Suvin Nimnaka


Don't become a victim of PII Harvesting

Disclaimer:
This post is for educational and security awareness purposes only. The techniques described were performed as a proof-of-concept to demonstrate vulnerabilities in how personal information is shared on social media platforms. No data was collected, stored, or misused in any way. The goal is to help job seekers protect their personal information online. Please do not use these techniques for malicious purposes or to harvest data without consent. Unauthorized data collection may violate platform terms of service and applicable privacy laws.


I was scrolling through LinkedIn earlier today when I came across a job posting that looked completely legitimate at first glance.

Backend Developer position. Remote work. Open to freshers.

[Image: Suspicious LinkedIn post]

Then I saw this line:

"Comment your #email_ID and we'll send the assignment link within 24 hours."

The post already had 35+ comments. People were dropping their personal email addresses in plain view.

The red flags

I clicked on the poster's profile to learn more about the company and the recruiter's background.

Their About section was blank. No company listed. Their post history showed random photos of "onboarding kits" from various tech companies, but nothing connecting them to an actual organization.

[Image: Empty About page]

Meanwhile, real people were publicly exposing their contact information.

Maybe it was a legitimate post. Maybe it wasn't. I had no solid proof either way. But something felt off. Empty profile, no company affiliation, dozens of people publicly exposing their emails in the comments.

That's when a different question hit me. Even if this poster had good intentions, how easy would it be for someone else to harvest all these publicly visible emails?

I decided to find out.

Let's write some code

I wanted to understand the technical barrier to exploiting this kind of post. Turns out, it's almost non-existent.

I opened ChatGPT and typed: "Write a Chrome extension that extracts email addresses from LinkedIn post comments."

One minute later, I had working code.

I didn't need to understand the LinkedIn DOM structure. I didn't need to write regex patterns for email validation. I didn't need to figure out Chrome extension manifests. The AI handled all of it.

Copy, paste, load unpacked extension in Chrome. Done.

[Image: Email extractor extension]

I clicked on the malicious job post, opened the extension, hit "Extract." Within seconds, I had a clean list of 9 email addresses that people had publicly commented.

[Image: Extracted emails]

No LinkedIn API access needed. No authentication bypass. No rate limiting to circumvent. No technical expertise required.

The entire process, from idea to harvested emails, took under 3 minutes. With a little more time playing with the prompt, I would've gotten every single email extracted from the post.

Now imagine this: multiple posts, multiple sock-puppet accounts, automated monitoring with Puppeteer or Selenium running on a cheap VPS. You're looking at thousands of emails harvested daily with basically zero effort or infrastructure cost.

The scary part? I'm not even a security researcher. I'm just someone who knows how to use ChatGPT. And if I can do this in 3 minutes, imagine what someone with actual malicious intent can do.

What happens after emails are harvested

Let me be very clear here. I collected nothing beyond the proof of concept. But bad actors absolutely do, and the downstream attacks are more sophisticated than most people realize. I'll explain a couple of them.

Context-aware spear phishing

When an attacker knows you commented on a backend developer posting, they can craft targeted messages:

"Thanks for your interest in the Senior Backend Engineer role. We've reviewed your background and would like to move forward. Please access the technical assessment here: [malicious link]"

This isn't generic spam. It references your actual behavior and interests. The click-through rate on context-aware phishing is 5-10x higher than traditional campaigns.

Malicious payload delivery

That "assignment link" the recruiter promises to send could resolve to many things:

  • Phishing pages that clone Google Docs or GitHub's login interface
  • ZIP archives containing RATs (Remote Access Trojans)
  • Fake repositories with malicious dependencies buried in package.json or requirements.txt

Developers are especially vulnerable because our workflow involves downloading and executing code regularly. We're trained to git clone and npm install without suspicion.
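One pre-install check a developer can run on an "assignment" repository before `npm install` or `pip install`, as an added example that is not code from the original post: it lists the npm lifecycle scripts that execute during install and the dependency entries in package.json or requirements.txt that pull from somewhere other than the public registry. The two manifests are constructed samples; `someuser`, `utils-helper`, `helperlib` and `example.invalid` are placeholders.

```python
import json
import re

# npm runs these hooks automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Specs resolving outside the public npm registry: git/http(s)/file URLs, GitHub "user/repo#ref".
NON_REGISTRY_SPEC = re.compile(r"^(git(\+\w+)?:|https?:|file:|github:|[\w-]+/[\w.-]+(#|$))")
# pip lines that change where packages come from or run setup code from a local path.
PIP_RISKY_LINE = re.compile(
    r"^(-e\s|--editable\s|--index-url|--extra-index-url|-i\s|--find-links|-f\s|"
    r"-r\s|--requirement\s|git\+|https?://)|@\s*(git\+|https?://)"
)

def audit_package_json(text: str) -> list[str]:
    """Return findings for an npm manifest: install hooks and non-registry deps."""
    findings = []
    manifest = json.loads(text)
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in NPM_LIFECYCLE_HOOKS:
            findings.append(f"package.json: '{hook}' script runs during install: {cmd}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append(f"package.json: {section}.{name} is not a registry version: {spec}")
    return findings

def audit_requirements(text: str) -> list[str]:
    """Return findings for a pip requirements file, one per risky line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line and PIP_RISKY_LINE.search(line):
            findings.append(f"requirements.txt:{lineno}: non-registry source or local install: {line}")
    return findings

# Constructed sample manifests; package names and hosts are placeholders.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "backend-assignment",
    "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"},
    "dependencies": {"express": "^4.18.2", "utils-helper": "github:someuser/utils-helper#main"},
})
SAMPLE_REQUIREMENTS = (
    "flask==3.0.0\nrequests==2.31.0\n"
    "-e .\n"  # builds the local package, i.e. runs its setup code
    "helperlib @ git+https://example.invalid/helperlib.git\n"
)

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON) + audit_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

A clean result is not proof of safety (the dependencies themselves can still be malicious), but a non-empty one is a reason to read the code before installing anything.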

Long-term dataset enrichment

Harvested emails get added to larger databases for future use. Your email from this LinkedIn comment can be correlated with information from many different sources, such as:

  • Your GitHub activity (public repos, commit patterns, starred projects)
  • Breach databases from previous incidents (haveibeenpwned, leaked credentials)
  • OSINT from Twitter, personal blogs, conference talks
  • Account enumeration across AWS, Azure, Digital Ocean

This creates a persistent digital footprint. Attackers can revisit this data months or years later, long after you've forgotten about that one LinkedIn comment.

Automated account enumeration

Once they have your email, attackers run automated checks to see where else you have accounts. Tools like holehe or custom scripts can enumerate which cloud providers you use (AWS, GCP, Azure), your presence on GitHub, GitLab, Bitbucket, and developer tool accounts like npm, PyPI, or Docker Hub. Each confirmed account becomes another potential attack surface.

Why does this work so well for the attackers?

This works so well because LinkedIn's "professional environment" creates a false sense of security where people assume bad actors wouldn't operate where identities are theoretically verifiable. Job seekers, especially early-career developers, are economically vulnerable and when opportunity appears, critical evaluation goes out the window. The technical barrier for pulling off something like this is now close to zero. You don't need programming expertise anymore when you can ask an LLM to generate the code in 30 seconds. And it scales exponentially. One post harvests dozens of emails, ten posts hundreds, automated monitoring across multiple sock-puppet accounts captures thousands daily.

So, how to protect yourself from being a victim?

  1. Never post personal information publicly

Use LinkedIn's DM feature. Real recruiters understand this. If someone insists on public email drops, disengage immediately.

  2. Validate the poster thoroughly

Before engaging with a recruitment post,

  • Verify company affiliation (check if the domain exists and has a careers page)
  • Look for consistent employment history
  • Check if actual employees from that company interact with the post
  • Search the company's official job board

Empty profiles + urgency = big red flags.

  3. Use platform-provided channels

Most of the time, legitimate companies have:

  • Branded career portals with proper TLS certificates (served over HTTPS)
  • Corporate email domains (not free providers like Gmail)
  • Application tracking systems (Greenhouse, Lever, Workday or LinkedIn Quick Apply)

If they're running hiring through comment sections, they're either fake or incompetent. Neither is worth your time.

  4. Compartmentalize your identity

Use dedicated email addresses for job applications. Services like SimpleLogin or AnonAddy let you create unique aliases per application. If one gets compromised, you know exactly where the leak happened, and you can kill that alias without affecting your main inbox.

Think of it as the principle of least privilege, applied to your digital identity.
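One way to make "a unique alias per application" self-describing, as an added example (not code from the post, nor from SimpleLogin or AnonAddy): the alias embeds the application label plus an HMAC tag, so mail arriving at an alias tells you which application leaked it, and guessed or tampered aliases are rejected without keeping a lookup table. `aliases.example` and the key are assumed placeholders.

```python
import hashlib
import hmac
import re
from typing import Optional

ALIAS_DOMAIN = "aliases.example"  # assumed: a domain you control or your alias service's domain
SECRET_KEY = b"constructed-sample-key-rotate-me"  # keep the real one in a password manager
LABEL_RE = r"[a-z0-9-]{1,40}"

def _tag(label: str) -> str:
    """8 hex chars (32 bits) of HMAC-SHA256 over the label: binds the label to your key."""
    return hmac.new(SECRET_KEY, label.encode(), hashlib.sha256).hexdigest()[:8]

def make_alias(label: str) -> str:
    """Derive the alias to hand one employer, e.g. jobs.acme-backend.<tag>@aliases.example."""
    label = label.lower()
    if not re.fullmatch(LABEL_RE, label):
        raise ValueError("label must be 1-40 chars of [a-z0-9-]")
    return f"jobs.{label}.{_tag(label)}@{ALIAS_DOMAIN}"

def identify_leak(address: str, revoked: frozenset = frozenset()) -> Optional[str]:
    """Map an inbound recipient address back to the application it was issued for.

    Returns None when the address does not follow the scheme, when its tag does not
    verify (a guessed or altered label) or when that alias has been revoked.
    """
    m = re.fullmatch(rf"jobs\.({LABEL_RE})\.([0-9a-f]{{8}})@{re.escape(ALIAS_DOMAIN)}", address.lower())
    if not m:
        return None
    label, tag = m.groups()
    if not hmac.compare_digest(tag, _tag(label)) or label in revoked:
        return None
    return label

if __name__ == "__main__":
    alias = make_alias("acme-backend")  # paste this into the application, nothing else
    print(alias, "->", identify_leak(alias))  # mail to it names the application that leaked it
    print(identify_leak(alias, revoked=frozenset({"acme-backend"})))  # None once you kill the alias
```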

Bottom line

Look, I get it. We all want jobs. But posting your email in a public LinkedIn comment is like pulling down your pants in a crowded mall and yelling "I'm here for the interview!" Sure, maybe a recruiter sees you. But so does everyone else, including the guy in the corner taking notes for all the wrong reasons.

This isn't about paranoia. LinkedIn remains valuable for networking and career growth. But recognize that modern social engineering doesn't require technical sophistication. Attackers don't just exploit software vulnerabilities; they exploit human psychology in professional contexts.

Your email is PII. It can be a primary key in multiple databases. It's the recovery mechanism for most of your accounts. Treat it with the same caution you'd treat your home address or SSN.

Next time you see "Drop your email in the comments," pause and evaluate. Is this legitimate, or is someone harvesting data?

Your inbox security depends on that split-second decision. Stay skeptical. Verify everything. And keep your PII out of public spaces as much as you can.
