LinkedIn A.I CyberSecurity Scoring
LinkedIn
Company Information
Website: https://careers.linkedin.com
Number of employees: 23,908
Number of followers: 33,387,235
NAICS: 5112
Industry Type: Software Development
Homepage: linkedin.com
LinkedIn Risk Score (AI oriented)
Between 750 and 799
LinkedIn • Software Development
Updated: 07/06/2026
795/1000
Fair
Baa
LinkedIn Global Score (TPRM)
xxxx
LinkedIn • Software Development
Score locked

LinkedIn: Fair
Current Score
795 Baa (FAIR)
Scale: 0-1000
8 incidents
-10.25 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
797
Vulnerability
07 Jun 2026 • LinkedIn
LinkedIn: Cybersecurity vs Cyberattack | Cyber Security News ®
LinkedIn Cookie-Based Vulnerability Exploitation
795
CRITICAL-2
LIN1780863827
LinkedIn Confirms Cookie-Based Vulnerability Exploitation in Recent Security Incident
LinkedIn recently disclosed a security incident involving the exploitation of a vulnerability tied to its cookie-based authentication system. The flaw, which could allow unauthorized access to user accounts, was leveraged by threat actors to bypass security measures and gain entry to sensitive data.
The attack targeted both essential and non-essential cookies used by LinkedIn for service functionality, security, and personalized advertising. While the platform has not disclosed specific details on the number of affected users or the exact timeline, the incident underscores the risks associated with session management vulnerabilities in widely used authentication mechanisms.
LinkedIn has since addressed the issue, reinforcing its security protocols and urging users to review their account activity. The company’s response highlights the ongoing challenges in balancing user experience, analytics, and robust cybersecurity defenses, particularly as attackers increasingly target authentication loopholes in high-profile platforms. The incident serves as a reminder of the persistent threats posed by cookie-based exploits in enterprise and social media environments.
JUNE 2026
799
Vulnerability
04 Jun 2026 • LinkedIn
Microsoft and LinkedIn: Cyber Security News ®’s Post
Microsoft 365 Android Apps Exposed Billions to Silent Account Takeover via 'FlagLeft' Vulnerability
797
CRITICAL-2
LINMIC1780539842
Microsoft 365 Android Apps Exposed Billions to Silent Account Takeover via "FlagLeft" Vulnerability
A critical vulnerability in Microsoft’s Android apps dubbed FlagLeft exposed billions of users to silent account takeovers by granting unauthorized access to Microsoft account tokens. The flaw, discovered in production code, stemmed from a single overlooked debug flag (`setIsDebugMode(true)`) left active in six major Microsoft 365 apps, including LinkedIn.
The issue allowed any third-party app on the same Android device to request and receive valid Microsoft account tokens without user interaction, login prompts, or notifications. No consent or additional permissions were required, making the attack undetectable to end users.
The vulnerability affected a vast user base, as the impacted apps collectively serve billions of Android devices. Microsoft has since addressed the flaw, but the incident underscores the risks of overlooked debug configurations in production environments. The root cause, a simple yet consequential oversight, highlights the importance of rigorous code review in security-critical applications.
MAY 2026
798
APRIL 2026
797
MARCH 2026
825
Breach
11 Mar 2026 • LinkedIn
LinkedIn: Join LinkedIn now — it’s free!
LinkedIn Data Scraping Incident Exposing User Information
796
CRITICAL-29
LIN1773246240
LinkedIn Faces Data Scraping Incident Exposing User Information
A recent data scraping incident has exposed publicly available LinkedIn user profiles, raising concerns over privacy and unauthorized data collection. The breach, detected in early 2024, involved third-party actors extracting profile information including names, job titles, workplace details, and contact data from millions of accounts.
The incident highlights the risks of large-scale data scraping, where automated tools harvest publicly accessible information without direct platform compromise. While LinkedIn’s systems were not breached, the extracted data could be used for phishing, social engineering, or targeted advertising. The company has acknowledged the activity but emphasized that no private or sensitive data (such as passwords or financial information) was accessed.
This event follows similar scraping incidents in recent years, underscoring the challenges platforms face in balancing open access with user privacy. LinkedIn has implemented measures to detect and mitigate scraping attempts, though the long-term effectiveness of such protections remains under scrutiny. The exposed data’s potential misuse continues to pose risks for individuals and organizations.
FEBRUARY 2026
825
JANUARY 2026
825
DECEMBER 2025
832
Cyber Attack
29 Dec 2025 • LinkedIn
LinkedIn and AWS: FIN6 exploits HR workflows to breach corporate defenses
FIN6 Skeleton Spider Campaign Targeting HR Professionals via Fake Job Applications
824
LOW-8
LINAWS1766995316
FIN6 Exploits Cloud Infrastructure in Sophisticated HR-Targeted Phishing Campaign
The financially motivated cybercrime group FIN6 (also known as Skeleton Spider) is leveraging fake job applications and trusted cloud services to target human resources (HR) professionals in a highly evasive social engineering campaign. Researchers at DomainTools uncovered the operation, which combines professional networking platforms like LinkedIn and Indeed with malware-hosted cloud infrastructure to bypass traditional security defenses.
### How the Attack Works
1. Initial Contact – Attackers pose as job seekers on professional platforms, engaging recruiters to build rapport before sending phishing emails with malicious links.
2. Fake Resume Sites – Domains mimicking real applicant names (e.g., bobbyweisman[.]com, ryanberardi[.]com) are registered via GoDaddy’s anonymous services and hosted on AWS EC2 or S3, blending into legitimate cloud traffic.
3. Sophisticated Evasion – The sites employ traffic filtering to distinguish targets from security researchers, checking IP reputation, geolocation, OS, and browser fingerprints. Only residential Windows users bypass CAPTCHA walls to receive malicious ZIP files containing the More_eggs backdoor.
4. Malware Deployment – More_eggs, a modular JavaScript backdoor, operates in memory to evade detection, enabling credential theft, command execution, and follow-on attacks, including ransomware deployment.
### Why HR is a Prime Target
HR teams frequently interact with external contacts and handle unsolicited communications, making them vulnerable to social engineering. The campaign exploits this trust, using realistic job lures to bypass email filters and endpoint security. FIN6’s shift from point-of-sale (POS) breaches to enterprise ransomware underscores its evolution toward higher-value targets.
### Cloud Abuse & Detection Challenges
Attackers favor AWS and other cloud platforms due to:
- Low-cost setup (free-tier abuse or compromised billing accounts).
- Trusted IP ranges that evade enterprise network filters.
- Scalability for hosting malicious infrastructure.
The campaign highlights gaps in perimeter-based security, as traditional defenses struggle to detect threats embedded in legitimate cloud services. Security teams are advised to monitor for unusual traffic patterns and suspicious file types linked to cloud-hosted malware.
### AWS Response & Broader Implications
An AWS spokesperson stated the company enforces terms prohibiting illegal use and acts swiftly on abuse reports. However, the incident raises questions about balancing cloud accessibility with security controls, particularly as threat actors increasingly exploit trusted infrastructure.
FIN6’s operation demonstrates how low-complexity phishing, when paired with cloud evasion techniques, can outmaneuver even advanced detection tools—reinforcing the need for holistic security strategies that address both technical and human vulnerabilities.
NOVEMBER 2025
833
OCTOBER 2025
833
SEPTEMBER 2025
832
AUGUST 2025
832
JULY 2025
832
JUNE 2025
832
Vulnerability
04 Jun 2025 • LinkedIn
VMware
Multiple Cross-Site Scripting (XSS) Vulnerabilities in VMware NSX
830
MEDIUM-2
133614060625
Multiple Cross-Site Scripting (XSS) vulnerabilities in the VMware NSX network virtualization platform could allow malicious actors to inject and execute harmful code. The security bulletin published on June 4, 2025, details three distinct vulnerabilities affecting VMware NSX Manager UI, gateway firewall, and router port components, with CVSS base scores ranging from 5.9 to 7.5. The vulnerabilities include a stored XSS flaw in NSX Manager UI, a stored XSS in gateway firewall response pages, and a stored XSS in router port configurations. VMware has released patches addressing all three vulnerabilities across affected product lines, emphasizing the need for immediate updates to mitigate the risk of privilege escalation and persistent XSS attacks.
DECEMBER 2016
801
Breach
01 Dec 2016 • LinkedIn
LinkedIn
Lynda.com Security Breach
770
CRITICAL-31
LIN1136181123
Lynda.com, now LinkedIn Learning, was informing its consumers of a security breach.
The firm claims that an unauthorised third party gained access to a database that contained user data.
The company began informing its clientele that hackers had gained access to learning data, including attempted courses and contact information.
The company's owner, LinkedIn, verified the issue and disclosed that, as a precaution, the passwords of 55,000 users had been reset. It is possible that 9.5 million users were affected in total.
LinkedIn disclosed further steps to safeguard user accounts on Lynda.com in reaction to the data leak.
JUNE 2016
829
Breach
16 Jun 2016 • LinkedIn
LinkedIn
LinkedIn Data Breach
796
CRITICAL-33
LIN12220522
LinkedIn suffered a data breach incident in 2016 which exposed the email addresses and passwords of 117 million users.
Hackers broke into the network, stole a database of password hashes, and posted some 6.5 million account credentials on a Russian password forum for the world to see.
LinkedIn’s Chief Information Security Officer Cory Scott took the safety and security of members’ accounts seriously and offered protection tools such as email challenges and dual factor authentication.
JUNE 2012
839
Breach
16 Jun 2012 • LinkedIn
LinkedIn Corporation
LinkedIn Data Breach (2016)
809
CRITICAL-30
LIN026090625
The California Office of the Attorney General disclosed a data breach affecting LinkedIn Corporation in June 2016, stemming from an earlier 2012 incident that was rediscovered. The breach exposed 117 million user accounts, compromising email addresses, hashed passwords, and LinkedIn member IDs. Although passwords were invalidated for accounts created before 2012 as a mitigating measure, the incident highlighted significant vulnerabilities in LinkedIn’s historical security practices. The exposed data, while hashed, posed risks of credential stuffing, phishing, and unauthorized account access if the hashes were cracked. The breach did not involve financial or highly sensitive personal data (e.g., Social Security numbers), but the scale of exposed credentials, one of the largest at the time, undermined user trust and required widespread password resets. LinkedIn faced reputational damage and regulatory scrutiny, though no direct financial fraud or identity theft was reported as a direct consequence of this specific breach.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for LinkedIn?
What was LinkedIn's A.I Rankiteo Cyber Score in May 2026?
What was LinkedIn's A.I Rankiteo Cyber Score in April 2026?
What was LinkedIn's A.I Rankiteo Cyber Score in March 2026?
What was LinkedIn's A.I Rankiteo Cyber Score in February 2026?
What was LinkedIn's A.I Rankiteo Cyber Score in January 2026?
What was LinkedIn's A.I Rankiteo Cyber Score in December 2025?
What was LinkedIn's A.I Rankiteo Cyber Score in November 2025?
What was LinkedIn's A.I Rankiteo Cyber Score in October 2025?
What was LinkedIn's A.I Rankiteo Cyber Score in September 2025?
What was LinkedIn's A.I Rankiteo Cyber Score in August 2025?
What was LinkedIn's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on LinkedIn's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with LinkedIn?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view LinkedIn's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?