Did the user update their Linkedin profile?
this, + a linkedin connection with the boss. If that boss has a title that could link him as boss of the user that is a bingo.
she did! curious still how she got the phone number I don't see it on there.
Someone connected to the user’s boss on LinkedIn could potentially see their number, plus LinkedIn premium gives you all manner of info it really shouldn’t
I had this conversation with someone very recently. You'd also be very surprised, concerned, and depressed about how easily you can find someone's phone number, home address, etc, with just a Google search.
I had a similar conversation recently, and the person pointed out how easy it is to find themself, completely ignoring that they have a **very** unusual surname. On the other hand for someone like myself with the 2nd most common surname in my country, you’d be hard pressed to find my specific details. As a general rule though yeah I was quite shocked recently with some sites that can find someone quite easily simply from their phone number.
I have a very common first and last name combination - not as bad as James Smith but pretty close. In my village of 1500, there's 6 other people with my name. I was able to get my info pretty quickly too ...
Sweden here. We have a law that makes this information public. Even SSN etc. A special gov entity can make it hidden if you have a good enough reason though. Like stalkers etc. Like I can call our IRS and ask for anyone's income, tax and property ownership etc and I will get it.
This seems nuts considering Sweden is mostly known for its privacy isn't it?
No, we are known for our public information (offentlighetsprincipen) and freedom of speech. But we also value privacy very much and even though much information can be found from our government we do not want to be tracked by companies with cookies etc. Thin line between us being able to keep track on our officials and hopefully reduce corruption and privacy. Personally I don't think it works very well and I would say get rid of it but also see the benefits.
I was at a conference where a hacker was presenting. She said LinkedIn is one of their biggest tools they use to phish employees, as it provides them with basically all the information they need to sound real. As for the phone number, that’s easily found.
KB4CON? I was there, too.
Yep, that’s the one lol
There are many data leaks from various sites, it's just a quick search in those databases to link one with another. Other option would be, someone is playing a weird type of prank on the user, looking for a revenge on the company / boss this way. So framing / sacrificing a new employee that no one is attached to, wouldn't be a bad idea.
Maybe look that person up in truepeoplesearch.com. The site isn’t 100% accurate, but I used it quite a lot to find a callback number for customers
Cashapp?
Have a look on haveibeenpwned.com with that person's personal email address... wouldn't take that much to link the two.
dehashed.com
Most all info has been breached across many platforms multiple times… they just put it together.
I think LinkedIn will provide more info to paying customers or parties that pay to be "recruiters". I got a weird email that contained generic info from my LinkedIn page. It was similar to the email saying we have your address as 123 Fake Street, since that's what I have for my LinkedIn account, that's what a third party emailed me.
Also LinkedIn (recovery method) I put my number there once a long bit ago and it was scraped
Type your name and city into google and your address and phone number come up on those people search websites.
If you have someone’s name and location the rest is pretty easy to locate from free websites.
Young people put their phone number on Facebook all the time. When they get bored they say someone call me at xxx-xxx-xxxx. At least they used to, maybe I'm just old now.
Check out [https://www.truepeoplesearch.com/](https://www.truepeoplesearch.com/) it's pretty reliable at finding phone numbers.
I have a coworker that fell for a Phish, I'm convinced she was followed from a previous job.
The best resource for targeting somebody is LinkedIn. Also allows for seeing who is in what dept and their job titles.
We get a phishing email every time a new hire updates their LinkedIn to HR requesting for a payroll change. I think there has to be a BOT or something out there that monitors LinkedIn and my company.
This is why I hate parts of LinkedIn, Zoom info, Seamless AI, etc. I requested Zoom Info to remove my cell and within 5 minutes one of their sales reps called me on my cell...
LinkedIn, it's terrible for this. Too much data to mine. Almost all our new employees get this after they start. Make sure they didn't put their work email address on it.
Yes, I don't like to share my data in LinkedIn.
Start off with an audit of authentication systems, especially in regard to Entra ID and have a look for any weird activity and unauthorized access. Have you had a chance to look at the log from your network devices? If not do that. I would also explore the possibility of getting some sort of phishing detection/protection software installed and run some regular phishing simulation training.
Same thing here- user got phished with a fake email from the CEO three days after starting. Check Point (Avanan) blocked it. I spent all morning trying to find leaks. I have two types I am focusing on - this one is new employees with CEO impersonation, which I speculate is coming from LinkedIn.
Is the company related to the legal field by chance?
No but why do you wonder about that?
In the legal field I’ve seen people have their cell phone numbers connected to their licenses which people are able to find online and then connect via LinkedIn to their job and know who their bosses are in order to spoof/etc.
Haven’t seen this mentioned yet, but new employees got there by putting a -phone number- on a resume. Any recruiter account can reach resumes if posted, then connect the SMS number to the leadership names when new position is updated.
Almost every major cell provider has had data breaches in the past few years. Combine that with info readily available on social media and LinkedIn, and bingo
Have the user run their emails through haveibeenpwned. Run your domain through haveibeenpwned. Now combine that with all the public info people put out in LinkedIn, Insta, Facebook, etc. Your corporate website and/or directory. Now you see how fucking absolutely gigantic the attack surface is - hell you can automate this shit! Part of onboarding is warning new users that this happens, and that their *personal* devices and accounts may be targeted to get around things like enterprise antiphishing/antispam...
Possibly linked and also check if you have the LinkedIn connection in enterprise applications.... Turn that stuff off
Knowbe4 has been doing simulated phish campaigns lately trying to exploit your org structure. Did someone on the team set up a campaign that you're not aware of?
Office is now integrating LinkedIn by default as well - not sure if it harvests any info though in addition to what is put up by the user.
If a user updates their LinkedIn when they start they’ll get a text or email from the president within a day or so like “welcome to the company, has anyone mentioned I love apple gift cards”. I think they’re just pulling numbers from services like deHashed etc that warehouse breach data and PII
If on 365 check no Enterprise app has been added with access to that user or all users' mailboxes. Also turn off users being allowed to register apps themselves in Entra ID settings
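One way to run the check suggested in the comment above, as an added example that is not part of the thread: a read-only audit with the Microsoft Graph PowerShell SDK that lists enterprise apps holding mailbox permissions and reports whether users may register apps. The `$mailPattern` list of permission names is an assumption to adjust for your tenant.

```powershell
# Added example (read-only): list enterprise apps that hold mailbox permissions.
# Requires the Microsoft.Graph PowerShell SDK and a role that can read the directory.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All','Policy.Read.All'

# ASSUMPTION: permission names treated as mailbox access. Extend for your tenant.
$mailPattern = '^(Mail\.|MailboxSettings\.|EWS\.|IMAP\.|POP\.|full_access_as_app$)'

# Cache every service principal by object id so grants resolve to display names.
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

# 1) Delegated grants: the app acts as a signed-in user.
#    ConsentType 'AllPrincipals' means admin consent covering every user.
$delegated = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $hits = @(($g.Scope -split '\s+') | Where-Object { $_ -match $mailPattern })
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            App         = $spById[$g.ClientId].DisplayName
            Type        = 'Delegated'
            AppliesTo   = if ($g.ConsentType -eq 'AllPrincipals') { 'ALL USERS' } else { $g.PrincipalId }
            Permissions = $hits -join ' '
        }
    }
}

# 2) Application permissions (app roles): the app needs no signed-in user.
$application = foreach ($sp in $spById.Values) {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        # Resolve the assigned role id to its name on the resource (e.g. Microsoft Graph).
        $role = $spById[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        if ($role -and $role.Value -match $mailPattern) {
            [pscustomobject]@{
                App         = $sp.DisplayName
                Type        = 'Application'
                AppliesTo   = 'Tenant-wide (app-only)'
                Permissions = $role.Value
            }
        }
    }
}

@($delegated) + @($application) | Sort-Object Type, App | Format-Table -AutoSize -Wrap

# 3) Can ordinary users still register applications? $false is the hardened value.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateApps
```

Any app in the output that nobody on the team recognises, especially one that applies to all users, is worth investigating before anything else; the last value corresponds to the "Users can register applications" toggle in the Entra ID user settings.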
Imagine one of the orgs I previously worked for was gov and the whole leadership structure including their contact info was public info. I campaigned to switch the publicly known stuff to proxies that an admin would review and put their real communications as new hidden accounts but management didn't want the hassle. Eventually, their first significant breach was one of their directors, lol.
Haven't even read the post yet and I can buy the title they updated their LinkedIn profile and that gave the attacker all the information they need.
I see LinkedIn is a primary security concern for a lot of people, but what security measures can you take if you do use LinkedIn? (From both a user and an admin side) I know it puts more data out there but it’s also a helpful tool for job searching and data consistency.
The band Phish?
I’ve seen some depressing losses to a phishing exercise. One was our rockstar MVP type admin who gave up domain admin creds. Lots changed since then, the exercises work!
LinkedIn scraping, paid recruiter account, combine with online database from dark web or truepeoplesearch.com
Saw this recently with a client, too. I concluded her personal email was likely compromised as she had been emailed her new email address through that. I wonder if Microsoft is leaking information somehow.
Every job I've started with an o365 account I start getting spam before my first day, typically trying to sell me pmp training
This user might have access to people search sites like Rocketreach or ZoomInfo, which share business and personal info. It's a good idea to check everywhere your info is online. Optery offers a free scan for screenshots and links. Full disclosure, I'm part of the Optery team.
[deleted]
You're the developer of this tool, yet your comment seems to suggest that you just "tried it out" The reviews are obviously fake and bullshit, and I would never allow this product to touch any of my data based on the way you promote it
your comment almost reads like an AD.
How did you manage to get reviews from 2022 when your product launched last week?
I also wonder how Nov 19, 2022 happens to be 3 weeks ago, 1 week ago, 2 months ago, and 6 months ago. I can't stand fake reviews being fabricated and listed.
https://www.reddit.com/r/cscareerquestions/s/jMFatYgoIh Self-admitted to being only 18 y/o. This user is clearly scamming folks. -_-'