Cyber-attacks: The dark world of hackers who steal data from social network profiles

How would you feel if all your data was catalogued by a hacker and put into a monster spreadsheet of millions of people, to be sold on the Internet to the highest-paying cybercriminal?

Disclaimer: The translations are mostly done through AI translator and might not be 100% accurate.

How much detail do you post on your own social media profile?

Name, place, age, position at work, marital status, face photo?

The amount of information people are comfortable sharing varies.

But most people accept that everything we share on our public profile page is in the public domain.

So, how would you feel if all your data was catalogued by a hacker and put into a monster spreadsheet of millions of people, to be sold on the internet to the highest-paying cybercriminal?

That's what a hacker who calls himself "Tom Liner" did last month "for fun", when he compiled a database of 700 million LinkedIn users from around the world, which is on sale for around $5,000.

This incident and other similar cases of "scraping" on social networks have sparked a heated debate about whether or not the basic information we share publicly on our profiles should be better protected.


It was 8:57am UK time when the post appeared on the infamous hacking forum.

It was an unusually civilized hour for hackers, but of course we have no idea what time zone the hacker - who calls himself "Tom Liner" - lives in.

"Hi, I have 700 million Linkedin records for 2021," he wrote.

The post included a link to a sample of one million records and an invitation to other hackers to contact him privately and make offers for the database.

Happy customers

Understandably, the sale caused quite a stir in the hacking world, and Tom tells me he's selling the haul to "many" lucky buyers for around $5,000.

He won't say who his customers are or why they would want the data, but he says the data is likely to be used to further malicious hacking campaigns.

The news also sparked a discussion in the cybersecurity and privacy world about whether we should be concerned about this growing trend of mega-scraping.

These databases are not created by hacking social network servers or websites.

They are mainly built by scraping the public-facing surface of the platform, using automated programs to download all user data that is freely available.

In theory, most of the data being collected could be found by simply browsing individual social media profile pages, although of course it would take several lifetimes to collect as much data as the hackers are able to.

So far, there have been three other major "scraping" incidents:

- In April, a hacker sold another database with about 500 million records scraped from LinkedIn.

- In the same week, another hacker released a database of 1.3 million Clubhouse profiles for free on the forum.

- Also in April, data on 533 million Facebook users was compiled from a mix of old and new scrapes before being shared on a hacker forum with a request for donations.

The hacker responsible for that Facebook database is "Tom Liner".

I spoke with Tom over the course of three weeks via messages on the Telegram app.

Some messages and even missed calls were sent in the middle of the night and others during business hours, so it was impossible to infer anything about his location.

The only clues to his normal life were when he said he couldn't talk on the phone while his wife was sleeping and that he had a day job and hacking was his "hobby".

"Very complex work"

Tom told me that he built the database of 700 million LinkedIn users using "almost the exact same technique" he used to build the Facebook list.

"It took me several months to do it. It was very complex. I had to hack LinkedIn's API.

"If you submit too many requests for user data at the same time, the system will permanently ban you," he said.

API stands for "application programming interface", and most social networks sell API partnerships allowing other companies to access the platform's data, for example for marketing or building applications.

Privacy Shark, which first discovered the sale of the database, examined the free sample and found it contained full names, email addresses, gender, phone numbers and employment information.

"Not a violation"

LinkedIn says its evidence suggests that Tom Liner did not use their API, but confirmed that the data set "includes information pulled from LinkedIn as well as data obtained from other sources."

They also add that "this is not a breach of LinkedIn data and no private data of LinkedIn members has been exposed."

"Extracting data from LinkedIn is a violation of our Terms of Service, and we are constantly working to protect our members' privacy."

In response to the April data leak, Facebook also dismissed the incident as an old leak.

However, the fact that hackers are making money from these databases worries some cyber experts.

"Intricate detail stolen"

Amir Hadžipašić, chief executive and founder of the SOS Intelligence service, scours hacker forums day and night.

As soon as news of the database of 700 million LinkedIn users spread, he and his team began analyzing the data.

"Such large-scale leaks are worrisome given the intricate details in some cases of this data, such as geographic locations or private mobile phone and email addresses."

"It will come as a surprise to most people that these API enrichment services have so much data," he said.

Tom Liner says he knows his database is likely to be used for malicious attacks.

He says it "bothers" him, but didn't say why he's still going ahead with the extraction operation.

Amir says hackers who buy the LinkedIn data could use it to launch targeted hacking campaigns against high-level targets such as company bosses.

He also said the value lies in the huge number of active email addresses in the database, which can be used to send mass phishing emails.

"Data is public"

Cybersecurity expert Troy Hunt, who spends most of his working life loading the contents of hacked databases into his website haveibeenpwned.com, is less concerned about the recent scraping incidents and says we have to accept them as part of sharing our public profile.

"These are definitely not violations. Most of this data is public anyway."

"However, in any case, the question should be asked how much of that information is publicly available by user choice and how much is not expected to be publicly available."

Troy agrees with Amir that controls over social networking APIs need to be improved and says we can't rule out these incidents.

"I don't agree with the position of Facebook and others, but I think that the answer 'this is not a problem', while technically correct, misses the sense of how important this user data is and thus perhaps diminishes the companies' own role in creating these databases."

Tom's actions will likely lead to him being sued by social media companies for intellectual property theft or copyright infringement.

But when asked if he was worried about being arrested, he said that no one would be able to find him, and our conversation ended with the words "enjoy the rest of the day".

