LinkedIn Exposed Hundreds of Millions of Profiles and Millions of Passwords
LinkedIn faced multiple major security incidents involving both scraped profile data and compromised credentials. In one 2021 case, data from about 500 million accounts was reported online, followed by a larger dataset allegedly covering roughly 700 million profiles offered for sale on Raid Forums. Reports said the exposed information included public profile details such as names, job titles, locations, workplace email addresses, phone numbers, social links, dates of birth, and in some cases precise GPS data. LinkedIn said the 2021 incidents were not traditional intrusions but large-scale scraping of publicly accessible member information, potentially through abuse of its API, and maintained that no private member data was breached.
Earlier, LinkedIn confirmed that a separate 2012 compromise exposed about 6 to 6.5 million member passwords, prompting password invalidations, reset notices, and an FBI-linked investigation. Reporting said the leaked passwords were hashed but not salted, allowing many to be cracked more easily after being posted on a hacker site, and some decoded passwords were later published. The combined incidents raised persistent concerns that LinkedIn data could be weaponized for phishing, spam, identity theft, stalking, and account compromise, especially when profile information is paired with weakly protected credentials.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
LinkedIn says 700 million-record incident was scraping, not a breach
In response to the 700 million-profile dataset reports, LinkedIn maintained that no private member data was exposed and characterized the incident as large-scale scraping of publicly accessible information, possibly via its API. The company distinguished the event from a conventional hack or data breach.
Dataset from about 700 million LinkedIn profiles is offered for sale
By 2021-06-29, a larger dataset scraped from about 700 million LinkedIn profiles was reportedly being sold on RaidForums. The data allegedly included public profile details such as names, job titles, contact information, dates of birth, social links, and in some cases precise location data.
Scraped data from 500 million LinkedIn accounts is reported online
By 2021-04-08, reports said data from roughly 500 million LinkedIn accounts had been leaked online. The exposed information was described as scraped from LinkedIn profiles rather than obtained through a traditional intrusion.
US lawmakers call for action after LinkedIn password breach
On 2012-06-07, members of Congress including Representative Mary Bono Mack and Senator Pat Leahy publicly called for legislative action in response to the LinkedIn password leak. Their statements framed the incident as evidence of broader data protection and cybercrime issues.
LinkedIn says it is working with the FBI on the investigation
Following the password leak, LinkedIn said it was working with the FBI to investigate the theft and publication of member passwords. The company also said a small subset of the hashed passwords had already been decoded and published.
LinkedIn confirms password leak and resets affected accounts
LinkedIn confirmed that some of the leaked passwords matched member accounts and invalidated passwords for affected users. The company said impacted members would receive email instructions to reset their credentials and stated it was not aware of other member data being exposed.
LinkedIn passwords posted on a hacker site
On 2012-06-06, approximately 6.5 million hashed LinkedIn passwords were discovered posted on a hacker site. Reports indicated the passwords were unsalted hashes, making many easier to crack.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Linkedin: Linkedin working with FBI on password leak of its members - The Economic Times
economictimes.indiatimes.com
Open source700 million exposed in LinkedIn data scrape - what to do now | Tom's Guide
tomsguide.com
Open sourceAnother 500 million accounts have leaked online, and LinkedIn’s in the hot seat | The Verge
theverge.com
Open sourceLinkedIn Gets Hacked | Fox10tv.com
web.archive.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Massive Credential Exposure Reveals Billions of Stolen Login Records
Researchers and media reports disclosed enormous troves of exposed login data, including an unprotected 47.42 GB database containing **184,162,718** unique usernames and passwords tied to services such as Microsoft, Facebook, Google, Instagram, Snapchat, Discord, Netflix, PayPal, and government portals in 29 countries. Security researcher Jeremiah Fowler found the database on an unmanaged server with no password protection or encryption, and sample records included account types, website URLs, and plaintext passwords labeled `senha`. Fowler said multiple individuals confirmed the leaked credentials were genuine after he contacted them directly. The exposed records are believed to be linked to **infostealer malware** and broader malware-as-a-service collection operations, with subsequent reporting describing a far larger cache totaling **16 billion** credentials affecting major consumer platforms including Apple, Facebook, and Google. The disclosures raise immediate risks of credential stuffing, account takeover, phishing, fraud, and unauthorized access to corporate and government systems. Public access to the 184 million-record database was later restricted after responsible disclosure to the hosting provider, but the owner of the data remains unidentified.
May 25, 2026
Unsecured Infostealer Database Exposes 149M Usernames and Passwords
A publicly accessible database containing **~149.4 million unique usernames and passwords** (about **96GB** of data) was discovered online by security researcher **Jeremiah Fowler**. The trove included not just credential pairs but also associated site links, indicating it was designed to enable direct account access across many services; major concentrations included **Gmail (48M)**, **Facebook (17M)**, **Instagram (6.5M)**, **Yahoo (4M)**, **Netflix (3.4M)**, **Outlook (1.5M)**, **iCloud (900K)**, and **Binance (420K)**. The database was reportedly **not encrypted and not password-protected**, and it also contained credentials tied to **.gov domains** from multiple countries, raising risks of follow-on activity such as spearphishing, impersonation, and potential access attempts against government networks. Fowler reported the exposure to the hosting provider, and the database was subsequently **removed for terms-of-service violations**; Fowler said he could not determine who owned or operated the dataset. Reporting indicates the database likely aggregated logs from **infostealer malware**, which commonly uses techniques like **keylogging** to capture credentials from infected devices; Fowler noted the dataset continued to **grow over roughly a month** while he worked to reach the host. The hosting arrangement was described as a global provider using regional affiliates, with the exposed instance attributed to an affiliate in **Canada**, and the provider was not publicly named.
Mar 21, 2026
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
Mar 21, 2026