LinkedIn Customers Allege Company Hacked E-Mail Addresses
bloomberg.com
Here's how they do it. Various times LinkedIn provides me with a form to "import" my contacts from my gmail account.
This dialog looks very similar to the login form to the site. If you use the same password for both sites (I don't), you might be thinking that you're logging in, when in fact you're bringing in everyone in your address book. Not sure if they then automatically spam everyone on your list or not.
LinkedIn clearly has crossed over to the dark side since they went public. They keep reducing their free services and pushing harder and harder to try to get you to sign up for "premium" accounts. It's time for an alternative.
Alternative because the company is trying to make money? Sounds good until the (so-called) other company does the same exact thing.
Also, I recently found out that the Android app from LinkedIn extracts your gmail contacts. From what I could gather, you cannot opt out. I was quite annoyed by this. I also see this as a more probable explanation for contact harvesting than hacking into email accounts.
Do you know this because installing the app requested permission? The Android security model is all or nothing, up front. If anyone ever would want the app to access their contacts, the app is required to demand that permission from every user at installation.
“LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn’s servers,” they said. “LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users’ consent.”
I am so hoping the case goes to trial so we can see the evidence of this presented.
This sounds like an outright BS claim. There are two or more scenarios that may be presented as evidence.
i. LinkedIn used the users' current passwords with their external addresses to access the external emails. (impossible)
ii. LinkedIn used some sort of OAuth/Google authentication access-to-information permission thing (can't remember the name). (highly unlikely)
In any case I think we can only be certain with the actual evidence.
The Customers filing suit should know that LinkedIn is a publicly traded company and not a scam site.
Because even these claims are outrageous if not utter BS.
> The Customers filing suit should know that LinkedIn is a publicly traded company and not a scam site.
Did you mean to say that? I know nothing about the details of this lawsuit, but I hope you realize that being a publicly traded company is no proof of being virtuous in all one's business operations!
Why is the first scenario impossible? People re-use passwords all the time.
Yeah, don't they just straight up ask for your passwords? http://i.imgur.com/ucFx7Kw.png
There's that, but what I meant was they could combine the user's LinkedIn password with their email address and most of the time that would be a valid user/pass combination due to the frequency of password reuse. It's not like LinkedIn doesn't have access to the plaintext version of the user's password. After all, the hashing isn't done on the client but on the server.
That's brazen, but if the plaintiffs complied with that prompt then they're basically telling the World that they not only violated the TOS of their e-mail provider but also their terms of employment and common sense.
Looks like implementing two-factor authentication might not only protect companies against malicious intruders but also from their own employees spilling the beans.
My guess is they used the same password for their email and LinkedIn account, so LinkedIn had the credentials for both and was able to harvest contacts. That, or during the sign up process they plugged in their email credentials without realizing LinkedIn would abuse them in this way.
Scummy in either case, even if it's technically legal.
I had the latter happen to me and so have several other people here on HN. LinkedIn ended up sending an invite to everyone I had ever emailed. It was catastrophically embarrassing and caused a lot of grief.
Not to detract from the main point of this thread (which I agree with) but do you mind sharing why you write "catastrophically" embarrassing? And caused 'a lot of grief'?
I'd never think twice about getting a linkedin invite email from anyone who for any reason has ever emailed me (ever). It's obviously automatic... I really can't think of an exception...
There are more email addresses lingering inside your email account than you probably realize. I just did a search for "LinkedIn sorry" to find all the apologies I sent out. 38 of them. All to complete and total strangers. When it first started happening I did some digging and found the connection for a lot of these people is we were on a common mailing list.
Not to mention the more obvious ones like ex-girlfriends, ex-bosses (including one I am not on good terms with), companies that I applied to and did not end up working for, etc. This is my gmail account, it has every email I've ever sent in the past 9 years. There's a lot of stuff in there.
EDIT: I don't know if LinkedIn still does this, but at the time LinkedIn would send reminder emails for any ignored invites. Which just compounded the problem.
> Your Ex has sent you an invitation to LinkedIn. Would you like to endorse their skills?
If that is the worst thing that happens to you, you should be thanking LinkedIn for teaching you a valuable lesson about typing your email password into random forms on the Internet (or sharing passwords).
Your Ex has endorsed you for "Family Planning".
Somehow I'm thinking the latter.
I'm not sure how LinkedIn does it but their "recommendations" are very spooky.
I get some really odd ones like the property manager we pay rent to. I've only ever emailed or called him.
I presume he gave LinkedIn access to his email contact list but based on the number of these creepy recommendations a lot of people I email with must do it.
Even more spooky are the recommendations to connect with people I don't know but have names that match people I do. Anyone know how they do this?
LinkedIn does that by cross referencing cookies, contact lists, email addresses. The same way Facebook does. People just used to expect more integrity from LinkedIn.
They've been doing this for a while....
Surprisingly simple math (like https://news.ycombinator.com/item?id=5854593), the data you just described, and also IP addresses. I wouldn't be surprised if they also use browsing habits (search history on LinkedIn, profiles visited on LinkedIn). So they might guess the friend's name from the data, but not know which exact profile out of several identically-named profiles represents the person you know.
Here's my 2 cents... maybe they'll settle and walk away with some cash. I too would love to see the evidence of this presented.
In today's world - individuals' data is the digital goldmine for any company.
LinkedIn is a publicly traded company (LNKD), like any publicly traded company their main goal would be profits, plus assets like customer data, etc.
This info can be seen in their financial statements: http://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CI...
Nowadays it's common practice for our digital footprints and identities to be designed/built/directed so that before we can gain access to a company's services, data or content we need to read and agree to the terms & conditions and the privacy policies, etc.
This info can be seen in LinkedIn's:
Terms and Conditions http://www.linkedin.com/legal/user-agreement?trk=hb_ft_usera...
Privacy Policy http://www.linkedin.com/legal/user-agreement?trk=hb_ft_usera...
Cookie Policy http://www.linkedin.com/legal/cookie-policy?trk=hb_ft_cookie
What, you mean I'm supposed to read those things? Yes.
Where is the phrase "identity fraud" agreed to? That is more the line that seems up for debate. Also, LinkedIn forces changes onto otherwise grandfathered accounts (LFN). If you don't actively delete your page, you agree to whatever the worst case is under new terms.
Here's what may have happened: when you go to LinkedIn, you regularly get shown a box (inline) inviting you to do something, like endorse people's skills.
One of those boxes invites you to "grow your network". It's not all that explicit as a call-to-action, as in the text may just be a slogan. The main focal point of that box is a login & password form, which looks exactly like the regular login form that users get when they want to do something that requires explicit re-authentication.
In other words: it's common to have to enter your login/password on LinkedIn, this looks a bit like one of those cases, so users will blindly start typing. If they use the same email/password combo for their email account as for their LinkedIn account, then they've just given LinkedIn access to that email-account.
The box itself is quite deliberately misleading. Unlike the regular invitations to load your addressbook, there are no Google or Yahoo logos, and no explicit descriptions.
I don't know whether there is a more explicit request for permission at the next step before it starts sucking in contacts; I don't dare enter a valid password.
If there is a next step that requires explicit confirmation, then this "trap" (which it quite obviously is) is merely annoying and a bit scummy.
If there isn't, I think they have a good case, because this would basically be phishing in reverse.
I think it's more likely that LinkedIn mobile app grabs your phone contacts, if you happen to give it permissions to do so.
I've noticed that the "People you may know" section started to contain faceless placeholder entries with emails from my address book (though, I'm not sure if/when I've given the iOS app the address book access).
I noticed that recently as well. Some of them actually say "X shared contacts" below them as well. I know for a fact some of these people are not on LinkedIn, so it's essentially building up shadow profiles and trying to get users to "invite" them to the website for them.
This is exactly what happened to me.
I thought it more of bad UI and lack of attention on my part. Everyone in my address book got an Invite.
LinkedIn need to address this but I think this lawsuit over-states the issue (still need to examine it in full but first impression)
I fell into this trap. Once, when accessing my account, I thought I had forgotten the password, but in truth they were asking for the password to my email and I inadvertently put it in. It is very common to reuse passwords; I bet they test for reuse and "invade" the e-mail account without permission.
Some LinkedIn apps ask for pretty extensive permissions: https://news.ycombinator.com/item?id=6014842
LinkedIn provided a pop-up window which, in small print, if you had logged in via Google or Facebook, notified users in legal terms that their e-mail contacts could (potentially, under some circumstances) be accessed.
Thus, in legal proceedings, the user was entirely informed of the possibility of this situation arising.
For future users, this sets a precedent that users are aware of the terms and conditions (as they have always been), and no further accidental leaks of personal information will occur.
Yet another scummy social media spying site I'm happy to have never signed up/used for anything. The vast majority of jobs I've found were idling in the local hack space IRC room with ~300 developers and engineers who dump openings, joint ventures and paid projects there first before the usual channels.
Would be pretty easy to test. Make an account with an email address pointed at a server you own, tail the logs and wait for the inevitable HELO from LinkedIn with the same credentials. Busted.
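The canary-mailbox test proposed above, written out as an added example (not code from any commenter in this thread and not anything LinkedIn publishes). It stands up a minimal IMAP listener that speaks just enough of the protocol to receive a LOGIN command, records every credential pair presented to it together with the peer address, and always rejects; a second function replays the role of the suspected client so the whole thing runs offline on localhost. The hostnames, the canary password and the in-memory log format are assumptions chosen for the demonstration. Note that a contact import would arrive as an IMAP (or POP/XOAUTH) login rather than an SMTP HELO, which is why the listener here is an IMAP one.

```python
"""Canary-mailbox honeypot: record every IMAP LOGIN presented to a mailbox whose
password was given to exactly one third party. Example code added to this
thread; the names below are assumptions, not anything from the original page."""
import socket
import socketserver
import threading
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    peer: str       # client IP the credentials arrived from
    user: str
    password: str


class ImapCanaryHandler(socketserver.StreamRequestHandler):
    """Speaks just enough IMAP4rev1 to receive a LOGIN, then rejects it."""

    def handle(self):
        # IMAP servers greet first; many clients never send LOGIN without it.
        self.wfile.write(b"* OK canary IMAP4rev1 ready\r\n")
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            parts = line.split(" ", 3)          # tag, command, user, password
            if len(parts) < 2:
                continue
            tag, cmd = parts[0], parts[1].upper()
            if cmd == "CAPABILITY":
                # Advertise plaintext LOGIN so the client has no reason to skip it.
                self.wfile.write(b"* CAPABILITY IMAP4rev1\r\n")
                self.wfile.write(f"{tag} OK done\r\n".encode())
            elif cmd == "LOGIN" and len(parts) == 4:
                user, password = (p.strip('"') for p in parts[2:4])
                self.server.attempts.append(
                    LoginAttempt(self.client_address[0], user, password))
                # Always fail: a canary mailbox must never actually open.
                self.wfile.write(f"{tag} NO invalid credentials\r\n".encode())
            elif cmd == "LOGOUT":
                self.wfile.write(b"* BYE\r\n")
                self.wfile.write(f"{tag} OK bye\r\n".encode())
                return
            else:
                self.wfile.write(f"{tag} BAD unsupported\r\n".encode())


class CanaryServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr):
        super().__init__(addr, ImapCanaryHandler)
        self.attempts = []      # shared log of LoginAttempt records


def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 picks a free port."""
    server = CanaryServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def attempt_login(host, port, user, password):
    """Play the suspected client: connect, send LOGIN, return the tagged reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        f.readline()                                    # greeting
        f.write(f'a1 LOGIN "{user}" "{password}"\r\n'.encode())
        f.flush()
        reply = f.readline().decode().strip()
        f.write(b"a2 LOGOUT\r\n")
        f.flush()
    return reply


def flag_canary_use(attempts, canary_user, canary_password):
    """Return the attempts that presented the password given ONLY to the suspect.
    Any hit proves that party (or whoever it leaked to) tried the credential."""
    return [a for a in attempts
            if a.user == canary_user and a.password == canary_password]


if __name__ == "__main__":
    # Constructed demo: the operator plays both the honeypot and the client.
    CANARY_USER, CANARY_PASS = "canary@mail.example", "Only-LinkedIn-Knows-This"
    srv, p = start_honeypot()
    print(attempt_login("127.0.0.1", p, CANARY_USER, CANARY_PASS))
    print(flag_canary_use(srv.attempts, CANARY_USER, CANARY_PASS))
    srv.shutdown()
```

In real use you would run the listener on port 143 (or 993 behind a TLS terminator) of a host whose MX/IMAP records you control, register the canary address and password with the one site under test, and wait; the peer address and timestamp of any hit are what you would hand to a lawyer, which is why the handler records the address rather than just a counter.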