Source: HackerOne report #3604288, "Access to Deactivated LinkedIn Company Pages via Competitor Analytics API"

Let me tell you a little story.

A few weeks ago, someone on HackerOne (LinkedIn's bug bounty platform) found something… interesting.

They discovered that if you had access to LinkedIn's Competitor Analytics API (which is meant for legitimate business users to spy on their rivals, in a legal way of course), you could actually pull analytics data from company pages that were already dead and buried.

That's right.

Deactivated. Gone. No longer existent. RIP pages.

But the API didn't care. It kept serving their secrets.

🤔 Wait, what's the big deal?

Imagine you shut down your company's LinkedIn page. You hit delete. You move on.

But a competitor (or just a curious rando with an API key) could still access:

  • Engagement metrics (likes, comments, shares)
  • Follower growth history
  • Post performance data
  • Maybe even aggregated member interaction info

It's like someone keeping a diary of your old house after you've moved out, and leaving the key under the mat for anyone with a badge.

πŸ” The technical mumbo-jumbo (made simple)

This is a classic IDOR vulnerability.

That stands for Insecure Direct Object Reference, which is fancy talk for:

"The API uses a direct ID to fetch data, but forgets to check if the user is still allowed to see it."

In this case:

  1. You call the API with a company_id parameter.
  2. The API checks: "Does this company exist?" ✅
  3. But it doesn't check: "Is this company still active?" ❌

So a deactivated page with ID 67890 still responds like a zombie.

📅 Timeline (short & sweet)

  • March 14, 2026: Vulnerability reported to LinkedIn via HackerOne
  • March 24, 2026: Public disclosure (after fix)
  • Status: Resolved; LinkedIn patched it

No CVE ID yet, and no word on bounty amount. But respect to the hunter who found it.

🧠 Why this matters (even if it's "just Medium" risk)

LinkedIn classified this as Medium severity (5.3). Here's why it's still a problem:

  • Data leakage: Historical analytics of dead companies can reveal strategy, growth, or failure patterns
  • Privacy violation: Member interactions (comments, reactions) may still be accessible
  • Unfair advantage: Competitors can mine data from pages that should be off-limits
  • Compliance headaches: GDPR and other privacy laws don't like "oops, we let anyone see that"

So yeah: not critical, but definitely not cool.

πŸ›‘οΈ What LinkedIn should have done (and probably does now)

```javascript
// Before (vulnerable): existence is the only check, so a deactivated
// page still gets its analytics served
function getCompanyAnalyticsBefore(companyId) {
  if (companyExists(companyId)) {
    return getAnalytics(companyId);
  }
}

// After (fixed): the page must exist AND still be active
function getCompanyAnalyticsAfter(companyId) {
  if (companyExists(companyId) && companyIsActive(companyId)) {
    return getAnalytics(companyId);
  }
  throw new Error("Page not available");
}
```

Also: validate user permissions even after the object exists. And check status flags. And maybe don't serve dead people's mail.

😬 But wait, LinkedIn has other privacy issues too

This isn't LinkedIn's only oopsie.

Around the same time, there were reports that LinkedIn was scanning browser extensions without clear permission, looking for job-search tools, competitor trackers, even extensions that might reveal religion or health conditions. (Source: Hotdry Blog / The Coli forums)

So this API bug is part of a larger pattern:

LinkedIn collects a lot. And sometimes protects it… poorly.

🧾 What you can do (as a user or dev)

If you're a LinkedIn user:

  • You can adjust your data export preferences (though that won't stop API bugs like this)
  • Be aware that even deactivated pages might have leaked data historically

If you're a developer (any API, not just LinkedIn):

  • Always validate object status, not just existence
  • Use indirect references if possible (don't expose raw DB IDs)
  • Test edge cases: deleted, suspended, expired, deactivated
  • Assume someone will try to request company_id=999999 just for fun
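Putting the before/after snippet and the checklist above together, here is an added example (my code, not LinkedIn's and not from the HackerOne report) of a lookup that checks caller entitlement, existence and lifecycle status, and treats deleted, suspended and deactivated pages exactly like IDs that never existed. The company records, the API key and its grants are constructed sample data.

```javascript
// Added example (not LinkedIn's code): a competitor-analytics lookup that
// checks entitlement, existence and lifecycle status before serving data.
// COMPANIES and GRANTS are constructed sample data for the demonstration.
const COMPANIES = new Map([
  [12345, { status: "active", analytics: { followers: 4200, posts: 18 } }],
  [67890, { status: "deactivated", analytics: { followers: 900, posts: 7 } }],
  [24680, { status: "suspended", analytics: { followers: 150, posts: 2 } }],
]);

// Company IDs each API key is entitled to query (its competitor set).
const GRANTS = new Map([["key-acme", new Set([12345, 67890])]]);

// Only "active" is servable; deleted, suspended, expired and deactivated
// pages all collapse into the same "not available" outcome.
const SERVABLE = new Set(["active"]);

class NotAvailableError extends Error {}

// The shape from the report, kept for contrast: existence is the only check,
// so a deactivated page (67890) still answers like a zombie.
function vulnerableLookup(companyId) {
  const company = COMPANIES.get(companyId);
  return company ? company.analytics : null;
}

// Fixed shape: entitlement first, then existence AND status. Every refusal
// uses the same error, so a caller cannot tell "never existed" from "deactivated".
function getCompetitorAnalytics(apiKey, companyId) {
  const allowed = GRANTS.get(apiKey);
  if (!allowed || !allowed.has(companyId)) {
    throw new NotAvailableError("Page not available");
  }
  const company = COMPANIES.get(companyId);
  if (!company || !SERVABLE.has(company.status)) {
    throw new NotAvailableError("Page not available");
  }
  return company.analytics;
}

// Convenience wrapper returning a result object instead of throwing.
function lookup(apiKey, companyId) {
  try {
    return { ok: true, data: getCompetitorAnalytics(apiKey, companyId) };
  } catch (e) {
    if (e instanceof NotAvailableError) return { ok: false, reason: e.message };
    throw e;
  }
}
```

Run the same edge cases the checklist names (deactivated, suspended, nonexistent, unentitled key) against both functions: only the vulnerable one hands back data for page 67890.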

🎬 Final thoughts

This bug was fixed. LinkedIn responded responsibly through HackerOne.

But it's a great reminder that:

APIs are like unlocked doors. You can have the best lobby security in the world, but if you forget to check if the room still exists… people will walk right in.

So next time you build an endpoint that fetches data by ID, ask yourself:

"What happens if this resource is dead, but someone still has the key?"

🔗 Source & credit

Full disclosure and technical details:

👉 HackerOne Report #3604288: Access to Deactivated LinkedIn Company Pages via Competitor Analytics API

Thanks to the anonymous security researcher who reported this. And to LinkedIn for fixing it (even if it took a nudge).

Like this write-up? Clap 👏, share 🔁, and follow for more API security stories told without the jargon.

- Your friendly neighborhood bug hunter 🐞