
Has LinkedIn lost control of its user email database? - ColinWright
The email address that I created exclusively for my (much reviled) LinkedIn account has just received a virus.  Does this mean their database of user emails has been leaked?  Compromised?  Sold?

Or are their systems just sufficiently poor that the email has leaked through other means?
======
0898
Your connections can see your email address:
[http://www.ianharris.com/linkedin-email/](http://www.ianharris.com/linkedin-email/)

~~~
jaebrown
WOW!!! Didn't know that. It could explain why connecting with someone you know
is so important. When I think about it: Here is a situation that has
happened a couple of times in the past couple of years: Someone requests to
connect with me, we have a lot of the same connections and they really look
like an all-star but there is no picture. I connected on the feeling "Why Not,
a lot of my connections are connected to this person". I then get emails as if
I subscribed to a much smaller service similar to a Monsters.com or Dice.com
for technology related positions. I also get recruiters sending me emails
directly, and in one instance a recruiter called the main line to my employer
and asked to speak with me and got transferred over.

I've always wondered how these things were taking place but never took the
time to investigate because of how infrequent the occurrences were. It usually
takes a while to unsubscribe from these services via email, so I just mark as
SPAM. I just looked and they're still sending stuff, at least some are. I just
removed all people I didn't know from shaking their hand from my connections;
which includes recruiters that only request invitation to connect to talk
about a job opportunity.

I wonder if LinkedIn knows about this sort of Growth Hacking type of SPAM or
just doesn't care?

~~~
kromodor
In a way it leaves the impression that they know it. They put the export
option there.

------
larzang
How could you tell the difference from the regular LinkedIn experience?

------
spindritf
Speaking of e-mail leaks, has Tumblr?

I started receiving spam (the dumbest, v1agra type) to tumblr@mydomain.tld
which I think I have only used for tumblr and years ago since I let my account
be purged at some ToS change a while back. Although I might have also used it
for a service merely associated with tumblr.

~~~
ibmthrowaway218
There's a good chance that tumblr@example.org is going to be a real account.

If you started getting spam to tumblr.w8ke2iowieiu3k3@example.org then I'd be
suspicious. (I must remember to do this for new things I sign up to.)
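
The idea in the comment above, as an added example that is not part of the original thread: derive an unguessable per-service address from a local secret, so that the recipient address of any later spam can be checked and attributed to one signup. The secret, the `example.org` catch-all domain and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

SECRET = b"constructed-example-secret"  # assumption: kept private by the mailbox owner
DOMAIN = "example.org"                  # assumption: catch-all domain you control
TAG_LEN = 16                            # 16 base32 characters = 80 bits of tag

def _tag(service: str) -> str:
    """Keyed tag for a service name; infeasible to guess without SECRET."""
    mac = hmac.new(SECRET, service.lower().encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]

def address_for(service: str) -> str:
    """Address to hand to exactly one service at signup."""
    return f"{service.lower()}.{_tag(service)}@{DOMAIN}"

_RCPT = re.compile(r"([a-z0-9-]+)(?:\.([a-z0-9]+))?@" + re.escape(DOMAIN))

def classify(recipient: str):
    """Return (verdict, service) for the recipient of an unwanted message."""
    m = _RCPT.fullmatch(recipient.strip().lower())
    if m is None:
        return ("not-ours", None)
    service, tag = m.groups()
    if tag is None:
        return ("guessable", service)    # bare word: a dictionary run could hit it
    if hmac.compare_digest(tag, _tag(service)):
        return ("disclosed", service)    # came from that signup or someone it was shown to
    return ("invalid-tag", service)      # right shape, wrong tag: guessed or mistyped

if __name__ == "__main__":
    # Constructed recipients, standing in for the envelope addresses of spam.
    for rcpt in (address_for("linkedin"), "tumblr@example.org",
                 "tumblr.w8ke2iowieiu3k3@example.org"):
        print(rcpt, classify(rcpt))
```

A `disclosed` verdict says the address came out of that service's ecosystem, not how: as the thread notes, connections and export tools can see it too.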

~~~
ColinWright
This is similar in principle to the compromised address, which is why, despite
the downvotes I'm getting elsewhere[0][1], I'm fairly confident that this
isn't just a dictionary or a fishing attack, but a genuine leak. Other
comments suggest that the leak may not be from LinkedIn themselves, but simply
from their business model/systems leaking information.

[0]
[https://news.ycombinator.com/item?id=8367103](https://news.ycombinator.com/item?id=8367103)

[1]
[https://news.ycombinator.com/item?id=8367296](https://news.ycombinator.com/item?id=8367296)

~~~
skuhn
In my case, both linkedin and tumblr e-mail addresses have been leaked
somehow. It was definitely not a simple dictionary attack, based on the
addresses I used.

------
smtddr
Ya know, in the past 2 weeks I got "cold-call" emailed from recruiters
_directly_ to my personal email; not through LinkedIn's InMail feature. One
from life360.com and another from jut.io. That hasn't happened to me in over 6
years and the recruiters seem to know what my LinkedIn profile info says. But,
it's a gmail and I know that if you get my gmail from anywhere and put it into
"[https://plus.google.com/u/0/up/search](https://plus.google.com/u/0/up/search)",
you can find my G+ which links to my LinkedIn.

I've been wondering how they got my email...

~~~
laxatives
There are several companies that work on crawling public pages and matching
profiles to identities to provide recruiters work experience, phones, and
emails like entelo and gild.

------
Joeboy
I generally register to every service with a different email address. The main
ones I get spam to are the ones for Adobe, Groupon, Lastfm, Linkedin and oddly
Battersea Arts Centre.

Edit: That's based on a quick look in my spam folder, not anything
statistically sound.

------
JohnTHaller
Could be. Or it could be a server on either end. Or a connection in between.
Email is inherently insecure. So, even though you have an SSL connection to
your server when you send your email and they have an SSL connection to their
server when they receive it, your two servers make a plaintext connection to
actually send the email from one to the other.

~~~
rbxs
Or a tool that just generates random mail addresses ending with a popular
e-mail provider domain.

~~~
ColinWright
The email to which I'm receiving viruses and spam is not of that form.

Edit: To those who are downvoting - the comment to which I'm replying says:

    
    
        > Or a tool that just generates random
        > mail addresses ending with a popular
        > e-mail provider domain.
    

Firstly, the address does not end with the domain of a popular e-mail
provider, hence the email address to which I'm receiving these unwanted emails
is not of that form. Thus my reply is true, and informative.

It's also neither a random user at the domain, nor a dictionary element, nor a
simple variant on a dictionary element, nor short, nor public (until now), nor
falls into any of the formats I see and deduce from the dictionary attacks on
the servers I run. And it is long, and has internal structure. Thus it is,
again, not of the form being described in my comment.

So thank you for the down-votes, but I feel that my comment is true, relevant,
and justified.

~~~
vidarh
Have you _ever_ replied to a message sent to you from someone via LinkedIn? If
so, it's easy to end up sharing your e-mail address with that someone, and
a good chance that someone has leaked the address somewhere - whether by
copying into a contact manager in their e-mail and being compromised, or
letting some site or other log in to their Linked In account.

~~~
ColinWright

      >>> Or a tool that just generates random
      >>> mail addresses ending with a popular
      >>> e-mail provider domain.
    
      >> The email to which I'm receiving viruses
      >> and spam is not of that form.
    
      > Have you ever replied to a message sent to
      > you from someone via LinkedIn? If so, it's
      > easy to end up sharing your e-mail address
      > with that someone ...
    

While what you say is true, it's a non-sequitur. It's possible that I have
replied to someone, and it's possible that they leaked it, but that has
nothing to do with classic dictionary attacks, and the fact that such is
unlikely to have succeeded with the address that's been leaked.

Perhaps you intended to reply to a different comment.

_Edit: To those who are down-voting this - thank you for the reality check. I
don't understand why you think my comment is of negative value, but it
reminds me that not everyone thinks the same way._

~~~
vidarh
I said nothing about dictionary attacks. It's not a non-sequitur at all, the
point was to offer another, alternative suggestion to how it might have
happened.

And while I didn't downvote you, if I'd seen a reply like this to someone
else, I might very well have done so rather than bother to reply, seeing as
you've quoted three paragraphs just to dismiss a valid suggestion because you
for some reason don't think it fits in this location in the thread.

~~~
ColinWright

      > I said nothing about dictionary attacks.
    

Indeed, and given that this particular exchange was talking about dictionary
attacks, that is why I thought your comment was a non-sequitur. It didn't seem
to follow naturally from the comments above, and seemed out of place, which is
why I wondered if you really had intended to reply there.

    
    
      > It's not a non-sequitur at all, the point was
      > to offer another, alternative suggestion to how
      > it might have happened.
    

That was being done in other comments elsewhere. Again, that's why I thought
your comment seemed misplaced in this particular branch, albeit absolutely
correct.

    
    
      > And while I didn't downvote you, ...
    

I know that - you can't downvote a reply to one of your comments.

    
    
      > ... if I'd seen a reply like this to someone
      > else, I might very well have done so rather
      > than bother to reply, seeing as you've quoted
      > three paragraphs just to dismiss a valid
      > suggestion because you for some reason don't
      > think it fits in this location in the thread.
    

I didn't quote those comments to dismiss your contribution. Indeed, I said
"... what you say is true ...". My quoting was to try to point out why I was
wondering about the placement of your comment.

So to re-iterate, I didn't dismiss your comment, I just thought it would be
better placed where others were already making the same or similar points. I'm
sorry I didn't make myself clearer, and apologise.

Thank you for taking the time to explain.

------
incision
Coincidentally, in the past two weeks - this week in particular I've been
seeing a load of crap sent to my address registered with LinkedIn which is
otherwise spam-free.

I'd guess it's related to LinkedIn or GitHub as this particular address is
only publicly/semi-publicly used on those two sites.

~~~
realusername
I also had the same problem, I've received 2/3 spams to the linkedin address
in the past two weeks and never received any before.

They are also passing the gmail filter which is quite impressive in itself.

------
zippergz
I thought LinkedIn had a contact sync app that people can run to pull all of
their LinkedIn contacts into their own address book. If so, could it be that
one of your connections ran that, and their machine is compromised?

------
0x0
It leaked a year or two ago. I had to change my listed address and SMTP REJECT
the old one due to the amount of spam it received. Glad I had listed a
linkedin-specific address that I could burn.

------
kiwifree
I am highlighting a very dirty technique used by LinkedIn. LinkedIn mined my
emails without my consent. I have four separate Gmail accounts to keep things
separate. I am 200% sure I never linked the other three Gmail accounts on
LinkedIn. LinkedIn used my current email id, went through all of my emails,
matched it with other Gmail accounts, mined other Gmail accounts and started
forcing me to accept contacts from mined data. It's a very hideous way to
increase member count. I now wonder if almost every San Francisco company is
highly unethical? Be it Google, Uber, Yelp, LinkedIn, on and on. Why can't
American businesses be honest with their customers?

~~~
dublinben
These companies are generally abusive to their 'users' because their real
customers are different. Google and Yelp's customers are advertisers, who want
access to your information and attention. LinkedIn's customers are obnoxious
recruiters who want to farm your information and contacts.

------
kromodor
There are days in which I ponder what made LinkedIn a success. It was
obviously not their UX.

------
mahouse
Some spammers send spam to made up email addresses, hoping someone will
receive it.

------
FractalNerve
I got spam after Adobe got hacked... never received a single spam mail before.
Wish Adobe had to pay for that! But I'm afraid to register at LinkedIn,
because that means I'd have to give up the last remaining bit of privacy just
to get a job. There must be another way to connect to the right people...

