
LinkedIn sued by users who say it hacked their e-mail accounts - shawndumas
http://arstechnica.com/tech-policy/2013/09/linkedin-sued-by-users-who-say-it-hacked-their-e-mail-accounts/
======
cubicle67
I deleted my LinkedIn account some time back, but I still get email like this
(copy from actual email, not paraphrased)

Subject: [Friend]'s invitation is awaiting your response

Body: [Friend] would like to connect on LinkedIn. How would you like to
respond?

[Photo of friend] Confirm you know [Friend]

... and ...

Subject: Invitation to connect on LinkedIn

Body: [Photo of friend]

[Me],

I'd like to include you in my network to share updates and stay in touch.

- [Friend]

All emails sent from friend's email account, _not_ LinkedIn. I've confirmed
with friend that they were completely unaware of this and were quite
embarrassed.

Not cool, LinkedIn, and most definitely dishonest.

~~~
michh
Same. Cancelled my account a year ago, still getting those emails. The worst
part? Actually considering getting a new account, as I've been told by
multiple people not having a LinkedIn account is 'suspicious' and that it's
costing me job opportunities. Genuinely wishing someone would make a (less
evil) LinkedIn-killer. At least for the tech world. Was hoping Stackoverflow
Careers would do that, but sadly that hasn't happened.

~~~
malandrew
Why don't you just make a completely empty account with a throwaway email
account that tells people not to trust linkedin and pointing them to a place
on the web that you control?

~~~
michh
that is not exactly perceived well by the average HR/recruiter.

------
andmarios
I abstain from LinkedIn deliberately and I can confirm that I am sick from
their spam.

Every time a friend joins their network, I get tons of “invitations to
connect”, despite the fact that I have “unsubscribed” from their spam-list (to
which I never subscribed in the first place) enough times.

Real professionals should not need spammy social networks to prove themselves.

~~~
jlgreco
> _Real professionals should not need spammy social networks to prove
> themselves._

Yup. As far as I can tell/am concerned, the old fashioned
'meatspace'-networking method never stopped working.

I get recruiter spammed without them, so even for that they don't seem
necessary.

------
fragsworth
This is somewhat off-topic, but has anyone felt like they are "typecast" into
a certain industry or job position by their LinkedIn profiles?

What if you don't want to stay with the same industry for the rest of your
life? All your contacts probably already endorsed you for your skills in
that industry. It seems like a situation that increases friction in trying to
move between fields, industries, and job positions.

Should you delete your profile? Would it seem weird to potential
employers/business relationships that you are missing a LinkedIn profile?

I think this will become a more visible problem in the near future.

~~~
yeukhon
How does it harm your future? It's nice to have someone who has multiple
skills.

~~~
stephengillie
To some people, having multiple skillsets means you're unfocused, because you
haven't focused on a single skillset.

~~~
louthy
And those people aren't worth working for.

~~~
alok-g
Unfortunately, they seem to be the majority.

------
daviddaviddavid
The "People You May Know" feature of LinkedIn is downright disturbing.
Everyone in my third-party email's Address Book shows up as a person I may
know. This includes people without LinkedIn accounts, people who've been dead
for years that I never removed, people that I've only ever exchanged a single
email with.

I never gave LinkedIn my email creds (I'm astounded that they have the gall to
ask for my email password). Also, it is 100% inconceivable to me that all of
these people would have given LinkedIn access to their email accounts.

~~~
Aloisius
People without LinkedIn accounts? Are you quite certain? I worked at LinkedIn
and know exactly how People You May Know used to work (I've looked at the
code). Unless they changed something in the last couple years (and given their
dev cycle, I doubt it), every single person who it recommends has signed up to
LinkedIn. Of course, I heard people make these claims while I worked there
too.

Also, it really isn't that hard to guess how it works (hint: are you sure you
need every single person to give address books access to build a graph?).

~~~
officemonkey
My friends cats (who have email addresses but have never signed up on
Linkedin) show up as "People You May Know."

Explain that one.

~~~
lostlogin
What an appropriate comment for your username. I'm still trying to figure out
what LinkedIn have done to my email, but basically my wife and I are inundated
with spam from them. It's non stop. I only signed up to learn more about the
person who hit our car and has been slow to pay. It was helpful, but despite
opting out of every option I could, somehow it's learnt that my wife exists and
is nailing us both with spam.

~~~
ZoF
Apply a spam filter...?

------
wfunction
I used to think people were just being ignorant, and that if they had read the
screen they would've known to not give out their passwords.

Then I got a LinkedIn account and almost got tricked into typing my
credentials... it was only when the Google authorization screen came up that I
realized what had happened.

~~~
rgbrenner
_Then I got a LinkedIn account and almost got tricked into typing my
credentials_

More detail needed here. how did they almost trick you? what did they say or
what did they display that made you think it was something different.

surely when you were entering the details, it was still clear you were on
linkedin's website? No? (this is a genuine question.. I don't have a linkedin
account)

~~~
wfunction
Right after you log in, they display a page that looks almost exactly like a
login page asking for your email address and password.

I didn't read the page -- I assumed it was either a "verify your email" or
"authentication failed" page of some sort, so I entered my Gmail email address
and password. (No, I didn't enter my Gmail password. Read below.)

There is a REALLY easy-to-miss "skip" link (I forget the exact text) on the
page, but the page looks so much like a login window or "verify your address"
window or some other window like that that you don't realize it (and think the
"skip" link is probably saying something typical like "Forgot your
password?"), so you go ahead and type your credentials -- even though you've
already logged in.

The only thing that saved me was the fact that Google asked me if I wanted to
"Allow Access" or not, and that made my heart skip a beat and I finally
realized what had happened. Thanks Google.

The scary part is that you DON'T have to type in your Google password for this
to work! In fact, I typed in my LinkedIn password (I'm not quite stupid enough
to type in my Google password on LinkedIn's website) -- but Google still
popped up a window asking me for permission, because I was already logged into
Google and it didn't even bother checking my password.

So LinkedIn almost got my permission without me ever entering my Gmail
password... I almost granted access (thinking it might have been an OpenID
thing) before I came to my senses and thought, WTF just happened right now?!
Hell no!

~~~
Aloisius
_I didn't read the page -- I assumed_

This is really the heart of it isn't it? Even if LinkedIn has text in a 40pt
font that says, "Import your address book, we're going to log into your email
account and download your contacts so that we can link you with them and here
is exactly what we're going to do with them," you probably still wouldn't have
read it.

~~~
benologist
LinkedIn went _significantly_ out of their way to position and format that
page to phish people. I used to fall for it periodically because I just
assumed I'd been signed out and my linkedin credentials were pre-filled in
waiting to fail to gain access to my email fortunately. That is the heart of
it.

If they'd put a 40pt font message, or simply not positioned the "other" email
+ password sign in screen straight after the "real" email + password sign in
screen, we wouldn't be having this discussion.

The most damning part is that's not even what they're being sued for - they're
being sued for _another_ way they scammed their way into people's email
accounts.

------
TheSwordsman
LinkedIn is the primary reason I'm cautious to link my different services to
something external (facebook, twitter, etc.). Even those I'm a bit more lax on
compared to my email.

Nothing, but me and my devices, should ever have a reason to access my email.
If someone or something is trying to access my email, even with explicit
permission, there's no way they can be up to anything good.

The activities that originate from LinkedIn touching your email account are
definitely sketchy at best, and definitely spam. There doesn't seem to be a
good way to stop unwanted emails going to a single address.

Hell, I've found that even getting them to stop sending you emails regarding
your account / groups you joined doesn't always work. Speaking to their
support department ends in a response with something like "our engineers are
aware" with no change in behavior.

Half of me wants to just get rid of LinkedIn, the other half of me likes
seeing old acquaintances getting promotions/moving on to greener pastures.

===

Dear LinkedIn,

Please stop being scummy...we'd all appreciate it.

Cheers!

-Everyone from the Internet

~~~
bostik
> _LinkedIn is the primary reason I'm cautious to link my different services
> to something external_

I've gone further. I routinely create email aliases for any new services I may
need to use. (Yes, I have one dedicated to HN too.) That gives me quite a few
nice features:

1) My email addresses are not generally cross-service

2) It's somewhat harder to consolidate my data even when the addresses are
"leaked" (read: sold) from one service to another

3) I see with absolute clarity which service my email address was siphoned
from.

4) I can trivially delete the address. It's just a line in /etc/aliases.

For #3, I haven't done any accurate measurements but it seems that an address
finds its way to spammer lists about as often through the service selling it
as it does from a user of that service inadvertently placing it on one.

~~~
AhtiK
GMail has a little trick that you can postfix anything to your email address
username separated with a "+". For example my.name+linkedin@gmail.com.

Later this +postfix makes it easier to find out which source is the leak.

Most of the websites let you sign up with "+" in your e-mail but unfortunately
not every site.

The other trick is that GMail ignores "." in email user so my.name can be just
as well "myname". Not that it helps with the spam, just a sidenote.

~~~
bostik
Yep, the '+' as a separator is one of the many Postfix features.

However, the problem with using the "account+identifier" is that the
identifier is simply ignored when delivering mail. With a real alias I can
actually _revoke_ an email address, by simply removing it from the aliases.
With an identifier I would have to explicitly _reject_ mails for a given
recipient part.

I prefer to keep things simple. Bouncing spam is a bonus.
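
Added example, not part of the thread: a Python sketch of the leak attribution AhtiK and bostik describe, using Gmail's "+" suffix and dot-insensitivity to map a received message back to the service the address was given to. The sample messages, the mailbox name and the rule "the tag must appear as a label of the sender's domain" are assumptions constructed for illustration.

```python
from collections import Counter

GMAIL_DOMAINS = {"gmail.com"}  # dots in the local part are ignored for these


def split_tagged(address):
    """Return (canonical_mailbox, tag); tag is None when there is no +suffix."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    base, plus, tag = local.partition("+")
    if domain in GMAIL_DOMAINS:
        base = base.replace(".", "")  # my.name and myname are the same mailbox
    return f"{base}@{domain}", (tag if plus and tag else None)


def leak_report(messages, own_mailbox):
    """Count, per tag, messages whose sender is not the service the tag names.

    messages: iterable of (recipient_address, sender_domain) pairs.
    Assumption: a sender is legitimate when the tag is one of the labels of
    its domain (tag 'linkedin' matches 'linkedin.com' or 'mail.linkedin.com').
    """
    leaks = Counter()
    for recipient, sender_domain in messages:
        mailbox, tag = split_tagged(recipient)
        if mailbox != own_mailbox or tag is None:
            continue  # untagged mail cannot be attributed to a source
        if tag not in sender_domain.lower().split("."):
            leaks[tag] += 1  # the tagged address reached a third party
    return dict(leaks)


# Constructed sample: (recipient as seen in the To: header, sender's domain)
SAMPLE = [
    ("my.name+linkedin@gmail.com", "linkedin.com"),
    ("myname+linkedin@gmail.com", "bulk-offers.example"),
    ("m.y.name+linkedin@gmail.com", "promo.example"),
    ("my.name+shop@gmail.com", "mail.shop.example"),
    ("my.name@gmail.com", "newsletter.example"),
    ("my.name+hn@gmail.com", "spam.example"),
]

if __name__ == "__main__":
    for tag, count in leak_report(SAMPLE, "myname@gmail.com").items():
        print(f"address given to '{tag}' received {count} third-party message(s)")
```

A sender who strips the "+tag" before mailing defeats this attribution, which is one more reason a per-service alias that can be deleted is the stronger control.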

~~~
malandrew
Check out gam [0]

    gam create alias idontwearseatbelts user crashtestdummy

The only problem with aliases is that it completely breaks using email as a
unique id to link you with people. You basically fix spam but lose the "people
you may know" feature on social sites where you actually care about knowing
who you may know on it (i.e. not linkedin).

[0] https://code.google.com/p/google-apps-manager/wiki/GettingStarted#Step_5:_More_simple_GAM_commands

------
eonil
LinkedIn has tried phishing people to take their email account using the
username (so the email address)/password entered when logging in.

I was really scared by it when I discovered it. I could avoid this because I
was using a different password for my mail account; anyway, I think many people
gave their email account to LinkedIn silently.

And now they are finally getting punished.

~~~
krstck
I had always purposefully avoided giving LinkedIn my email password, but when
I just clicked the link to remove contacts given upthread, somehow LinkedIn
magically had all of my email contacts. So, I gave it to them at some point. I
am really displeased.

~~~
eonil
I recommend participating in the lawsuit if you're in America... You may get a
lot of rewards.

------
yeukhon
thank god someone took this step. LinkedIn. I will never work for you. I don't
like your service. One time I chose to only send invite to several friends.
Instead, Linkedin sent out invites to every single person on my gmail contact
list, some are public mailing lists, and it was embarrassing. Linus way: FU
LinkedIn. Your UI sucks.

------
Renaud
I really do not understand how LinkedIn is still in business after all the
crap they have pulled over time: they have been trampling on their users for
years.

Is everyone so cheap that they wouldn't pay for a professional that would not
have to resort to these fishy and downright scammy (scummy) tactics?

What does it say about the value of your professional life when all you can
afford to further it is to give that much power to an organisation whose sole
incentive is to make money off your back by whatever means necessary?

~~~
r0h1n
Maybe because most professionals think the costs outweigh the benefits, and
because there are no suitable alternatives?

LinkedIn's value also seems to become dearer the higher up you go in
organizational hierarchies. And their canny strategies to hook more of the
C-suite (e.g. 'Influencer Posts') seem to be working quite well. I see
superbly shitty posts like Vivek Wadhwa's "Facebook is Doomed"
(https://news.ycombinator.com/item?id=6424292)
doing great on the 'LinkedIn Today' home page for days [Edit: Just checked.
It's been on my home page for 4 days now!]. Thus proving that the mediocrity
(which tends to rise to the top in large organizations) is truly
flourishing at the top of LinkedIn's food chain :)

------
brador
> which allows the company to slurp up the contacts list of the third-party
> e-mail account with which the member signed up, if the member is logged into
> that e-mail account in the same browser.

Is this a thing? Can any website slurp my contacts if I have hotmail or gmail
open in the same browser? How are they doing this?

~~~
nwh
They can't unless there's a vulnerability in Gmail that they're exploiting,
and that wouldn't go down at all well.

------
gurkendoktor
The saddest announcement about OS X 10.9 was that Apple will add LinkedIn
support. No one should support a cheap scam company like them, much less bake
them into the operating system :(

------
Fourplealis
There was a discussion about this a day ago:
https://news.ycombinator.com/item?id=6421742

------
mswe
I deleted my account but it's not even deleted. Hope other lawyers take on
them and sue the hell out of them. HATE LINKEDIN!

~~~
90002
Agreed. LI has become far too intrusive as of late, and I really hate that
some folks in different industries, specifically tech, value this as the
end-all, be-all. If I have to miss out on certain opportunities due to my lack
of visibility on LNKD, then so be it. Just not a fan of what they're doing over
there - at all.

------
jval
I would presume that their acquisition of Rapportive plays some part in their
use of emails and recommendations.

I know for a fact I have never given them access to my email accounts but they
have started surfacing 'people you may know' recommendations that are actually
email addresses from my contact book where I have Rapportive installed.

------
scarmig
Does anyone have any alternatives to LinkedIn? I think it plays a function
that's useful, particularly the floating, easily discoverable resumes you can
point people at plus recommendations. But the cons just drastically reduce its
overall value well below zero.

The resume aspect is easy enough to host yourself, and the searchability is
not clearly an overall pro anyways: I really don't want to be harassed by
random recruiters who found me using a keyword search.

But would it be weird to host your recommendations of others on your own site?
I.e. include a link to some canonical representation of their identity and
vouch for them? That may be getting into the weird territory. And what about
hosting their recommendations of you? That seems well into the weird
territory.

Maybe the best thing that LinkedIn offers is a willingly creepy networking
site that gives you an excuse to ignore social norms.

~~~
anaphor
http://careers.stackoverflow.com/

~~~
dreen
This. My LinkedIn profile contains only one thing:

"To see my current online profile, please visit http://..."
(link to careers.so)

I lost my first job after uni three months ago and started looking. People
told me I'm severely limiting my chances by not having a full LinkedIn
profile. They were wrong, I found an amazing job and the bulk of interview
offers came from people seeing my SO, C.SO or GitHub profiles.

C.SO doesn't have all the meaningless social bullshit, also top companies and
recruiters pay a lot of money to just use their search engine.

Also, all LinkedIn mail gets redirected to the bin.

------
celticjames
Gmail has a feature that lets you see what IP addresses you have logged on
from. (Look for the little link at the bottom right.) Would LinkedIn's IP show
up there if they are using your google password? Has anyone ever seen this
behaviour?

------
Paul_S
Any person who used their company email to sign up to linkedin and then leaked
the password by giving it to linkedin should be sued by the company that
employs them for negligence. They are the same people who re-use their
passwords and write them on post-it notes.

Frankly I have no sympathy for them at all. As you can probably tell.

~~~
dpatrick86
So, you're saying you want the majority of the working population to be sued
by their employing company which itself is made up of people that by and large
are guilty of the exact same behavior?

It has become abundantly clear this is a pet peeve of yours!

~~~
Paul_S
Sorry, I am probably overreacting. It does annoy me every time people complain
about security or privacy when they themselves hold those two in the lowest
regard possibly crossing over to contempt. And in some cases those people know
what they are doing is lazy and wrong and do it anyway. I start looking for
the bottle just thinking about it.

------
anodari
Surely they use deceptive techniques to try to broaden the base. I would not
doubt they are improperly accessing the email accounts when someone uses the same
password to register.

------
livestyle
It's just Growth Hacking, nothing to see here.

------
nwzpaperman
LinkedIn is great if you need more emails in your inbox to boost your self-
importance quotient, but I haven't heard of anyone in my sphere that was
discovered and hired due to LI.

It seems all of the technology companies are giving their best effort to
invading privacy and undermining trust on a societal level. There will be
lasting consequences for these behaviors.

~~~
pinaceae
really depends on your job profile. it is a big factor in consulting and
similar jobs. very job mobile crowd, hard to keep track where they are right
now - linkedin makes it easy.

self updating rolodex for people that change employers frequently.

