LinkedIn Sues Crew Who Scraped Member Profiles Using Amazon Servers

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

LinkedIn wants compensation and a jury trial, saying it could determine who the attackers were by asking Amazon

LinkedIn has taken the fight to a number of unnamed individuals who allegedly scraped reams of member profiles using Amazon Web Services’ servers.

In a lawsuit revealed by the social network’s lawyers this week, LinkedIn claimed the perpetrators used bots to set up fake profiles, which took information from the site and stored it in Amazon EC2 systems. The scraping started in May 2013 and has continued to this year.

Amazon Web Services LandscapeThe bots were said to have viewed hundreds of thousands of member accounts every day. They managed to circumvent a number of LinkedIn protections, including Captcha tests and the FUSE system that is designed to limit the number of user actions and thereby detect automated activity.

LinkedIn security bypassed

They also got around the site’s ‘Sentinel’ security, which is designed to limit successive requests from IP addresses.

Not only have the defendants broken LinkedIn terms and services, they have broken the Computer Fraud and Abuse Act and the Digital Millenium Copyright Act, according to the filing.

“The Doe Defendants’ unlawful conduct threatens the LinkedIn platform in several ways. It undermines the integrity and effectiveness of LinkedIn’s professional network by polluting it with thousands of fake member profiles,” the filing read.

“Moreover by pilfering data from the LinkedIn site, the Doe Defendants threaten to degrade the value of LinkedIn’s Recruiter Product, in which LinkedIn has invested substantially over the years.”

LinkedIn said it had experienced increased strain and disruption on its network as a result of the the data scraping operation.

The company said it had been able to quickly remove the fake profiles, and had added extra technical capabilities to prevent similar activities. Yet LinkedIn noted that if the alleged scrapers were not stopped, they threatened to cause “ongoing and irreparable harm” to the company.

LinkedIn said it expects to be able to identify the perpetrators by making a legal request to Amazon Web Services, where the virtual machines used to scrape the data resided. It also wants a jury trial and monetary compensation.

Are you a security expert? Try our quiz!