
LinkedIn brings down lawsuit on fake account scammers

LinkedIn this week filed suit against scammers who created thousands of fake profiles in order to scrape data about existing LinkedIn members, in violation of the social network's policies.

Starting in May 2013, these people bypassed LinkedIn's security protocols in order to troll the site for data. Trouble is, LinkedIn doesn't yet know their exact identities. But the company does know that the individuals used Amazon Web Services, so LinkedIn plans to ask Amazon to turn over any data it has on those tied to the accounts identified by LinkedIn.

"We're a members-first organisation and we feel we have a responsibility to protect the control that our members have over the information they put on LinkedIn," LinkedIn said in a statement.

Over the past few months, the scammers circumvented LinkedIn security measures like FUSE (which limits account activity), Sentinel (which limits successive requests from the same IP address), UCV (Captchas), and the robots.txt protocol (crawling). They used an automated process to create thousands of fake LinkedIn profiles, which in turn allowed them to view hundreds of thousands of legitimate member profiles per day and scrape those profiles for data.

LinkedIn's terms of use specifically ban "scraping, spidering, crawling, or other technology or software used to access data without the express written consent of LinkedIn or its members." Technically, the site also only allows each member to have one profile and requires that the data be accurate, but that's harder to police.

LinkedIn discovered the scam when it noticed that thousands of fake member accounts had collectively viewed many member profiles in a short period of time. The fake accounts, meanwhile, demonstrated "clear patterns of automation."

LinkedIn has since disabled those accounts, and said it bolstered its security, but wants to go after the scammers because fake profiles reduce the accuracy and integrity of the information on LinkedIn. The effort, meanwhile, put "significant strain" on LinkedIn's servers.

LinkedIn said the scheme violates the Computer Fraud and Abuse Act, the California Comprehensive Computer Access and Fraud Act, and the DMCA. It has requested a jury trial.

In May 2013, LinkedIn enabled two-factor authentication for all of its users.