LinkedIn Data Breach — Exercise Your GDPR Rights

LinkedIn has suffered multiple large-scale data incidents. The 2021 scraping breach exposed the data of approximately 700 million users — around 92% of LinkedIn's total user base at the time.

⚖️ Regulatory action: LinkedIn was fined €310 million by the Irish DPC in 2024 for unlawful processing of personal data for behavioural advertising.

What happened

2021: 700 million users affected

Data scraped from LinkedIn profiles was published on a hacker forum, including names, email addresses, phone numbers, workplace information, and inferred salaries.

Data exposed:
  • Full names
  • Email addresses
  • Phone numbers
  • Workplace and job title
  • LinkedIn profile URLs
  • Inferred salaries
  • Location data

2016: 117 million accounts affected

A 2012 breach — in which 117 million email and password combinations were stolen — was fully disclosed only in 2016 when the data appeared for sale online.

Data exposed:
  • Email addresses
  • Hashed passwords

What you can do

LinkedIn holds extensive professional and personal data. A GDPR access request reveals your full data profile, including inferred attributes, ad targeting categories, and any data shared with third parties.

You have two key rights under GDPR:

Generate your access request

This letter is pre-addressed to LinkedIn Ireland Unlimited Company, the official EU data controller for LinkedIn.

To: LinkedIn Ireland Unlimited Company
Wilton Place, Dublin 2, Ireland

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,

1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.
