Following its comments on Thursday concerning a Facebook data leak, Luxembourg's National Commission for Data Protection (Commission Nationale pour la Protection des Données – CNPD) has issued an additional statement over claims that data from millions of LinkedIn users has been scraped and is now for sale online.

The CNPD confirmed that it had been informed by its Irish counterpart, the Data Protection Commission (DPC), of an exchange between the latter and LinkedIn on Thursday concerning press articles indicating that user data from 500 million accounts has been listed for sale online. 

The CNPD has now asked its Irish counterpart to confirm the number of Luxembourg accounts affected by this incident.

The DPC confirmed that LinkedIn has started its analyses on the basis of a subset of data concerning two million accounts and currently estimates that the data has been downloaded via a technique called “scraping”. This is a technique in which a computer impersonates a legitimate user of an online service and automatically consults a very large amount of information in order to copy it.

At the current stage of the analysis, it is estimated that the data concerned by this leak is data that was “publicly available” on the network, combined where appropriate with data from other leaks. LinkedIn has suggested that the phone numbers included in the dataset came from an external source.

While waiting to learn whether LinkedIn will inform the users concerned individually, the Irish authority has demanded that it set up a public point of contact for all users' questions and complaints. This contact point can be reached via email: More details have been requested from LinkedIn and are expected later today by the Irish authority, which will then share them with its counterparts.

Given the large number of accounts impacted, and while awaiting more precise information concerning Luxembourg users, the CNPD has reiterated the recommendations it issued yesterday in the context of the Facebook leak, namely:

  • assume that your account is more likely to be affected than not;
  • check as far as possible what potentially sensitive or intimate information about you is / was publicly accessible, both now and back in 2018;
  • be particularly aware of potential phishing attacks where someone refers to this information to ask you for more information, particularly passwords, mobile phone numbers and email addresses;
  • do not follow an external link to log into your Facebook account;
  • do not hesitate to contact the LinkedIn service directly as soon as you suspect questionable activity on your account;
  • in general, do not use a password for your Facebook account that you also use for other services, particularly for your email account.