LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts
cold fjord writes with this Business Week report: "LinkedIn Corp. ... was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts' addresses. The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site ... 'LinkedIn's own website contains hundreds of complaints regarding this practice,' they said in the complaint filed Sept. 17. ... LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open ... 'LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'"
"This puts an interesting twist on LinkedIn's recent call for transparency," adds cold fjord. (More at Bloomberg.)
LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open, according to the complaint.
Password = 'password'?
Maybe they used a cookie for an email session that was already opened by the browser?
This does not make sense.
The e-mail address a customer gives LinkedIn contains no information about what server the account is on or what protocol it can be accessed with.
And it certainly doesn't contain the password, unless you use the same password on multiple sites.
It is possible, I guess, that a script could scan the registered addresses for domains where the server and access method is known, and try to access it with the LinkedIn password. But even then, it would be difficult, to say the least, to get an address book out of that, given that most e-mail servers don't store any address book. It would have to be web interfaces. Of which there are hundreds, all doing it differently.
Willem of Ockham tells me that the simplest explanation might be ignorant users combined with greedy lawyers.
It was embarrassing and prompted me to close the account. Clearly a violation of privacy. I think at the time I used the same password as for my email account.
This is old news. It's real simple. Don't give LinkedIn your email passwords. Problem solved.
Sounds similar to what happened with Google Buzz. What ever came of those lawsuits? Pretty much nothing, other than some lawyers walked away with a bit of money and Google had to agree to some toothless privacy audits.
I know LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them, but you can just ignore that. It isn't mandatory, but if you don't read what it says on screen, you might think it is. So I'm more inclined to suspect that's what happened: the complainant entered his email address and password when prompted, and now thinks he's been hacked.
(this is not a
The included post url no longer has any details, does anyone know of a copy?
If we are going to be a 'nation of laws' then we need to stop being hypocritical in their application. But of course, the law is typically made to bully the small guy to the betterment of the big guy.
Silence is a state of mime.
It's a BS lawsuit on technical merits - they weren't hacking, they just have a registration flow where they ask to import your address book and then if you just click "next" then by default they invite everyone in your circle of contacts. Yes, spammy.. but you should read what you are clicking.
And they mention an ex-employee writing "hack" on their profile/resume as proof? Seriously..
Password Reuse, September 13, 2010
Several viruses are notorious for this same practice. Address book harvesting is malicious, no matter the party doing it. Worse, LinkedIn cannot even keep your passwords safe.
http://www.wired.com/geekmom/2012/06/linkedin-data-breach/
They didn't even use a salt with their hashes.
I believe, in light of just how many corporations are actually, willfully dishonest and do the things they are accused of, going forward, should corporations be found guilty, they should be legally dissolved and what's left over dumped into an escrow fund used to locate and dissolve other dishonest corporations. It's time people paid for their malfeasance. It's disgusting that corporations get away with what individuals cannot. Since corporations are now considered "people", shouldn't they be treated accordingly -- or are we too in love with capitalism to not crater the offenders...
I certainly noticed LinkedIn had access to my email sent-lists, but after logging into it a thousand times it's hard to know for sure I didn't check, or fail to check, a box that comes up asking my permission to do so. It just takes one time. Maybe this case will succeed, I'm afraid I've succumbed to thinking we have no more privacy or right to cover our tracks than we did walking past gossipy women in medieval villages. LinkedIn, Google, and Facebook have become the modern day cyber-Yentas, sometimes aggravatingly meddlesome, sometimes making a lifelong connection.
Submitted by Anonymous Coward on Saturday September 21, 2013 @09:55AM. Oh shoot...
Gently reply
This is a case of confusing UI defaults, I think, but given that *I* also got caught by it (and was mortified), even though LinkedIn isn't "hacking" anybody, I don't have a lot of sympathy for them (LinkedIn--have enormous sympathy with the users, even though I suspect their case won't stand up in court).
Here's what I think happened to me (as best I can remember...I'm not about to try to reproduce it): Yeah, sure, look for my contacts (provide Gmail username/password...all assurances are given they won't email anyone without your permission blah blah). LinkedIn shows you a list of a few dozen (IIRC) contacts in a frame (possibly those you most recently exchanged email with?); I deselected all of those and then carefully went through and selected a very small subset I actually wanted to "connect to." Once I've done that, I hit submit (or whatever) and get some confirmation, "We're going to send the invite, okay?" Yeah, sure...it's only sending to a few people, right? SOMEWHERE on that confirmation (again, IIRC) is a checkbox that alludes to the fact that, oh? All the contacts you DIDN'T unselect--IN YOUR ENTIRE CONTACTS LIST--are gonna get an email. Got to the next screen and it said something like "200 emails sent" and the expletives flew. (I can see missing that message...it was small.) Of course I was doing this process while I was watching TV or something--it didn't have my full attention--but the behavior was SO counter to my expectations of opting-in I was floored.
I can see why users would think LinkedIn "stole their contacts when their email was left open"--they're thinking that subset-selecting frame is the only time LinkedIn is (transparently) accessing their account (and therefore shouldn't do anything with contacts that don't appear in that frame, which makes sense in terms of user expectation).
When random people I know only slightly and who don't know my skill set are allowed to "endorse" me for knowledge and training they don't know that I have, it makes the whole of LinkedIn worthless to me except as a source of phone numbers. And often those are not even available. It has become Facebook with a clip-on tie.
If Slashdot were chemistry it would look like this: Cadaverine
Good riddance.
After a few months of receiving automated emails from Linked-in on behalf of people I had worked with, I finally created a filter to send them to trash. Most of the people I talked to could not remember giving consent to Linked-in to use their contact lists. Hopefully major email providers will just start sending the emails to spam by default.
... I use to login to LinkedIn. That way THEIR web client code can't get into my web based email (more than one site) using holes in the browser. For each site I have configured, there is a separate virtual HOME directory the browser is using, so things like cookies and browser processes are fully separated. I can log in to LinkedIn with one process and log in to Gmail with another process and there's no information going between. I can even login to 2 or more different Gmail accounts at the same time using this kind of separation (normally one would have to use separate userids or separate machines).
now we need to go OSS in diesel cars
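The per-site separation the post above describes, as an added example (not the commenter's own setup): each site gets its own private HOME and XDG directories, so a browser process started for one site has no path to another site's cookies, session store or profile. The root directory name and the browser flags in the trailing comments are assumptions.

```shell
#!/bin/sh
# Added example: per-site browser isolation by giving each site its own HOME.
# ISOLATED_ROOT and the browser invocation at the bottom are assumptions.

ISOLATED_ROOT="${ISOLATED_ROOT:-$HOME/.isolated-homes}"

# site_home SITE -> prints the private HOME for SITE, creating it (mode 0700).
# SITE is restricted to [A-Za-z0-9._-] so a name like "../x" cannot escape
# ISOLATED_ROOT and land in the real home directory.
site_home() {
    site=$1
    case $site in
        ''|*[!A-Za-z0-9._-]*|.|..)
            echo "site_home: bad site name '$site'" >&2
            return 1 ;;
    esac
    dir="$ISOLATED_ROOT/$site"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# run_isolated SITE CMD [ARGS...] -> runs CMD with a scrubbed environment whose
# HOME and XDG directories point at SITE's private directory. Two browsers
# started this way for different sites therefore keep separate cookie jars,
# session stores and local storage; nothing under the real HOME is referenced.
run_isolated() {
    site=$1; shift
    dir=$(site_home "$site") || return 1
    env -i \
        HOME="$dir" \
        XDG_CONFIG_HOME="$dir/.config" \
        XDG_CACHE_HOME="$dir/.cache" \
        XDG_DATA_HOME="$dir/.local/share" \
        PATH="$PATH" DISPLAY="${DISPLAY:-}" \
        "$@"
}

# Typical use (assumed Firefox flags; adapt to your browser):
#   run_isolated linkedin firefox -no-remote -profile "$(site_home linkedin)/profile" https://www.linkedin.com/
#   run_isolated gmail    firefox -no-remote -profile "$(site_home gmail)/profile"    https://mail.google.com/
```

Each call above starts a separate browser process, so logging in to two accounts of the same webmail provider is a matter of two site names rather than two OS users.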
Yeah, something similar happened to me. Fortunately, email did not go out to my contacts, but somehow, LinkedIn got access to my contacts in my Google account. It could be that I offered them access, but that is not something I would ever knowingly do.
The sad thing is that LinkedIn still occasionally prompts me to connect with my mom's email account. Sadly, she has been dead 4 years. I miss her every day. It is like a little kick in the gut.
My 72 year old mom had almost no visibility on the net. We don't share the same last name, I have not lived with her for 30+ years. I've seen other names come up in LinkedIn that could only be via my Google contacts.
LinkedIn provides a slightly useful product, but they have gone too far.
I'm curious, would 2-factor authentication (a la Gmail) prevent them from accessing your account, or is this a XSS or browser session hijacking problem?
Stop learning! Only you can prevent esoterrorism.
I have noticed people in the "You May Know" list that I corresponded with ONCE, ONLY in email, and on another account - and, I have *never* given them any passwords, and my password for LinkedIn is unique. They are DEFINITELY reading email servers from somewhere.. it was irritating to notice that.. I don't like it..
Linkedin suggests numerous names of people I know but have never exchanged emails with. It even suggested the name of my kid's girlfriend, and my kid's last name doesn't match mine and we have no common links on linkedin. I've limited my links to old co-workers from AT no family, no friends. There is no possible way they could have accessed my email because it requires an ssh login to a firewall server with a different userid and password, then an ssh connection to the mail server with yet another password. Those passwords are also different than my linkedin password. I'm not on any social media sites except linkedin and slashdot. Neither my slashdot name nor password matches my linkedin name or password. There has to be some data mining going on but it's not through email and not through any other social media. I have noticed that others from the companies I've worked for show up in the suggestions, including people I've never met. I'm not sure why they keep suggesting Texas people who worked for AT&T when I've only been in Michigan. It looks like they could have gotten my email contact list but I know they couldn't have. So I'm thinking that others seeing their email contacts show up might just be mistaken on how linkedin got the names.
Dyslexics Untie!
I know they do this. I have different passwords and have never given them permission to access my email to check for contacts. I know it's gmail because I use gmail as a secondary address and lo and behold I was asked if I wanted to connect to assholes who have stiffed me for rent money and I have never worked with. Assholes who I have had no contact with in 5 years. More likely Google sells them the info or maybe google owns a piece of them.
A truly fully secure browser would prevent them from even knowing if you use email at all, and certainly not let them get to your email.
now we need to go OSS in diesel cars
I once sent an email to a Service Manager at a local repair shop. She had recently been through a traumatic experience and I wanted to send her my sympathies. We exchanged an email or two and never communicated again.
A year later I received a blatant robo mail from her account with "her" requesting me to be added to her professional network. I then began to receive spam from them which helpfully let me remove my email BY LOGGING IN AND SAYING NO.. Right. So, I'm going to sign up for their service to tell them NOT to bug me?
Took about two weeks for them to de-list me.
And you were shown an "allow application" screen stating "The site www.linkedin.com is requesting access to your Google Account for the product(s) listed below. ....
Google Contacts
And you clicked Grant Access: possibly without reading and understanding the fine print of the service agreement, or clicking the LEARN MORE link
And your "I don't really care about my privacy" attitude is Linkedin "hacking" your account?
How is it fair to imply Linkedin has all the due care burden regarding your privacy, and YOU HAVE NONE?
If you don't care about your privacy you are eventually going to get burned.
They could have posted a privacy policy stating We can share all your details, including personal identifying information, browsing history, click history, ALL EMAIL MESSAGES IN YOUR MAILBOX, Sent Mail, Mail folders, etc, with anyone and everyone; at our sole discretion, and you would have never noticed.
This is silly. I am a LinkedIn user - I am guessing most of the folks here are not, and so don't know what they are talking about.
You have to ALLOW LinkedIn to access your email. I have told them No, I don't trust anyone with my contacts.
The lawsuit is baseless. End of story.
One thing that has disturbed me is how quickly all my efforts to control information about me are undone by a friend or coworker who doesn't care in the same way. All those apps and games on people's phones and tablets with "read contacts" permissions are building a network of information out of my control because people I know also maintain my contact information. For example, the latest google maps update requests the following permission be added - read your contacts. With further description - "...read data about your contacts stored on your phone, ...frequency....called, emailed, or communicated in other ways. ...may share contact data without your knowledge." WTF! It's a map application. People blindly update these things...
I know LinkedIn isn't doing it to me, because the IMAP/SMTP server I use for e-mail doesn't have my contacts on it. IMAP and SMTP don't even have the concept of contacts or an address book. End of problem.
Likely the LinkedIn users in question use a webmail service like GMail and gave LinkedIn access to their e-mail account to import their contacts. You get asked for this when setting up your LinkedIn account, and if you're using a browser that's logged into Google the LinkedIn site may try to get access directly and it's easy to give it access by mistake unless you're a professional paranoid like me whose default answer to every unexpected prompt is to close the browser down (I don't trust Close links in an HTML page to just close the page). Or someone the person corresponds with may have given LinkedIn access to their address book and found connections that way. Or LinkedIn may have scanned the user's public profile on Google+, gotten their publicly-listed circles and used the public profiles for those people to gain contact information. There's a lot of ways to gain access to this information that don't involve hacking an e-mail account. More likely the plaintiffs here have just been faced with incontrovertible proof that it really is as easy to find out this kind of stuff about them as their paranoid friends have been telling them and are trying to find any other explanation that lets them retain their warm fuzzy false view of the world.
It doesn't really matter, on a moral level at least, if LinkedIn has some explanation. The reality is that this sort of opportunism should be announced in 2 inch high flashing text with an "are you sure?" question before execution. It is embarrassing for the LinkedIn user and it is NOT appreciated by probably a majority of the non-linkedin contactees. I, certainly, have NOT appreciated getting SECOND HAND invites to LinkedIn, FaceBook, etc. In fact, it makes me regret I gave my email to these so-called "friends" and "professionals" to begin with.
I think we are rapidly coming into a new age where privacy will be the primary marker of class. Higher class people increasingly don't WANT their personal information given to the pimps such as google, facebook, LinkedIn, etc. Soon the higher class won't be traceable to any significant degree on social networks or, indeed, on the internet at all.
I bet we can't find the google boys' personal cell phone numbers and other personal effects on-line and I bet we can't eavesdrop on their houses with google earth. That should tell you something; in fact, that should tell you everything. That's why I won't accept an Android phone, why I regret I ever used gmail, why I have never opened a facebook account, why I have not responded to "LinkedIn" invitations, and why I'm even beginning to regret using a "smart" phone. It's too bad because a more efficient means for professionals to work and connect VOLUNTARILY with other professionals could have been of great net benefit to many of us and to the economy as a whole. But net is the key word. We are caught in a "net" now and we can't get out.
Welcome to Dystopia! It's almost inevitable it will eventually get really ugly - and probably really, really, REALLY bloody if history and human nature is any gauge. It always starts something like this. We've ignorantly prostituted ourselves for "free", almost like naive children taken in by a pederast offering a one-penny candy. Drop your pants and lube up? Oh...you already have?
And run droidwall, and google "android 4.3 app ops" - still not as granular as I would like, but getting there. Until then, I just don't tell my phone anything important.
This issue is a bit more complicated than you think.
By now you never will be.
I am in a similar situation where I have a couple of Google Apps accounts that I ONLY use for work-related purposes. NOTHING ELSE. I never authorise anything to use them; I keep it all on my personal account. Sure enough LinkedIn has slurped some contacts from sent items. I use different passwords for everything. I hardly have even used LinkedIn, much less with a work related email account open (I hardly open them). The ONLY way they could have stolen it (that is the only thing running at the same time) would be a mobile app, either from my Android or iOS device. I have these work accounts set up permanently on these devices and, foolishly it seems, loaded the LinkedIn app.
Funny enough ALL these email accounts have been getting spam lately from "Dr OZ" to their actual address, which is strange when I use disposable email addresses for EVERYTHING, including client contact. The only thing I use the actual address for is to log in and set up the mail client. These email addresses must have been slurped from a mobile app, not sure if it was LinkedIn or another app.
Quit spamming the topic with this shit. You clearly have no idea what the fuck you are talking about. You are just regurgitating words you kind of know about.
This is true. That is exactly what they do. They even check CC: headers to see what sort of link you have and weed out the mailing list sender addresses and stuff. Since the amount of people allowing LinkedIn access to their account is so big, even if you don't give them access to yours, they will still be able to figure out about 80% of your contact list. This company is extremely good at "Big Data" and correlating it. It's why their platform is the most popular and by far the biggest "business contact" social media network.
I've had it explained by them a while ago when I asked them to remove everything they pulled from my e-mail account. They had stuff that they couldn't have pulled from there and I never gave them permission to get. They then explained that they most likely got it from the other party involved and that they do a lot of correlation on the stuff they harvest to come up with possible matches.
Even though I don't approve of what Linkedin is doing, it's not illegal (in the USA) and I really doubt that these people suing them will get anything out of this case. I think it may be illegal in some countries in Europe because gathering personal information on people if they are not a user or customer of your services is illegal there. They are one of the companies that are known to keep "ghost profiles" (Google and FaceBook do too) of you. I have yet to see any of them brought to court in those European countries, but I doubt they'd win a properly prepared case there.
I was promised a flying car. Where is my flying car?
...even though it continually nags me for it. I know several people who linkedin has connected to me online only because they let the system into their email.
http://michaelsmith.id.au
LinkedIn claims that it won't send e-mail to your contacts on your behalf without your permission. What they don't say is that they won't send e-mail to their existing members that happen to be in your contact list. They also don't claim that they won't exploit the knowledge that I am both in your contact list and an existing member. So, I have had a number of e-mails and web pages that list a particular individual as "somebody you may know" because she once answered a classified ad from her yahoo address and LinkedIn has access to her yahoo e-mail account. I am nearly certain that she never asked LinkedIn to connect us; if she had, the message from LinkedIn would say "Person X has requested a connection." Instead, for three years they have kept suggesting that I may know person X, and given that I have no other connection than a couple of e-mails in response to an advertisement, they are exploiting her e-mail contacts in a way that they don't make clear to their users when they are granted access to e-mail accounts.
After this happened with my yahoo contact list, I changed my linkedin e-mail to a non-yahoo email. I received a message from linkedin that they could not access my contact list and they told me to change my e-mail service provider.
Why are there no lawsuits for what is basically hacking (break and enter) and utilization of stolen property (information)?
Are people really this spineless these days?
I purchased my domain name 10 years ago the same day .jp became available. (mylastname.jp) At that time, I hosted it on a Florida based ISP, then moved to GoDaddy and finally last year to GoogleApps.
I created email addresses for my immediate family from day 1. Myself, my wife and my two boys, aged 1 and 0 at the time. The boys' accounts were never logged into, although there was a secure password set. When I moved the domain to GoDaddy, the email accounts did not come over and all data on the old ISP was deleted. Again when moving to GoogleApps the addresses of the boys did not get created.
The addresses are, however, in my address book, which is hosted on my mylastname.jp account on GoogleApps.
So you'll understand my surprise when my son's name and email address turns up as a 'Person you may know' on Linkedin. How did they get the address? It hasn't existed in a system for over 7 years, and as far as I know, only resides in my address book.
Sure his last name is the same as mine and the email address is mylastname.jp, so there might be a connection there. But the point is, where did they get the address from in the first place? There has never once been an email sent from that address.
The other concern is that his name and the full email address was clearly shown on screen. What's with that?
I created a custom email alias for Linked In and use a really nasty randomly-generated password which I store in a password manager, so they'll never get anything else out of me. I also never put my work Outlook email address and password in. I'm not THAT stupid :-) Some people obviously are, but I'd hardly call that Linked In's fault.
The reason I'm not on Linkedin is that they're a sleazy business. I keep getting "invitations", many from people I don't know and who quite certainly don't know me. I keep getting them despite telling them several times that I don't want ANY mail from them EVER again.
They are, frankly, spammers.
And we all know that spammers are criminals and don't hesitate engaging in other criminal activities.
Assorted stuff I do sometimes: Lemuria.org
I've been saying for several years that LinkedIn's suggestions creep me out. I've got a personal email address linked to it, but it's suggested that I might know people I've only contacted through employer emails (completely unrelated to my contacts and industry), or even only contacted by phone! I feel it's gotten worse since they went public. I hope they get their ass kicked in court, I'll be following this case closely.
I've had the same question asked by Google+, Facebook, Pinterest and Twitter.
All social networks ask if you would allow them to access your email contacts so they can find (or invite) those friends to the same network.
I always said no. Those users gave up their privacy as soon as they signed up.