Slashdot Mirror
LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts
cold fjord writes with this Business Week report: "LinkedIn Corp. ... was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts' addresses. The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site ... 'LinkedIn's own website contains hundreds of complaints regarding this practice,' they said in the complaint filed Sept. 17. ... LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open ... 'LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'"
"This puts an interesting twist on LinkedIn's recent call for transparency," adds cold fjord. (More at Bloomberg.)
It was embarrassing and prompted me to close the account. Clearly a violation of privacy. I think at the time I used the same password as for my email account.
They probably exploited that many of their customers used the same password for their site and the email account.
Which makes the linked-in customers idiots. However: if this is what linked-in have done then they should be prosecuted to the fullest extent of the law, in the UK that would be under the computer misuse act, those responsible should be extradited from the USA if necessary. I am not talking about some minion in a technical department but the director who was responsible.
I know LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them, but you can just ignore that. It isn't mandatory, but if you don't read what it says on screen, you might think it is. So I'm more inclined to suspect that's what happened: the complainant entered his email address and password when prompted, and now thinks he's been hacked.
(this is not a
I certainly noticed LinkedIn had access to my email sent-lists, but after logging into it a thousand times it's hard to know for sure I didn't check, or fail to check, a box that comes up asking my permission to do so. It just takes one time. Maybe this case will succeed, I'm afraid I've succumbed to thinking we have no more privacy or right to cover our tracks than we did walking past gossipy women in medieval villages. LinkedIn, Google, and Facebook have become the modern day cyber-Yentas, sometimes aggravatingly meddlesome, sometimes making a lifelong connection.
Submitted by Anonymous Coward on Saturday September 21, 2013 @09:55AM. Oh shoot...
Gently reply
This is a case of confusing UI defaults, I think, but given that *I* also got caught by it (and was mortified), even though LinkedIn isn't "hacking" anybody, I don't have a lot of sympathy for them (LinkedIn--have enormous sympathy with the users, even though I suspect their case won't stand up in court).
Here's what I think happened to me (as best I can remember...I'm not about to try to reproduce it): Yeah, sure, look for my contacts (provide Gmail username/password...all assurances are given they won't email anyone without your permission blah blah). LinkedIn shows you a list of a few dozen (IIRC) contacts in a frame (possibly those you most recently exchanged email with?); I deselected all of those and then carefully went through and selected a very small subset I actually wanted to "connect to." Once I've done that, I hit submit (or whatever) and get some confirmation, "We're going to send the invite, okay?" Yeah, sure...it's only sending to a few people, right? SOMEWHERE on that confirmation (again, IIRC) is a checkbox that alludes to the fact that, oh? All the contacts you DIDN'T unselect--IN YOUR ENTIRE CONTACTS LIST--are gonna get an email. Got to the next screen and it said something like "200 emails sent" and the expletives flew. (I can see missing that message...it was small.) Of course I was doing this process while I was watching TV or something--it didn't have my full attention--but the behavior was SO counter to my expectations of opting-in I was floored.
I can see why users would think LinkedIn "stole their contacts when their email was left open"--they're thinking that subset-selecting frame is the only time LinkedIn is (transparently) accessing their account (and therefore shouldn't do anything with contacts that don't appear in that frame, which makes sense in terms of user expectation).
When random people I know only slightly and who don't know my skill set are allowed to "endorse" me for knowledge and training they don't know that I have, it makes the whole of LinkedIn worthless to me except as a source of phone numbers. And often those are not even available. It has become Facebook with a clip-on tie.
If Slashdot were chemistry it would look like this:Cadaverine
I already forgot what I did on Linkedin when I joined it several years ago, but didn't we all gave them our contact lists voluntarily so they will check if our acquaintances have it? May be I am confusing this with Google+
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
Working in the Corporate world, I've seen this happen to people before. They sign up on LinkedIn, suddenly everyone on their contacts list starts getting "invites".
All the examples I've personally seen were people who accessed LinkedIn on a smartphone. One co-worker suddenly started spamming invites to a couple distribution lists at the company.... he had just logged in using his work-supplied phone and it scraped his contact list. And since he's always 'logged in' with the work email, it started scraping the entire company directory.
We awarded them with a permanent spot on our spam Blacklist, and blackholed their IP space.
Their client side code is running in the same web browser than the user logged in to that user's web based email with. It's a browser security issue. Once they know the domain in your email address, they know how to watch you for when you login to your email web site. They don't need the password since it is already logged in. They can't get the password used, but they can get the email contact list, and the contents of the email you are currently reading.
now we need to go OSS in diesel cars
That was what I was thinking. They probably used something similar to the "Yahoo Porn Bug" that I wrote about in my journal in which some porn sites were using a hidden iFrame to get into yahoo using auto-complete and between that and using an open session cookie that would cover a pretty good chunk of the users.
I'm just glad I gave them my spamdump email and quit using it after a month or so, that place seemed awful spammy to me and if you can't keep your site going without spamming folks? Then frankly you probably aren't worth messing with in the first place.
ACs don't waste your time replying, your posts are never seen by me.
Linkedin suggests numerous names of people I know but have never exchanged emails with. It even suggested the name of my kid's girlfriend and kid's last name doesn't match mine and we have no common links on linkedin. I've limited my links to old co-workers from AT no family, no friends. There is no possible way they could have accessed my email because it requries an ssh login to a firewall server with a different userid and password, then an ssh connection to the mail server with yet another password. Those passwords are also different than my linkedin password. I'm not on any social media sites except linkedin and slashdot. Neither my slashdot name nor password matchs linkedin name or password. There has to be some data mining going on but it's not through email and not through any other social media. I have noticed that others from the companies I've worked for shown up in the suggestions including people I've never met. I'm not sure why they keep suggesting Texas people who worked for AT&T when I've only been in Michigan. It looks like they could have gotten my email contact list but I know they couldn't have. So I'm thinking that others seeing their email contacts show up might just be mistaken on how linkedin got the names.
Dyslexics Untie!
I don't use web based email. That being said they can;t do what you are claiming they can on any modern browser as far as I know. Do you know of a modern browser that doesn't enforce a same-origin policy?.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I've seen other names come up in LinkedIn that could only be via my Google contacts.
Or, LinkedIn could just have an insanely good algorithm. I was recently presented with a "someone you might know" when I logged in to LinkedIn, and I did know them, but I have no clue how LinkedIn figured it out.
They had just joined LinkedIn in the past week. They used a different e-mail address (different provider/domain) from the one I contact them with and the e-mail address they contact me with isn't the one that LinkedIn has for me. I don't use any webmail (host my own e-mail and access via imap) and so LinkedIn can't get any contacts from me, even if they did "hack my e-mail" (which is unlikely as my e-mail username isn't the e-mail address they have for me and the password for my actual account isn't the same as my LinkedIn login). All of their links at the time were people from their new work (I don't work with them...they are just a friend).
So, basically, LinkedIn had no direct way to connect us, yet it did.
Not quite true. When I opened a Facebook account several years ago, I registered using my Yahoo account. I know how often I have changed my password and there are some specific times when I have changed all my passwords when I have had a virus or a rabid g/f using my computer. Facebook manages to recommend people that have been added to my Yahoo contacts since the password has been changed and they have no legitimate way of knowing who I add. I only use Yahoo for work contacts and use Gmail for my friends but none of my new Gmail contacts get recommended to me. The contacts on Yahoo are not contacts of my friends who are contacts on Gmail. I am absolutely certain that Facebook has access to my Yahoo contacts in the way that these guys are certain that LinkdIn is doing to them. I assume that Yahoo etc. allow this to happen and now I always use throw away address.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
No, you are wrong, no 'all' students, only US students. We don't have that 3rd world stuff in the UK.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
The part after "@" gives them all the info they need (e.g. @gmail.com @yahoo.com).
No, it doesn't. That gives you enough info to look up the MX (or if lacking that, A) records in DNS to find out where to send mail to. It doesn't tell the address of the server where the user accesses the delivered mail.
I'm myname@somecompany.com, but to fetch mail, I have to go to na-pop3.othercompany.com
And even then, there's no address book available over the pop3 protocol. Just my mail.
I'd say it's more likely that one of your friends is allowing Facebook to scrape their email account and you are getting associated in that way. There's no need for them to hack your account when they can get all that data from someone else. No matter how much we try to keep our privacy, it's easily destroyed when one of our connections gives up all their data.
I am in a similar situation where I have a couple of Google Apps accounts that I ONLY use for work-related purposes. NOTHING ELSE. Never authorise anything to use them keep it all on my personal. Sure enough LinkedIn has slurped some contacts from sent items. I use different passwords for everything. I hardly have even used LinkedIn, much less with a work related email account open (I hardly open them). The ONLY way they could have stole it (That is the only thing running at the same time) would be a mobile app either from my Android or iOS device. I have these work accounts set up permanently on these devices and foolishly it seems loaded the LinkedIn app.
Funny enough ALL these email accounts have been getting spam lately from "Dr OZ" to their actual address, which is strange when I use disposable email addresses for EVERYTHING, including client contact. The only thing I use the actual address for is to log in and set up the mail client. These email addresses must have been slurped from a mobile app, not sure if it was LinkedIn or another app.