Slashdot Mirror


LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

cold fjord writes with this Business Week report: "LinkedIn Corp. ... was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts' addresses. The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site ... 'LinkedIn's own website contains hundreds of complaints regarding this practice,' they said in the complaint filed Sept. 17. ... LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open ... 'LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'" "This puts an interesting twist on LinkedIn's recent call for transparency," adds cold fjord. (More at Bloomberg.)

43 of 210 comments

  1. This happened to me by Duncan+J+Murray · · Score: 4, Informative

    It was embarrassing and prompted me to close the account. Clearly a violation of privacy. I think at the time I used the same password as for my email account.

    1. Re:This happened to me by Zero__Kelvin · · Score: 4, Funny

      What is it? I want to make sure I don't use the same one.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:This happened to me by Skapare · · Score: 3, Informative

      Do not use the same browser for LinkedIn as for any web based email. Note that separate windows don't count as separate browsers. Unless you know how to start browsers in a truly separate way, you're better off using separate userids on your computer for each web site that might do this (lots of them).

      --
      now we need to go OSS in diesel cars
  2. Re:What the hell is "left open"? by Alain+Williams · · Score: 5, Informative

    They probably exploited that many of their customers used the same password for their site and the email account.

    Which makes the linked-in customers idiots. However: if this is what linked-in have done then they should be prosecuted to the fullest extent of the law, in the UK that would be under the computer misuse act, those responsible should be extradited from the USA if necessary. I am not talking about some minion in a technical department but the director who was responsible.

  3. Someone didn't read the screen, methinks. by stereoroid · · Score: 5, Informative

    I know LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them, but you can just ignore that. It isn't mandatory, but if you don't read what it says on screen, you might think it is. So I'm more inclined to suspect that's what happened: the complainant entered his email address and password when prompted, and now thinks he's been hacked.

    --
    (this is not a .sig)
    1. Re:Someone didn't read the screen, methinks. by Greg01851 · · Score: 5, Insightful

      Exactly my thoughts. You can have LinkedIn import your email contacts for 'contact suggestions' https://www.linkedin.com/fetch/importAndInviteEntry?trk=nav_responsive_sub_nav_add_connections These people probably did this and forgot that they did so.

    2. Re:Someone didn't read the screen, methinks. by Stan92057 · · Score: 4, Insightful

      Think about that for a second:

      "LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them"

      LinkedIn users are too stupid to email and connect to their friends on their own?? This isn't a service, it's an email address spidering scam.

      --
      Jack of all trades,master of none
    3. Re:Someone didn't read the screen, methinks. by radish · · Score: 2

      Cookies are bound to domains, and JS isn't allowed to cross domains (same origin policy). So yes, you can open a new tab or window and get into your mail without a login, but no, another site in another tab can't just suck down that data. Well, unless they're using an XSS exploit or something, but that would be what they're being accused of :)

      --
      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    4. Re:Someone didn't read the screen, methinks. by mapkinase · · Score: 2

      > These people probably did this and forgot that they did so.

      Actually that's about the only thing I remember now.

      Since we are talking about LinkedIn, what do you guys do with the flurry of all those "endorsement" that started several months ago? I suspect those are just from people randomly pressing buttons on their screens, because I got those from people who have no idea what I am doing right now.

      I feel uneasy not reciprocating to those but so far I am standing my ground. May be I am the black sheep of my network because of that....

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    5. Re:Someone didn't read the screen, methinks. by nabsltd · · Score: 2

      Since we are talking about LinkedIn, what do you guys do with the flurry of all those "endorsement" that started several months ago? I suspect those are just from people randomly pressing buttons on their screens, because I got those from people who have no idea what I am doing right now.

      I feel uneasy not reciprocating to those but so far I am standing my ground. May be I am the black sheep of my network because of that....

      Like anything else concerned with my work history/resume, I treat it with honesty.

      If I personally know somebody is really good at something, I'll endorse them. Otherwise, it doesn't matter how good a friend they are, I won't. To be honest, I'd like there to be a "negative endorsement" system, too. Since only direct links would be allowed to do this, it would make people only link to people they really have a connection to, and would keep people more honest about their skills.

  4. Re:Old News by Goaway · · Score: 2

    'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'

  5. Data Mining or Cyber-Yenta? by retroworks · · Score: 3, Funny

    I certainly noticed LinkedIn had access to my email sent-lists, but after logging into it a thousand times it's hard to know for sure I didn't check, or fail to check, a box that comes up asking my permission to do so. It just takes one time. Maybe this case will succeed, I'm afraid I've succumbed to thinking we have no more privacy or right to cover our tracks than we did walking past gossipy women in medieval villages. LinkedIn, Google, and Facebook have become the modern day cyber-Yentas, sometimes aggravatingly meddlesome, sometimes making a lifelong connection.

    Submitted by Anonymous Coward on Saturday September 21, 2013 @09:55AM. Oh shoot...

    --
    Gently reply
  6. 99% sure I can explain what happened here by JoyW · · Score: 5, Interesting

    This is a case of confusing UI defaults, I think, but given that *I* also got caught by it (and was mortified), even though LinkedIn isn't "hacking" anybody, I don't have a lot of sympathy for them (LinkedIn--have enormous sympathy with the users, even though I suspect their case won't stand up in court).

    Here's what I think happened to me (as best I can remember...I'm not about to try to reproduce it): Yeah, sure, look for my contacts (provide Gmail username/password...all assurances are given they won't email anyone without your permission blah blah). LinkedIn shows you a list of a few dozen (IIRC) contacts in a frame (possibly those you most recently exchanged email with?); I deselected all of those and then carefully went through and selected a very small subset I actually wanted to "connect to." Once I've done that, I hit submit (or whatever) and get some confirmation, "We're going to send the invite, okay?" Yeah, sure...it's only sending to a few people, right? SOMEWHERE on that confirmation (again, IIRC) is a checkbox that alludes to the fact that, oh? All the contacts you DIDN'T unselect--IN YOUR ENTIRE CONTACTS LIST--are gonna get an email. Got to the next screen and it said something like "200 emails sent" and the expletives flew. (I can see missing that message...it was small.) Of course I was doing this process while I was watching TV or something--it didn't have my full attention--but the behavior was SO counter to my expectations of opting-in I was floored.

    I can see why users would think LinkedIn "stole their contacts when their email was left open"--they're thinking that subset-selecting frame is the only time LinkedIn is (transparently) accessing their account (and therefore shouldn't do anything with contacts that don't appear in that frame, which makes sense in terms of user expectation).

  7. Re:What the hell is "left open"? by Anonymous Coward · · Score: 2, Insightful

    Wouldn't that also imply clear-text password storage at the LinkedIn end? In itself quite a bad revelation if that is the case.

  8. LinkedIn is a joke by paiute · · Score: 4, Funny

    When random people I know only slightly and who don't know my skill set are allowed to "endorse" me for knowledge and training they don't know that I have, it makes the whole of LinkedIn worthless to me except as a source of phone numbers. And often those are not even available. It has become Facebook with a clip-on tie.

    --
    If Slashdot were chemistry it would look like this:Cadaverine
  9. Re:Fuck class action by Stan92057 · · Score: 2, Informative

    When we were students, all students said every morning:

    I pledge allegiance to the flag of the United States of America and to the republic for which it stands, one nation under God, indivisible, with liberty and justice for ALL.

    It is a national embarrassment and a flat out lie. It's liberty and justice for all who can afford it.

    --
    Jack of all trades,master of none
  10. Re:Old News by Virtucon · · Score: 2

    Uh, better yet, don't use LinkedIn; it's a dumping ground for people who pad their resumes (CVs).

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  11. Re:What the hell is "left open"? by mapkinase · · Score: 4, Insightful

    I already forgot what I did on LinkedIn when I joined it several years ago, but didn't we all give them our contact lists voluntarily so they would check if our acquaintances have it? Maybe I am confusing this with Google+.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  12. Re:Doesn't make sense by Anonymous Coward · · Score: 3, Insightful

    Working in the Corporate world, I've seen this happen to people before. They sign up on LinkedIn, suddenly everyone on their contacts list starts getting "invites".
    All the examples I've personally seen were people who accessed LinkedIn on a smartphone. One co-worker suddenly started spamming invites to a couple distribution lists at the company.... he had just logged in using his work-supplied phone and it scraped his contact list. And since he's always 'logged in' with the work email, it started scraping the entire company directory.
    We awarded them with a permanent spot on our spam Blacklist, and blackholed their IP space.

  13. Re:Doesn't make sense by Skapare · · Score: 4, Informative

    Their client side code is running in the same web browser as the one the user logged in to that user's web based email with. It's a browser security issue. Once they know the domain in your email address, they know how to watch you for when you log in to your email web site. They don't need the password since it is already logged in. They can't get the password used, but they can get the email contact list, and the contents of the email you are currently reading.

    --
    now we need to go OSS in diesel cars
  14. Re:Maybe they were accessing a cookie? by hairyfeet · · Score: 4, Interesting

    That was what I was thinking. They probably used something similar to the "Yahoo Porn Bug" that I wrote about in my journal in which some porn sites were using a hidden iFrame to get into yahoo using auto-complete and between that and using an open session cookie that would cover a pretty good chunk of the users.

    I'm just glad I gave them my spamdump email and quit using it after a month or so, that place seemed awful spammy to me and if you can't keep your site going without spamming folks? Then frankly you probably aren't worth messing with in the first place.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  15. Something Odd by smillie · · Score: 4, Interesting

    LinkedIn suggests numerous names of people I know but have never exchanged emails with. It even suggested the name of my kid's girlfriend, and my kid's last name doesn't match mine and we have no common links on LinkedIn. I've limited my links to old co-workers from AT, no family, no friends. There is no possible way they could have accessed my email because it requires an ssh login to a firewall server with a different userid and password, then an ssh connection to the mail server with yet another password. Those passwords are also different than my LinkedIn password. I'm not on any social media sites except LinkedIn and Slashdot. Neither my Slashdot name nor password matches my LinkedIn name or password. There has to be some data mining going on but it's not through email and not through any other social media. I have noticed that others from the companies I've worked for show up in the suggestions, including people I've never met. I'm not sure why they keep suggesting Texas people who worked for AT&T when I've only been in Michigan. It looks like they could have gotten my email contact list but I know they couldn't have. So I'm thinking that others seeing their email contacts show up might just be mistaken on how LinkedIn got the names.

    --
    Dyslexics Untie!

  16. Re:Doesn't make sense by Zero__Kelvin · · Score: 3, Informative

    I don't use web based email. That being said, they can't do what you are claiming they can on any modern browser, as far as I know. Do you know of a modern browser that doesn't enforce a same-origin policy?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  17. Re:Dead mom by nabsltd · · Score: 4, Interesting

    I've seen other names come up in LinkedIn that could only be via my Google contacts.

    Or, LinkedIn could just have an insanely good algorithm. I was recently presented with a "someone you might know" when I logged in to LinkedIn, and I did know them, but I have no clue how LinkedIn figured it out.

    They had just joined LinkedIn in the past week. They used a different e-mail address (different provider/domain) from the one I contact them with and the e-mail address they contact me with isn't the one that LinkedIn has for me. I don't use any webmail (host my own e-mail and access via imap) and so LinkedIn can't get any contacts from me, even if they did "hack my e-mail" (which is unlikely as my e-mail username isn't the e-mail address they have for me and the password for my actual account isn't the same as my LinkedIn login). All of their links at the time were people from their new work (I don't work with them...they are just a friend).

    So, basically, LinkedIn had no direct way to connect us, yet it did.

  18. Re:What the hell is "left open"? by Astronomerguy · · Score: 2, Interesting

    Bah! Rushing through things. My AC post was the one where I declined to give them access to my contacts list and they disregarded my selection and spammed everyone whom I ever corresponded with.

  19. Re:What the hell is "left open"? by Zemran · · Score: 3, Interesting

    Not quite true. When I opened a Facebook account several years ago, I registered using my Yahoo account. I know how often I have changed my password and there are some specific times when I have changed all my passwords when I have had a virus or a rabid g/f using my computer. Facebook manages to recommend people that have been added to my Yahoo contacts since the password has been changed and they have no legitimate way of knowing who I add. I only use Yahoo for work contacts and use Gmail for my friends, but none of my new Gmail contacts get recommended to me. The contacts on Yahoo are not contacts of my friends who are contacts on Gmail. I am absolutely certain that Facebook has access to my Yahoo contacts in the way that these guys are certain that LinkedIn is doing to them. I assume that Yahoo etc. allow this to happen and now I always use throwaway addresses.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  20. Re:Old News by whoever57 · · Score: 2

    AND do not login to your email using the same browser you login to LinkedIn with.

    I do use the same browser to log into gmail as I use for LinkedIn, yet, LinkedIn has never mined my gmail contacts. LinkedIn keeps nagging me to give it my gmail password so that it can mine my gmail contacts and I nearly did this once because of the less than clear information on the page. So, for the people who are complaining, either:
    1. LinkedIn tried using their LinkedIn password against their email login, or:
    2. they misread the LinkedIn page and explicitly gave LinkedIn permission to mine their contacts.

    note that option 1 implies that LinkedIn stores clear text passwords, contrary to claims made by LinkedIn in 2012 when some users' passwords were stolen.

    --
    The real "Libtards" are the Libertarians!
  21. Re:What the hell is "left open"? by Anonymous Coward · · Score: 2, Funny

    Help help, I am the real Astronomerguy. The person above hacked my LinkedIn account. Please contact Cyberpolice.

  22. Re:What the hell is "left open"? by whoever57 · · Score: 2

    They tried using people's linkedin passwords for their email accounts,

    Which would require clear text storage of LinkedIn passwords. In 2012 when there was a compromise, LinkedIn claimed that they stored an unsalted hash.

    --
    The real "Libtards" are the Libertarians!
  23. Wait, You stayed logged into Gmail by mysidia · · Score: 2, Interesting

    And you were shown an allow-application screen stating "The site www.linkedin.com is requesting access to your Google Account for the product(s) listed below. ....
    Google Contacts"

    And you clicked Grant Access: possibly without reading and understanding the fine print of the service agreement, or clicking the LEARN MORE link

    And your "I don't really care about my privacy" attitude is LinkedIn "hacking" your account?

    How is it fair to imply Linkedin has all the due care burden regarding your privacy, and YOU HAVE NONE?

    If you don't care about your privacy you are eventually going to get burned

    They could have posted a privacy policy stating We can share all your details, including personal identifying information, browsing history, click history, ALL EMAIL MESSAGES IN YOUR MAILBOX, Sent Mail, Mail folders, etc, with anyone and everyone; at our sole discretion, and you would have never noticed.

    1. Re:Wait, You stayed logged into Gmail by JoyW · · Score: 2

      Just had to do some experimenting...it's using OpenID and yes, it tells you it wants access to your contacts (of course...that's why you'd have opted to do that, right?) BUT the UI is very misleading--it's easy to send invites you didn't mean to send in that initial session, and worse, there's nothing that would suggest to users that if you give LinkedIn access in this way ONCE, it will continue to have access until you revoke its access in Google.

  24. Re:Fuck class action by Zemran · · Score: 3, Insightful

    No, you are wrong, not 'all' students, only US students. We don't have that 3rd world stuff in the UK.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  25. Re:Doesn't make sense by arth1 · · Score: 3, Informative

    The part after "@" gives them all the info they need (e.g. @gmail.com @yahoo.com).

    No, it doesn't. That gives you enough info to look up the MX (or if lacking that, A) records in DNS to find out where to send mail to. It doesn't tell the address of the server where the user accesses the delivered mail.

    I'm myname@somecompany.com, but to fetch mail, I have to go to na-pop3.othercompany.com
    And even then, there's no address book available over the pop3 protocol. Just my mail.

  26. Re:Maybe they were accessing a cookie? by Jane+Q.+Public · · Score: 2

    "Maybe they used a cookie for an email session that was already opened by the browser?"

    Unlikely.

    If they were doing this at all, I'd give you 10 to 1 they were just trying the external email accounts using the same passwords the users use on LinkedIn. That's easy, and it would likely have a success rate of 50% or even more.

    More troubling: if that's what they did it implies that LinkedIn stores your password in plaintext somewhere.
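The storage question raised by whoever57 and Jane Q. Public above, as an added illustration (not LinkedIn's code): a service that keeps only salted, iterated hashes can verify a login but holds nothing it could replay against another account, whereas the unsalted hash records the thread mentions make identical passwords visible across users without any cracking. All user names and passwords below are constructed sample values.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumption for this illustration


def store_unsalted(password: str) -> bytes:
    """Unsalted SHA-1 record, the kind of scheme the thread says LinkedIn admitted to in 2012.
    Equal passwords give byte-identical records, so shared passwords are visible across users."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def store_salted(password: str, salt: bytes = b"") -> tuple:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).
    The service keeps (salt, digest) and never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(record: tuple, candidate: str) -> bool:
    """All a hashing site can do with a login attempt: recompute and compare in constant time.
    It cannot forward the password to another system, because it does not have it."""
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def linkable_users(records: dict) -> list:
    """Pairs of users whose stored records are byte-identical.
    With unsalted hashes this exposes who shares a password; with salted ones it finds nothing."""
    seen = {}
    pairs = []
    for user, rec in records.items():
        for other in seen.get(rec, []):
            pairs.append((other, user))
        seen.setdefault(rec, []).append(user)
    return sorted(pairs)


def demo() -> dict:
    """Constructed users; alice and bob reuse the same password."""
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    return {
        "unsalted_linkable": linkable_users(unsalted),
        "salted_linkable": linkable_users({u: s + d for u, (s, d) in salted.items()}),
        "alice_login_ok": verify_salted(salted["alice"], "correct horse"),
        "alice_wrong_pw": verify_salted(salted["alice"], "wrong password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```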

  27. Re:What the hell is "left open"? by Jane+Q.+Public · · Score: 2

    Funny. I hadn't read these comments but I came to the same conclusion. I think that's likely what they did, and yes that implies that they have users' passwords in plaintext.

  28. Re:What the hell is "left open"? by JoshRosenbaum · · Score: 4, Insightful

    I'd say it's more likely that one of your friends is allowing Facebook to scrape their email account and you are getting associated in that way. There's no need for them to hack your account when they can get all that data from someone else. No matter how much we try to keep our privacy, it's easily destroyed when one of our connections gives up all their data.

  29. Re:PRIVACY == CLASS by Todd+Knarr · · Score: 2

    The problem is that mostly this stuff is given voluntarily. It's just not given by you. You voluntarily connect with person A, for good reasons. And then person A, for reasons that seem good to them (maybe because in their work the connections they have affect their income), makes it public that they're connected to you. Then for good reasons they connect to person B. And person B is careless, or doesn't think, and they let a site siphon up their connections. Presto, that site now knows about your connection to person A.

    The basic problem is that "voluntary" is transitive and "private" is not, but we treat it as if it's the other way around.

  30. I think they are using the mobile apps by Quick+Reply · · Score: 4, Interesting

    I am in a similar situation where I have a couple of Google Apps accounts that I ONLY use for work-related purposes. NOTHING ELSE. Never authorise anything to use them; keep it all on my personal. Sure enough LinkedIn has slurped some contacts from sent items. I use different passwords for everything. I hardly have even used LinkedIn, much less with a work related email account open (I hardly open them). The ONLY way they could have stolen it (that is the only thing running at the same time) would be a mobile app, either from my Android or iOS device. I have these work accounts set up permanently on these devices and foolishly, it seems, loaded the LinkedIn app.

    Funny enough ALL these email accounts have been getting spam lately from "Dr OZ" to their actual address, which is strange when I use disposable email addresses for EVERYTHING, including client contact. The only thing I use the actual address for is to log in and set up the mail client. These email addresses must have been slurped from a mobile app, not sure if it was LinkedIn or another app.

    1. Re:I think they are using the mobile apps by hairyfeet · · Score: 4, Interesting

      That is why I NEVER use my real email on my smartphone. I only use my Gmail which is for forums and spamdump sites and I have it set to not sync as I have a backup app for keeping contacts and the like. BTW if you are on Android it's called "Super backup" and it's free, works pretty good and lets me just send my backups to my email as an encrypted file which is nice.

      As far as LinkedIn, even when I was working corporate I honestly didn't use it enough to make it worth keeping. I'd have some contact ask about it but when I replied "How much time do you REALLY spend on that site?" it would turn out it was just buzzword bingo; everybody THOUGHT they needed it but then with a little thought they realized they hardly ever touched the thing. It really doesn't surprise me to see them being spammy; the few times I used it all I ended up with is some Chinese scammer or other fly by night crap. It's really kinda pointless, at least for me.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:I think they are using the mobile apps by Quick+Reply · · Score: 3, Informative

      LastPass.

  31. This is true by dutchwhizzman · · Score: 2

    This is true. That is exactly what they do. They even check CC: headers to see what sort of link you have and weed out the mailing list sender addresses and stuff. Since the amount of people allowing LinkedIn access to their account is so big, even if you don't give them access to yours, they will still be able to figure out about 80% of your contact list. This company is extremely good at "Big Data" and correlating it. It's why their platform is the most popular and by far the biggest "business contact" social media network.

    I've had it explained by them a while ago when I asked them to remove everything they pulled from my e-mail account. They had stuff that they couldn't have pulled from there and I never gave them permission to get. They then explained that they most likely got it from the other party involved and that they do a lot of correlation on the stuff they harvest to come up with possible matches.

    Even though I don't approve of what LinkedIn is doing, it's not illegal (in the USA) and I really doubt that these people suing them will get anything out of this case. I think it may be illegal in some countries in Europe because gathering personal information on people if they are not a user or customer of your services is illegal there. They are one of the companies that are known to keep "ghost profiles" (Google and FaceBook do too) of you. I have yet to see any of them brought to court in those European countries, but I doubt they'd win a properly prepared case there.

    --
    I was promised a flying car. Where is my flying car?
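The inference that dutchwhizzman describes here, and that Todd Knarr and JoshRosenbaum describe above (your contact list reconstructed from what other people uploaded, even though you never shared anything), as an added illustration that is not LinkedIn's code. Every address and address book below is constructed; the "direct" step uses who listed you, the "co-occurrence" step uses who appears alongside you in the same uploaded book, similar to the To:/CC: correlation the comment mentions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: each uploader's address book as a service receives it
# after that uploader clicks "import contacts". Carol never uploaded anything.
UPLOADED_BOOKS = {
    "alice@example.com": {"carol@example.net", "dave@example.org", "erin@example.com"},
    "bob@example.org":   {"carol@example.net", "frank@example.net", "alice@example.com"},
    "dave@example.org":  {"alice@example.com", "carol@example.net", "grace@example.org"},
    "frank@example.net": {"bob@example.org", "grace@example.org"},
}

# Carol's real address book, which the service never saw. Used here only to
# measure how much of it can be reconstructed from the other uploads.
CAROL_TRUE_BOOK = {"alice@example.com", "bob@example.org", "dave@example.org",
                   "grace@example.org", "heidi@example.com"}


def build_graph(books):
    """Undirected graph: an edge between each uploader and every address they listed."""
    graph = defaultdict(set)
    for uploader, book in books.items():
        for addr in book:
            graph[uploader].add(addr)
            graph[addr].add(uploader)
    return graph


def cooccurrence(books):
    """Addresses that appear together in the same uploaded book (like names on one CC: line)."""
    together = defaultdict(set)
    for book in books.values():
        for a, b in combinations(sorted(book), 2):
            together[a].add(b)
            together[b].add(a)
    return together


def infer_contacts(target, books):
    """Contacts attributable to `target` using nothing but other people's uploads."""
    direct = set(build_graph(books).get(target, set()))       # people who listed target
    nearby = set(cooccurrence(books).get(target, set()))      # people listed alongside target
    return {"direct": direct, "direct_and_cooccurrence": direct | nearby}


def coverage(inferred, true_book):
    """Fraction of the real (never uploaded) book that the inference recovered."""
    return len(inferred & true_book) / len(true_book)


def precision(inferred, true_book):
    """Fraction of inferred contacts that are real; the rest are the 'who is this?' suggestions."""
    return len(inferred & true_book) / len(inferred) if inferred else 0.0


if __name__ == "__main__":
    result = infer_contacts("carol@example.net", UPLOADED_BOOKS)
    for mode, contacts in result.items():
        print(f"{mode}: {sorted(contacts)}")
        print(f"  recovered {coverage(contacts, CAROL_TRUE_BOOK):.0%} of Carol's real book, "
              f"precision {precision(contacts, CAROL_TRUE_BOOK):.0%}")
```

Carol uploaded nothing, yet three of her five real contacts are recovered from the direct step alone and four of five once co-occurrence is added; the price of the second step is the false suggestions that several commenters noticed.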
  32. Re:Maybe they were accessing a cookie? by icebike · · Score: 2

    And even more troubling, it would be a serious violation of the law in many states to do so.
    Just because you learn both my email address and password doesn't give you authority to log in.

    If Google can prove they did log in, that alone might be enough for a huge lawsuit.

    Personally I suspect the LinkedIn Android App slurps your addresses from the phone, but I'm not about to install it and find out.
    My spam folder is full of Linkedin invitations.

    --
    Sig Battery depleted. Reverting to safe mode.
  33. can not access my contact list by BradMajors · · Score: 2

    After this happened with my yahoo contact list, I changed my linkedin e-mail to a non-yahoo email. I received a message from linkedin that they could not access my contact list and they told me to change my e-mail service provider.