LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts
cold fjord writes with this Business Week report: "LinkedIn Corp. ... was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts' addresses. The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site ... 'LinkedIn's own website contains hundreds of complaints regarding this practice,' they said in the complaint filed Sept. 17. ... LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open ... 'LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'"
"This puts an interesting twist on LinkedIn's recent call for transparency," adds cold fjord. (More at Bloomberg.)
Maybe they used a cookie for an email session that was already opened by the browser?
They probably exploited that many of their customers used the same password for their site and the email account. After that it's just a matter of scraping web interfaces (Google, Yahoo, Exchange, ...) for the contact data.
They tried using people's linkedin passwords for their email accounts, and since many people reuse passwords they got in.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
It was embarrassing and prompted me to close the account. Clearly a violation of privacy. I think at the time I used the same password as for my email account.
If this can be proved, it's a violation of CFAA -- unless you gave them permission to get contacts from your accounts. Does anybody read that mess of legalese in the terms of service you agree to when you join/connect to LinkedIn?
They probably exploited that many of their customers used the same password for their site and the email account.
Which makes the linked-in customers idiots. However: if this is what linked-in have done then they should be prosecuted to the fullest extent of the law, in the UK that would be under the computer misuse act, those responsible should be extradited from the USA if necessary. I am not talking about some minion in a technical department but the director who was responsible.
I know LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them, but you can just ignore that. It isn't mandatory, but if you don't read what it says on screen, you might think it is. So I'm more inclined to suspect that's what happened: the complainant entered his email address and password when prompted, and now thinks he's been hacked.
(this is not a
The included post url no longer has any details, does anyone know of a copy?
If we are going to be a 'nation of laws' then we need to stop being hypocritical in their application. But of course, the law is typically made to bully the small guy to the betterment of the big guy.
Silence is a state of mime.
Several viruses are notorious for this same practice. Address book harvesting is malicious, no matter the party doing it. Worse, LinkedIn cannot even keep your passwords safe.
http://www.wired.com/geekmom/2012/06/linkedin-data-breach/
They didn't even use a salt with their hashes.
'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'
I certainly noticed LinkedIn had access to my email sent-lists, but after logging into it a thousand times it's hard to know for sure I didn't check, or fail to check, a box that comes up asking my permission to do so. It just takes one time. Maybe this case will succeed, I'm afraid I've succumbed to thinking we have no more privacy or right to cover our tracks than we did walking past gossipy women in medieval villages. LinkedIn, Google, and Facebook have become the modern day cyber-Yentas, sometimes aggravatingly meddlesome, sometimes making a lifelong connection.
Submitted by Anonymous Coward on Saturday September 21, 2013 @09:55AM. Oh shoot...
This is a case of confusing UI defaults, I think, but given that *I* also got caught by it (and was mortified), even though LinkedIn isn't "hacking" anybody, I don't have a lot of sympathy for them (LinkedIn--have enormous sympathy with the users, even though I suspect their case won't stand up in court).
Here's what I think happened to me (as best I can remember...I'm not about to try to reproduce it): Yeah, sure, look for my contacts (provide Gmail username/password...all assurances are given they won't email anyone without your permission blah blah). LinkedIn shows you a list of a few dozen (IIRC) contacts in a frame (possibly those you most recently exchanged email with?); I deselected all of those and then carefully went through and selected a very small subset I actually wanted to "connect to." Once I've done that, I hit submit (or whatever) and get some confirmation, "We're going to send the invite, okay?" Yeah, sure...it's only sending to a few people, right? SOMEWHERE on that confirmation (again, IIRC) is a checkbox that alludes to the fact that, oh? All the contacts you DIDN'T unselect--IN YOUR ENTIRE CONTACTS LIST--are gonna get an email. Got to the next screen and it said something like "200 emails sent" and the expletives flew. (I can see missing that message...it was small.) Of course I was doing this process while I was watching TV or something--it didn't have my full attention--but the behavior was SO counter to my expectations of opting-in I was floored.
I can see why users would think LinkedIn "stole their contacts when their email was left open"--they're thinking that subset-selecting frame is the only time LinkedIn is (transparently) accessing their account (and therefore shouldn't do anything with contacts that don't appear in that frame, which makes sense in terms of user expectation).
Wouldn't that also imply clear-text password storage at the LinkedIn end? In itself quite a bad revelation if that is the case.
The part after "@" gives them all the info they need (e.g. @gmail.com @yahoo.com).
Which makes the linked-in customers idiots
That goes without saying. Never seen a "community" of more self-congratulatory blowhards.
I guess if you can't get a job on merit, you drink with people who can get one for you - and this is the online equivalent for the even lazier.
When random people I know only slightly and who don't know my skill set are allowed to "endorse" me for knowledge and training they don't know that I have, it makes the whole of LinkedIn worthless to me except as a source of phone numbers. And often those are not even available. It has become Facebook with a clip-on tie.
If Slashdot were chemistry it would look like this:Cadaverine
Click-through contracts are bullshit, just like read-through contracts where by reading to the end of this sentence you agree to give me $10,000.
Password = 'password'?
Hey! That's the same password I use for my gmail account!
This gives them enough to access the email where the browser itself is logged in to.
now we need to go OSS in diesel cars
Uh, better yet, Don't use LinkedIn it's a dumping ground for people who pad their Resumes (CVs).
Harrison's Postulate - "For every action there is an equal and opposite criticism"
How do you figure that?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
After a few months of receiving automated emails from Linked-in on behalf of people I had worked with, I finally created a filter to send them to trash. Most of the people I talked to could not remember giving consent to Linked-in to use their contact lists. Hopefully major email providers will just start sending the emails to spam by default.
... AND do not login to your email using the same browser you login to LinkedIn with. Unfortunately, most people use the same browser. Sue the browser maker and get the money back that you paid for the insecure browser.
now we need to go OSS in diesel cars
... I use to login to LinkedIn. That way THEIR web client code can't get into my web based email (more than one site) using holes in the browser. For each site I have configured, there is a separate virtual HOME directory the browser is using, so things like cookies and browser processes are fully separated. I can log in to LinkedIn with one process and log in to Gmail with another process and there's no information going between. I can even login to 2 or more different Gmail accounts at the same time using this kind of separation (normally one would have to use separate userids or separate machines).
now we need to go OSS in diesel cars
I already forgot what I did on Linkedin when I joined it several years ago, but didn't we all give them our contact lists voluntarily so they will check if our acquaintances have it? Maybe I am confusing this with Google+
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
I'm curious, would 2-factor authentication (a la Gmail) prevent them from accessing your account, or is this a XSS or browser session hijacking problem?
Stop learning! Only you can prevent esoterrorism.
Working in the Corporate world, I've seen this happen to people before. They sign up on LinkedIn, suddenly everyone on their contacts list starts getting "invites".
All the examples I've personally seen were people who accessed LinkedIn on a smartphone. One co-worker suddenly started spamming invites to a couple distribution lists at the company.... he had just logged in using his work-supplied phone and it scraped his contact list. And since he's always 'logged in' with the work email, it started scraping the entire company directory.
We awarded them with a permanent spot on our spam Blacklist, and blackholed their IP space.
Their client side code is running in the same web browser that the user logged in to that user's web based email with. It's a browser security issue. Once they know the domain in your email address, they know how to watch you for when you login to your email web site. They don't need the password since it is already logged in. They can't get the password used, but they can get the email contact list, and the contents of the email you are currently reading.
now we need to go OSS in diesel cars
Linkedin suggests numerous names of people I know but have never exchanged emails with. It even suggested the name of my kid's girlfriend and kid's last name doesn't match mine and we have no common links on linkedin. I've limited my links to old co-workers from AT&T, no family, no friends. There is no possible way they could have accessed my email because it requires an ssh login to a firewall server with a different userid and password, then an ssh connection to the mail server with yet another password. Those passwords are also different than my linkedin password. I'm not on any social media sites except linkedin and slashdot. Neither my slashdot name nor password matches linkedin name or password. There has to be some data mining going on but it's not through email and not through any other social media. I have noticed that others from the companies I've worked for have shown up in the suggestions including people I've never met. I'm not sure why they keep suggesting Texas people who worked for AT&T when I've only been in Michigan. It looks like they could have gotten my email contact list but I know they couldn't have. So I'm thinking that others seeing their email contacts show up might just be mistaken on how linkedin got the names.
Dyslexics Untie!
Password = 'password'?
"then used the information to access their external e-mail accounts when they were left open ... "
TFA:
‘Your Permission’
The actions were taken even though LinkedIn assures its users when they log in, “We will not e-mail anyone without your permission,” the plaintiffs said.
i always had the impression that those profiles i randomly go to see on linkedin had to correspond to braindead suckers. linkedin just gave confirmation.
--
brave weird world, today
I know they do this. I have different passwords and have never given them permission to access my email to check for contacts. I know it's gmail because I use gmail as a secondary address and lo and behold I was asked if I wanted to connect to assholes who have stiffed me for rent money and I have never worked with. Assholes who I have had no contact with in 5 years. More likely Google sells them the info or maybe google owns a piece of them.
I don't use web based email. That being said they can't do what you are claiming they can on any modern browser as far as I know. Do you know of a modern browser that doesn't enforce a same-origin policy?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I've seen other names come up in LinkedIn that could only be via my Google contacts.
Or, LinkedIn could just have an insanely good algorithm. I was recently presented with a "someone you might know" when I logged in to LinkedIn, and I did know them, but I have no clue how LinkedIn figured it out.
They had just joined LinkedIn in the past week. They used a different e-mail address (different provider/domain) from the one I contact them with and the e-mail address they contact me with isn't the one that LinkedIn has for me. I don't use any webmail (host my own e-mail and access via imap) and so LinkedIn can't get any contacts from me, even if they did "hack my e-mail" (which is unlikely as my e-mail username isn't the e-mail address they have for me and the password for my actual account isn't the same as my LinkedIn login). All of their links at the time were people from their new work (I don't work with them...they are just a friend).
So, basically, LinkedIn had no direct way to connect us, yet it did.
A truly fully secure browser would prevent them from even knowing if you use email at all, and certainly not let them get to your email.
now we need to go OSS in diesel cars
They asked, they didn't get it. Nor a real email either. So no contact list to get, and since it's my spam account.... well, knock yourself out emailing all those spammers. :)
The cesspool just got a check and balance.
Bah! Rushing through things. My AC post was the one where I declined to give them access to my contacts list and they disregarded my selection and spammed everyone whom I ever corresponded with.
Not quite true. When I opened a Facebook account several years ago, I registered using my Yahoo account. I know how often I have changed my password and there are some specific times when I have changed all my passwords when I have had a virus or a rabid g/f using my computer. Facebook manages to recommend people that have been added to my Yahoo contacts since the password has been changed and they have no legitimate way of knowing who I add. I only use Yahoo for work contacts and use Gmail for my friends but none of my new Gmail contacts get recommended to me. The contacts on Yahoo are not contacts of my friends who are contacts on Gmail. I am absolutely certain that Facebook has access to my Yahoo contacts in the way that these guys are certain that LinkedIn is doing to them. I assume that Yahoo etc. allow this to happen and now I always use throw away address.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
I do use the same browser to log into gmail as I use for LinkedIn, yet, LinkedIn has never mined my gmail contacts. LinkedIn keeps nagging me to give it my gmail password so that it can mine my gmail contacts and I nearly did this once because of the less than clear information on the page. So, for the people who are complaining, either:
1. LinkedIn tried using their LinkedIn password against their email login, or:
2. they misread the LinkedIn page and explicitly gave LinkedIn permission to mine their contacts.
note that option 1 implies that LinkedIn stores clear text passwords, contrary to claims made by LinkedIn in 2012 when some users' passwords were stolen.
The real "Libtards" are the Libertarians!
> Which makes the linked-in customers idiots.
They're not customers any more than cattle are customers for the slaughterhouse. Their main customers are recruiters.
Help help, I am the real Astronomerguy. The person above hacked my LinkedIn account. Please contact Cyberpolice.
I think that the various companies collude.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
Which would require clear text storage of LinkedIn passwords. In 2012 when there was a compromise, LinkedIn claimed that they stored an unsalted hash.
The real "Libtards" are the Libertarians!
And you got displayed an allow application screen Stating "The site www.linkedin.com is requesting access to your Google Account for the product(s) listed below. ....
Google Contacts
And you clicked Grant Access: possibly without reading and understanding the fine print of the service agreement, or clicking the LEARN MORE link
And your I don't really care about my privacy attitude is Linkedin "hacking" your account?
How is it fair to imply Linkedin has all the due care burden regarding your privacy, and YOU HAVE NONE?
If you don't care about your privacy you are eventually going to get burned
They could have posted a privacy policy stating We can share all your details, including personal identifying information, browsing history, click history, ALL EMAIL MESSAGES IN YOUR MAILBOX, Sent Mail, Mail folders, etc, with anyone and everyone; at our sole discretion, and you would have never noticed.
I know that it is not done on /. to RTFA but follow the flow of the discussion at least. You can 'READ' what it says, and they say they will not contact anyone without your permission. That is the contract. You can decline the option of letting them access your contacts, they still will. Then you can change your password to stop them, they still will. Without your permission or your password, that is hacking. I think that collusion is actually more likely as all these companies are address farms and they would all benefit from a sharing scheme.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
One thing that has disturbed me is how quickly all my efforts to control information about me are quickly undone by a friend or coworker who doesn't care in the same way. All those apps and games on people's phones and tablets with "read contacts" permissions are building a network of information out of my control because people I know also maintain my contact information. For example, the latest google maps update requests the following permission be added - read your contacts. With further description - "...read data about your contacts stored on your phone, ...frequency....called, emailed, or communicated in other ways. ...may share contact data without your knowledge." WTF! it's a map application. People blindly update these things...
The part after "@" gives them all the info they need (e.g. @gmail.com @yahoo.com).
No, it doesn't. That gives you enough info to look up the MX (or if lacking that, A) records in DNS to find out where to send mail to. It doesn't tell the address of the server where the user accesses the delivered mail.
I'm myname@somecompany.com, but to fetch mail, I have to go to na-pop3.othercompany.com
And even then, there's no address book available over the pop3 protocol. Just my mail.
my money would be on the mobile app
I looked at it and the permissions and refuse to go near it again.
wants to know and access everything
Now this makes a lot more sense than having a bot impersonate people on dozens of different webmail accounts with different authentication schemes, different methods of accessing the address book (if it exists). The latter would not only be considered a felony most places, but it also would be really hard to program so it would give a decent yield or not be detected.
A mobile app, on the other hand, which the user stupidly gives explicit access to read your address book, now that's giving it away. Immoral, perhaps, but the user provides it all, and has accepted that the app can access it.
Apropos: I just uninstalled Firefox for Android, because I see no reason to give it unlimited access to my microphone and camera, which the new version requires. Yet I bet most people blindly hit "Accept".
gmail and yahoo are well known.
I think that the various companies collude.
If so, wouldn't it be a lot simpler for them to just send each other the address lists, instead of enabling a company to take advantage of browser insecurities to perhaps glean that information?
I know LinkedIn isn't doing it to me, because the IMAP/SMTP server I use for e-mail doesn't have my contacts on it. IMAP and SMTP don't even have the concept of contacts or an address book. End of problem.
Likely the LinkedIn users in question use a webmail service like GMail and gave LinkedIn access to their e-mail account to import their contacts. You get asked for this when setting up your LinkedIn account, and if you're using a browser that's logged into Google the LinkedIn site may try to get access directly and it's easy to give it access by mistake unless you're a professional paranoid like me whose default answer to every unexpected prompt is to close the browser down (I don't trust Close links in an HTML page to just close the page). Or someone the person corresponds with may have given LinkedIn access to their address book and found connections that way. Or LinkedIn may have scanned the user's public profile on Google+, gotten their publicly-listed circles and used the public profiles for those people to gain contact information. There's a lot of ways to gain access to this information that don't involve hacking an e-mail account. More likely the plaintiffs here have just been faced with incontrovertible proof that it really is as easy to find out this kind of stuff about them as their paranoid friends have been telling them and are trying to find any other explanation that lets them retain their warm fuzzy false view of the world.
Which would require clear text storage of LinkedIn passwords. In 2012 when there was a compromise, LinkedIn claimed that they stored an unsalted hash.
Not necessarily. When the user creates an account or anytime the user logged in LinkedIn could use the password they received to do the email login. It doesn't matter that the password is stored as a hash.
Funny. I hadn't read these comments but I came to the same conclusion. I think that's likely what they did, and yes that implies that they have users' passwords in plaintext.
I'd say it's more likely that one of your friends is allowing Facebook to scrape their email account and you are getting associated in that way. There's no need for them to hack your account when they can get all that data from someone else. No matter how much we try to keep our privacy, it's easily destroyed when one of our connections gives up all their data.
And run droidwall, and google "android 4.3 app ops" - still not as granular as I would like, but getting there. Until then, I just don't tell my phone anything important.
This issue is a bit more complicated than you think.
The problem is that mostly this stuff is given voluntarily. It's just not given by you. You voluntarily connect with person A, for good reasons. And then person A for reasons that seem good to them (maybe because in their work the connections they have has an impact on their income) makes it public that they're connected to you. Then for good reasons they connect to person B. And person B is careless, or doesn't think, and they let a site siphon up their connections. Presto, that site now knows about your connection to person A.
The basic problem is that "voluntary" is transitive and "private" is not, but we treat it as if it's the other way around.
"an unsalted hash", not "only an unsalted hash". Seems like they used the plaintext password to access people's email accounts and then discarded them, keeping only the hashes.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
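The storage point argued in the comments above (unsalted versus salted hashes, and that the server still receives the plaintext at every login), as an added example; it is not part of the original thread and is not LinkedIn's code. SHA-1 as the unsalted digest, the PBKDF2 work factor and the sample accounts are assumptions constructed for illustration.

```python
"""Unsalted vs. salted password storage, and what the login path sees."""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 200_000          # assumption: illustrative work factor
_DUMMY_SALT = b"\x00" * 16       # used only to equalise timing for unknown users

# Constructed sample accounts (not real data).
SAMPLE_USERS = [
    ("alice@example.com", "password"),
    ("bob@example.org", "password"),
    ("carol@example.net", "c0rrect-horse-battery"),
]


def store_unsalted(users):
    """Weak scheme: {email: hex digest} with a bare digest and no salt.

    SHA-1 is an assumption here; the thread only says "unsalted hash".
    """
    return {email: hashlib.sha1(pw.encode("utf-8")).hexdigest()
            for email, pw in users}


def store_salted(users):
    """Hardened scheme: {email: (salt, derived_key)} with a random per-user salt."""
    db = {}
    for email, pw in users:
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
        db[email] = (salt, key)
    return db


def accounts_sharing_a_value(db):
    """Group accounts whose stored value is identical.

    With no salt, everyone who chose the same password has the same stored
    hash, so a single leaked table reveals those groups without any cracking.
    """
    groups = defaultdict(list)
    for email, stored in db.items():
        value = stored if isinstance(stored, str) else stored[1].hex()
        groups[value].append(email)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def verify_login(db_salted, email, submitted_password):
    """Check a login attempt against the salted store.

    `submitted_password` is plaintext in this function on every login.
    Hashing protects the table at rest; it does not limit what the code
    handling the request is able to do with the password it was just sent.
    """
    record = db_salted.get(email)
    salt, expected = record if record else (_DUMMY_SALT, b"")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted_password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Constant-time comparison; unknown users still pay the derivation cost.
    return record is not None and hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print("unsalted duplicates:", accounts_sharing_a_value(store_unsalted(SAMPLE_USERS)))
    salted = store_salted(SAMPLE_USERS)
    print("salted duplicates:  ", accounts_sharing_a_value(salted))
    print("login ok:", verify_login(salted, "alice@example.com", "password"))
```
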
By now you never will be.
Except those same permissions are in chrome, opera, dolphin, Firefox... So you just don't use a web browser then?
No, they're not. Opera doesn't require access to your accounts, for example. And the Android Browser doesn't require access to your hardware.
Someone should set up a grid where you can compare the permissions you have to give each app, because they're definitely not the same.
I am in a similar situation where I have a couple of Google Apps accounts that I ONLY use for work-related purposes. NOTHING ELSE. Never authorise anything to use them keep it all on my personal. Sure enough LinkedIn has slurped some contacts from sent items. I use different passwords for everything. I hardly have even used LinkedIn, much less with a work related email account open (I hardly open them). The ONLY way they could have stolen it (That is the only thing running at the same time) would be a mobile app either from my Android or iOS device. I have these work accounts set up permanently on these devices and foolishly it seems loaded the LinkedIn app.
Funny enough ALL these email accounts have been getting spam lately from "Dr OZ" to their actual address, which is strange when I use disposable email addresses for EVERYTHING, including client contact. The only thing I use the actual address for is to log in and set up the mail client. These email addresses must have been slurped from a mobile app, not sure if it was LinkedIn or another app.
This is true. That is exactly what they do. They even check CC: headers to see what sort of link you have and weed out the mailing list sender addresses and stuff. Since the amount of people allowing LinkedIn access to their account is so big, even if you don't give them access to yours, they will still be able to figure out about 80% of your contact list. This company is extremely good at "Big Data" and correlating it. It's why their platform is the most popular and by far the biggest "business contact" social media network.
I've had it explained by them a while ago when I asked them to remove everything they pulled from my e-mail account. They had stuff that they couldn't have pulled from there and I never gave them permission to get. They then explained that they most likely got it from the other party involved and that they do a lot of correlation on the stuff they harvest to come up with possible matches.
Even though I don't approve of what Linkedin is doing, it's not illegal (in the USA) and I really doubt that these people suing them will get anything out of this case. I think it may be illegal in some countries in Europe because gathering personal information on people if they are not a user or customer of your services is illegal there. They are one of the companies that are known to keep "ghost profiles" (Google and FaceBook do too) of you. I have yet to see any of them brought to court in those European countries, but I doubt they'd win a properly prepared case there.
I was promised a flying car. Where is my flying car?
See Cross-Site Request Forgery: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
...even though it continually nags me for it. I know several people who linkedin has connected to me online only because they let the system into their email.
http://michaelsmith.id.au
Why? From the Wikipedia article on CSRF: "Note that the attack is blind; i.e., the attacker can't see what the target website sends back to the victim in response to the forged requests, unless they exploit a cross-site scripting or other bug at the target website."
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
unless you gave them permission to get contacts from your accounts.
The users probably did by not unchecking a checkbox somewhere.
http://michaelsmith.id.au
Linked in claims that it won't send e-mail to your contacts on your behalf without your permission. What they don't say is that they won't send e-mail to their existing members that happen to be in your contact list. They also don't claim that they won't exploit the knowledge that I am both in your contact list and an existing member. So, I have had a number of e-mails and web pages that list a particular individual as "somebody you may know" because she once answered a classified ad from her yahoo address and linked in has access to her yahoo e-mail account. I am nearly certain that she never asked linked in to connect us; if she had the message from linked in would say "Person X has requested a connection." Instead, for three years they have kept suggesting that I may know person X, and given that I have no other connection than a couple of e-mails in response to an advertisement, they are exploiting her e-mail contacts in a way that they don't make clear to their users when they are granted access to e-mail accounts.
After this happened with my yahoo contact list, I changed my linkedin e-mail to a non-yahoo email. I received a message from linkedin that they could not access my contact list and they told me to change my e-mail service provider.
When I login to my Linked-in account I'm given the option to supply them with my email credentials.
http://s3.danscomp.net/linked-in_email_login.jpg
Pretty obvious that you're handing them access to your email account. The plaintiffs are idiots.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
I purchased my domain name 10 years ago the same day .jp became available. (mylastname.jp) At that time, I hosted it on a florida based ISP then moved to GoDaddy and finally last year to GoogleApps.
I created email addresses for my immediate family from day 1. Myself, my wife and my two boys aged 1 and 0 at the time. The boy's accounts were never logged into although there was a secure password set. When I moved the domain to GoDaddy, the email accounts did not come over and all data on the old ISP was deleted. Again when moving to GoogleApps the addresses of the boys did not get created.
The addresses are, however, in my address book. Which is hosted to my mylastname.jp account on GoogleApps.
So you'll understand my surprise when my son's name and email address turns up as a 'Person you may know' on Linkedin. How did they get the address? It hasn't existed in a system for over 7 years, and as far as I know, only resides in my address book.
Sure his last name is the same as mine and the email address is mylastname.jp, so there might be a connection there. But the point is, where did they get the address from in the first place? There has never once been an email sent from that address.
The other concern is that his name and the full email address was clearly shown on screen. What's with that?
This does not make sense.
The e-mail address a customer gives LinkedIn contains no information about what server the account is on or what protocol it can be accessed with.
And it certainly doesn't contain the password, unless you use the same password on multiple sites.
Yes, it does. If the user fills out the form as SomeDouche@gmail.com then linkedin goes to gmail.com and logs in with the credentials supplied by the user. It's not rocket science.
http://s3.danscomp.net/linked-in_email_login.jpg
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
That is basically what I am saying. I do not believe that they are using some insecurity, I think they are just asking another company for your contacts with them in return for the contact list they have.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
I accept that you did not read all my post, but no, that would not explain it.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
I created a custom email alias for Linked In and use a really nasty randomly-generated password which I store in a password manager, so they'll never get anything else out of me. I also never put my work Outlook email address and password in. I'm not THAT stupid :-) Some people obviously are, but I'd hardly call that Linked In's fault.
Or they only temporarily use the clear text password while you create an account/change password.
New things are always on the horizon
The reason I'm not on Linkedin is that they're a sleazy business. I keep getting "invitations", many from people I don't know and who quite certainly don't know me. I keep getting them despite telling them several times that I don't want ANY mail from them EVER again.
They are, frankly, spammers.
And we all know that spammers are criminals and don't hesitate engaging in other criminal activities.
Assorted stuff I do sometimes: Lemuria.org
Note the 2nd part: "unless they exploit a cross-site scripting or other bug at the target website"
Also, even if the attacker can't see what the target website sends back, that doesn't mean they can't get the information. Given that these are web email apps we are talking about, perhaps the hacker sent an email to himself containing all the contact info and then sent another instruction to delete that email in order to cover his tracks.
I've been saying for several years that LinkedIn's suggestions creep me out. I've got a personal email address linked to it, but it's suggested that I might know people I've only contacted through employer emails (completely unrelated to my contacts and industry), or even only contacted by phone! I feel it's gotten worse since they went public. I hope they get their ass kicked in court, I'll be following this case closely.
Same happened to me last week. And zero shared connections. My only guess lead is that they knew we went to the same school around the same time and work in a related profession.
But I suspect something more nefarious... not that it stopped me from sending a request because, y'know... hey! old friends!
SWM seeks new sig for a brief fling