

LinkedIn Customers Allege Company Hacked E-Mail Addresses - Fourplealis
http://www.bloomberg.com/news/2013-09-20/linkedin-customers-say-company-hacked-their-e-mail-address-books.html

======
dror
Here's how they do it. At various times LinkedIn provides me with a form to
"import" my contacts from my Gmail account.

This dialog looks very similar to the login form to the site. If you use the
same password for both sites (I don't), you might be thinking that you're
logging in, when in fact you're bringing in everyone in your address book. Not
sure if they then automatically spam everyone on your list or not.

LinkedIn clearly has crossed over to the dark side since they went public.
They keep reducing their free services and pushing harder and harder to try to
get you to sign up for "premium" accounts. It's time for an alternative.

~~~
yorak
Also, I recently found out that the Android app from LinkedIn extracts your Gmail
contacts. From what I could gather, you cannot opt out. I was quite annoyed by
this. I also see this as a more probable explanation for contact harvesting than
hacking into email accounts.

~~~
tedunangst
Do you know this because installing the app requested permission? The Android
security model is all or nothing, up front. If anyone would ever want the app
to access their contacts, the app is required to demand that permission from
every user at installation.

------
tedunangst
“LinkedIn pretends to be that user and downloads the e-mail addresses
contained anywhere in that account to LinkedIn’s servers,” they said.
“LinkedIn is able to download these addresses without requesting the password
for the external e-mail accounts or obtaining users’ consent.”

I am so hoping the case goes to trial so we can see the evidence of this
presented.

~~~
fmax30
This sounds like an outright BS claim. There are two or more scenarios that
may be presented as evidence.

i. LinkedIn used the users' current passwords with their external addresses to
access the external emails. (impossible)

ii. LinkedIn used some sort of OAuth/Google authentication access-to-information
permission thing (can't remember the name). (highly unlikely)

In any case I think we can only be certain with the actual evidence.

The customers filing suit should know that LinkedIn is a publicly traded
company and not a scam site.

Because even these claims are outrageous if not utter BS.

~~~
kintamanimatt
Why is the first scenario impossible? People re-use passwords all the time.

~~~
AjithAntony
Yeah, don't they just straight up ask for your passwords?
[http://i.imgur.com/ucFx7Kw.png](http://i.imgur.com/ucFx7Kw.png)

~~~
kintamanimatt
There's that, but what I meant was they could combine the user's LinkedIn
password with their email address and most of the time that would be a valid
user/pass combination due to the frequency of password reuse. It's not like
LinkedIn doesn't have access to the plaintext version of the user's password.
After all, the hashing isn't done on the client but on the server.

------
jmathai
I'm not sure how LinkedIn does it but their "recommendations" are very spooky.

I get some really odd ones like the property manager we pay rent to. I've only
ever emailed or called him.

I presume he gave LinkedIn access to his email contact list but based on the
number of these creepy recommendations a lot of people I email with must do
it.

Even more spooky are the recommendations to connect with people I don't know
but have names that match people I do. Anyone know how they do this?

~~~
uladzislau
LinkedIn does that by cross-referencing cookies, contact lists, and email
addresses. The same way Facebook does. People just used to expect more
integrity from LinkedIn.

~~~
jmathai
They've been doing this for a while....

------
elleferrer
Here's my 2 cents... maybe they'll settle and walk away with some cash. I too
would love to see the evidence of this presented.

In today's world, individuals' data is the digital goldmine for any company.

LinkedIn is a publicly traded company (LNKD); like any publicly traded company,
their main goal would be profits, plus assets like customer data, etc.

This info can be seen in their financial statements: [http://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CI...](http://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=LNKD)

Nowadays it's common practice for our digital footprints and identities to be
designed/built/directed so that before we can gain access to a company's
services, data or content, we need to read and agree to the terms &
conditions, the privacy policies, etc.

This info can be seen in LinkedIn's:

Terms and Conditions [http://www.linkedin.com/legal/user-agreement?trk=hb_ft_usera...](http://www.linkedin.com/legal/user-agreement?trk=hb_ft_userag)

Privacy Policy [http://www.linkedin.com/legal/user-agreement?trk=hb_ft_usera...](http://www.linkedin.com/legal/user-agreement?trk=hb_ft_userag)

Cookie Policy [http://www.linkedin.com/legal/cookie-policy?trk=hb_ft_cookie](http://www.linkedin.com/legal/cookie-policy?trk=hb_ft_cookie)

What, you mean I'm supposed to read those things? Yes.

~~~
001sky
Where is the phrase "identity fraud" agreed to? That is more the line that
seems up for debate. Also, LinkedIn forces changes onto otherwise
grandfathered accounts (LFN). If you don't actively delete your page, you
agree to whatever the worst case is under new terms.

------
bowlofpetunias
Here's what may have happened: when you go to LinkedIn, you regularly get
shown a box (inline) inviting you to do something, like endorse people's
skills.

One of those boxes invites you to "grow your network". It's not all that
explicit as a call-to-action, as in the text may just be a slogan. The main
focal point of that box is a login & password form, which looks exactly like
the regular login form that users get when they want to do something that
requires explicit re-authentication.

In other words: it's common to have to enter your login/password on LinkedIn,
this looks a bit like one of those cases, so users will blindly start typing.
If they use the same email/password combo for their email account as for their
LinkedIn account, then they've just given LinkedIn access to that email
account.

The box itself is quite deliberately misleading. Unlike the regular
invitations to load your address book, there are no Google or Yahoo logos, and
no explicit descriptions.

I don't know whether there is a more explicit request for permission at the
next step before it starts sucking in contacts; I don't dare enter a valid
password.

If there is a next step that requires explicit confirmation, then this "trap"
(which it quite obviously is) is merely annoying and a bit scummy.

If there isn't, I think they have a good case, because this would basically
be phishing in reverse.

~~~
obiterdictum
I think it's more likely that the LinkedIn mobile app grabs your phone contacts,
if you happen to give it permission to do so.

I've noticed that the "People you may know" section started to contain
faceless placeholder entries with emails from my address book (though, I'm not
sure if/when I've given the iOS app the address book access).

~~~
christoph
I noticed that recently as well. Some of them actually say "X shared contacts"
below them as well. I know for a fact some of these people are not on
LinkedIn, so it's essentially building up shadow profiles and trying to get
users to "invite" them to the website for them.

------
auctiontheory
Some LinkedIn apps ask for pretty extensive permissions:
[https://news.ycombinator.com/item?id=6014842](https://news.ycombinator.com/item?id=6014842)

------
jka
LinkedIn provided a pop-up window which, in small print, if you had logged in
via Google or Facebook, notified users in legal terms that their e-mail
contacts could (potentially, under some circumstances) be accessed.

Thus, in legal proceedings, the user was entirely informed of the possibility
of this situation arising.

For future users, this sets a precedent that users are aware of the terms and
conditions (as they have always been), and no further accidental leaks of
personal information will occur.

------
dobbsbob
Yet another scummy social media spying site I'm happy to have never signed
up/used for anything. The vast majority of jobs I've found were idling in the
local hack space IRC room with ~300 developers and engineers who dump
openings, joint ventures and paid projects there first before the usual
channels.

------
nwh
Would be pretty easy to test. Make an account with an email address pointed at
a server you own, tail the logs and wait for the inevitable HELO from LinkedIn
with the same credentials. Busted.
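The canary-mailbox test described above, as an added worked example that is not part of the thread: it scans mail-server authentication logs for any login attempt against a mailbox whose credentials were only ever entered into one third-party site. The Dovecot-style IMAP log format, the canary user name and the sample lines are all assumptions (constructed here; real contact harvesting would need an IMAP login rather than the SMTP HELO mentioned in the comment).

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of Dovecot imap-login / Postfix smtpd
# logs. Hosts and addresses are made up for the demo, not real observations.
SAMPLE_LOG = """\
Sep 20 10:01:02 mx dovecot: imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
Sep 20 10:05:44 mx dovecot: imap-login: Login: user=<canary-linkedin@example.net>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, TLS
Sep 20 10:05:45 mx postfix/smtpd[1234]: connect from unknown[192.0.2.44]
Sep 20 10:06:10 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<canary-linkedin@example.net>, method=PLAIN, rip=192.0.2.45, lip=203.0.113.5, TLS
"""

# One canary mailbox per site the credentials were handed to (assumed name).
CANARY_USERS = {"canary-linkedin@example.net"}

# Matches both successful logins and failed auth attempts in Dovecot's format.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dovecot: imap-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]+)>, method=(?P<method>\S+), rip=(?P<rip>[\d.]+)"
)

@dataclass(frozen=True)
class CanaryHit:
    timestamp: str
    user: str
    remote_ip: str
    succeeded: bool

def find_canary_hits(log_text, canary_users=CANARY_USERS):
    """Return every auth attempt against a canary mailbox, in log order.
    Any hit means the credentials left the site they were typed into; a
    successful one means someone actually logged in to the mailbox."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m or m.group("user") not in canary_users:
            continue
        hits.append(CanaryHit(m.group("ts"), m.group("user"), m.group("rip"),
                              m.group("outcome") == "Login"))
    return hits

if __name__ == "__main__":
    for hit in find_canary_hits(SAMPLE_LOG):
        state = "SUCCESSFUL LOGIN" if hit.succeeded else "failed attempt"
        print(f"{hit.timestamp}: {state} to {hit.user} from {hit.remote_ip}")
```

Because the canary password is unique to that one site, even a failed attempt is evidence of where the credentials went; correlating the remote IP against the site's published ranges is the next step.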

