Current price of silver as of Monday, July 13, 2026
TechCybersecurity

Why Facebook and LinkedIn’s data scraping fiascos are a huge security problem for their users

By
Jonathan Vanian
Jonathan Vanian
Down Arrow Button Icon
By
Jonathan Vanian
Jonathan Vanian
Down Arrow Button Icon
April 17, 2021, 9:30 AM ET
Nikolas Kokovlis—NurPhoto/Getty Images
Add Fortune on Google for similar content.

Subscribe to Data Sheet, a daily brief on the business of tech, delivered free to your inbox.

Every day, many millions of people use Facebook and LinkedIn to connect with their friends and coworkers, revealing information about themselves, like who they are dating and where they have worked. 

But when people reveal details about their lives on these sites, they should realize that their information can easily spread to the open Internet. People who may not have the best intentions can collect users’ data.

That’s why security researchers say that the recent data scraping incidents at Facebook and LinkedIn are alarming. To refresh, the data of over 500 million Facebook users and 500 million LinkedIn users were recently revealed to have been collected and aggregated by bad actors who were selling the massive datasets to scammers.

While not technically considered data breaches, these huge scraping incidents pose a serious threat to consumers, multiple security researchers tell Fortune. Here’s what you need to know about data scraping.

A data scrape versus a data breach

In a typical data breach, a person without authorized access is able to penetrate an organization’s internal IT systems, gaining access to corporate databases and documents that potentially contain sensitive information, explains Zack Allen, the senior director of threat intelligence at security firm ZeroFOX. In essence, they are stealing from a company, akin to a robber who breaks into a store at night to steal money from the cash register. 

There are multiple ways hackers can break into corporate computer systems, such as via the so-called SQL injection attack. (SQL, short for “structured language query,” refers to a programming language for interacting with databases.) In this type of attack, bad actors can force malicious code into online forms hosted on websites, which can cause the websites to potentially spit out sensitive user data, among other actions.

In a data scrape, however, attackers aren’t really hacking to gain access to IT systems or internal databases, per se. Instead, they use software tools that can automatically scan and collect the data that is already displayed on a website. Chris Vickery, the director of cyber risk research at security startup UpGuard, explains that when personal information is scraped from a public website, legally, “there is nothing wrong with that.”

He noted that in 2019, the United States Court of Appeals for the Ninth Circuit ruled that data scraping does not violate the Computer Fraud and Abuse Act (CFAA), the U.S.’s primary anti-hacking law. The case involved LinkedIn and the HR technology startup hiQ. As part of its business, hiQ scraped data from LinkedIn profiles in order to power its software, which was designed to predict employee churn, among other uses.

The startup alleged that LinkedIn sent the company cease-and-desist letters and restricted access to its service in order to stop the data scraping. As The National Law Review explained, the Ninth Circuit eventually determined that scraping data from LinkedIn does not violate the CFAA “because the LinkedIn computers are publicly accessible.” LinkedIn has since filed counterclaims against hiQ.

Still, LinkedIn’s terms of service indicate that the company doesn’t permit several kinds of data scraping tools on its site. If LinkedIn finds that an organization is using such software, “they risk having their accounts being restricted or shut down.”

Is data scraping a malicious act?

It’s not just bad actors who conduct data scraping. Many companies routinely collect information from the public Internet, such as marketers who may collect tweets referencing their company’s products so they can understand how people feel about them.

Journalists and researchers also use data scraping to extract information from publicly available databases or websites. The process can aid investigations and studies because it’s much faster than manually copying and pasting online text.

“I’m in support of journalists doing it, I’m in support of researchers doing it,” Allen said. “It comes down to what are the intentions.”

Criminals, however, can use data scraping techniques to create massive datasets that, when combined with other information, pose significant risks to consumers. These bad actors are essentially building dossiers on people, which other miscreants are willing to pay big bucks for.

What is the responsibility of a company to prevent data scraping?

Alon Gal, the chief technology officer of cybercrime intelligence firm Hudson Rock, told Fortune in a private message that the scraped Facebook dataset was originally “sold for several tens of thousands of dollars” until, eventually, it leaked to the Internet for free. Gal, who originally alerted the tech site Motherboard that someone was selling the leaked dataset, noted the significance of phone numbers appearing in the data dump.  

“You basically have the phone number and public information of almost anyone who signed up to Facebook using a phone number, and a phone number in 2021 is a massive digital footprint that can be used to find information about you on the Internet,” Gal wrote.

A LinkedIn spokesperson told Fortune that the phone numbers found in the scraped LinkedIn dataset belonged to “another source.”

Gal, who declined to comment about LinkedIn, argued that Facebook’s latest security incident mishap “shouldn’t have even been considered a scraping incident” because the dataset contained “phone numbers which are private information that is not visible on any profile and was gathered due to an exploit in Facebook’s contact importer.”

Essentially, bad actors exploited a software flaw in Facebook’s tool that lets people connect with others. In doing so, they obtained the phone numbers of millions of users, making the incident more of a breach than a scrape, in Gal’s view. “Even individuals who set their phone numbers to private in Facebook’s privacy options were exposed in the leak,” he added.

Although companies like Facebook and LinkedIn likely have software that prevents data scraping, bad actors also have their own arsenal of tools and are constantly adapting their data scraping techniques to avoid detection, Allen said. For instance, some miscreants are using so-called residential proxies, which are Internet Protocol, or IP, addresses that phone companies give to homeowners to mask their true location. These proxies effectively shield where people are conducting their data scraping from, basically allowing them to fly under the radar of some corporate security tools, he said.

Ultimately, people need to realize that when they sign up to online platforms and social media services, “anything they post, any information that they share or provided upon signing up could be scraped/hacked and used against them in the future,” Gal wrote.

And companies that provide those services should be more forthcoming about that painful reality. Although there’s a certain level of individual responsibility on behalf of people to be aware that anything they post online could be accessed by third parties, “who are you to know your individual responsibility when connecting to a platform that says it is safe with a green lock?” Allen said. 

About the Author
By Jonathan Vanian
LinkedIn iconTwitter icon

Jonathan Vanian is a former Fortune reporter. He covered business technology, cybersecurity, artificial intelligence, data privacy, and other topics.

See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Tech

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Tech

infra
EnergyData centers
Data centers have already hiked electricity prices on the public by $23 billion. Good luck clawing that back
By Theodore J. Kury and The ConversationJuly 14, 2026
4 minutes ago
Jony Ive (left), formerly with Apple and now with OpenAI, standing next to Laurene Powell Jobs, the widow of Apple founder Steve Jobs, at an event in 2022.
AIOpenAI
Stolen laptops, data breaches, secret moles, and recruiting-as-espionage. Here are the wildest claims in Apple’s lawsuit against OpenAI
By Emily ForliniJuly 13, 2026
11 hours ago
Elon Musk and Sam Altman are accusing each other of scamming investors as SpaceX and OpenAI jockey to lead AI revolution
AIBillionaires
Elon Musk and Sam Altman are accusing each other of scamming investors as SpaceX and OpenAI jockey to lead AI revolution
By Marco Quiroz-GutierrezJuly 13, 2026
11 hours ago
u
PoliticsSocial Media
Europe to social media platforms: make yourself safe for kids under 13, somehow
By Lorne Cook, Kelvin Chan and The Associated PressJuly 13, 2026
14 hours ago
Meta’s AI data center cost went from $10 billion to $50 billion in under 2 years—and split the town in two
Big TechMeta
Meta’s AI data center cost went from $10 billion to $50 billion in under 2 years—and split the town in two
By Sydney LakeJuly 13, 2026
14 hours ago
b
CommentaryWorld Cup
Columbia Business School professors: What the Balogun red card can teach us about AI and judgment
By Oded Netzer, Christopher Frank and Paul MagnoneJuly 13, 2026
15 hours ago

Most Popular

The U.S. spent $30 billion to ditch textbooks for laptops and tablets: The result is the first generation less cognitively capable than their parents
Innovation
The U.S. spent $30 billion to ditch textbooks for laptops and tablets: The result is the first generation less cognitively capable than their parents
By Sasha RogelbergJuly 12, 2026
2 days ago
Current price of oil as of July 13, 2026
Personal Finance
Current price of oil as of July 13, 2026
By Joseph HostetlerJuly 13, 2026
21 hours ago
Current price of silver as of Monday, July 13, 2026
Personal Finance
Current price of silver as of Monday, July 13, 2026
By Joseph HostetlerJuly 13, 2026
21 hours ago
Trump embraces Australian retirement system backed by Larry Fink
Personal Finance
Trump embraces Australian retirement system backed by Larry Fink
By Brianna Sosa and BloombergJuly 12, 2026
1 day ago
How Pete Hegseth's DEI order just put Scouting America's future at stake
North America
How Pete Hegseth's DEI order just put Scouting America's future at stake
By Seth T. Kannarr, Derek H. Alderman and The ConversationJuly 13, 2026
12 hours ago
Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it
Success
Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it
By Preston ForeJuly 6, 2026
8 days ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.