Hacker Newsnew | comments | show | ask | jobs | submit login
LinkedIn sued by users who say it hacked their e-mail accounts (arstechnica.com)
213 points by shawndumas 675 days ago | 106 comments



I deleted my LinkedIn account some time back, but I still get email like this (copy from actual email, not paraphrased)

Subject: [Freind]'s invitation is awaiting your response

Body: [Friend] would like to connect on LinkedIn. How would you like to respond?

[Photo of friend] Confirm you know [Friend]

... and ...

Subject: Invitation to connect on LinkedIn

Body: [Photo of friend]

[Me],

I'd like to include you in my network to share updates and stay in touch.

- [Friend]

All emails sent from friend's email account, not LinkedIn. I've confirmed with friend that they were completely unaware of this and were quite embarrassed.

Not cool, LinkedIn, and most definitely dishonest.

-----


Creating a LinkedIn account was by far the creepiest thing I've ever experienced when signing up.

I signed up using email address A, and when I signed in I saw suggestions for "people you may know", but it included people I had only every corresponded with via email address B (bear with me here, it gets more interesting...). It wasn't even people any of my contacts know. From what I can tell people I had corresponded with using email address B (which incidentally doesn't even have a real name associated with it) had given their password to LinkedIn (probably via 'find people you know' or whatever). It seems that LinkedIn went through my friends' gmail contacts and one or more of my friends had probably annotated me in their contact list with my actual name. LinkedIn then associated my name with email address B. From that LinkedIn combined it with more info from people who gave them their gmail address and password who I'd only ever corresponded with a few times anonymously via my unnamed address (B, which LinkedIn has now linked with my name).

Net result is "people you may know" including people I had only corresponded with anonymously via email address B with full details of their name and place of work etc. What makes it creepy I used email address B when I tried online dating a few years ago. I used email address B to first get to know people before deciding whether to give them more info about me etc. Now LinkedIn has kindly provided me with the full name and place of employment of the women I chatted to via "people you may know" (I recognised their photos from the dating site from a few years ago) and vice versa (yikes! a great way to wind up getting stalked). The only link between me and "people you may know" is that I corresponded with them via an email address not even associated with my LinkedIn account, and none of my friends or contacts is in any way associated with them. If that isn't creepy I don't know what is.

-----


Probably you already had an account, called a shadow account -- when signing up, you merely asked for your password for a limited access login.

So the primary form of collection that should concern us most is media that spy on us while we use them. Books that watch us read them, music that’s listen to us listen to it. Search boxes that report what we are searching for to whoever is searching for us and doesn’t know us yet.

There is a lot of talk about data coming out of facebook: is it coming to me? is it coming to him? is it coming to them? They want you to think that the threat is data coming out. You should know that the threat is code going in.

For the last 50 years what has been happening in enterprise computing, is the addition of that layer of analytic on top of the datawarehouse that mostly goes in enterprise computing by the name of "business intelligence". what it means is you’ve been building this vast datawarehouses in your company for decade or 2 now you have only information about your own operations your suppliers your competitors, your customers now you want to make that data start to do tricks. By adding it to all the open source data out there in the world, and using it to tell you the answers to questions you didn’t know you had. That’s business intelligence.

The real threat of facebook is the BI layer on top of facebook warehouse. The facebook datewarehouse contains the behavior not just the thinking but also the behavior or somewhere nearing a billion people. The business intelligence layer on top of it which is just all that code they get to run covered by the terms of service that say "they can run any code they want for improvement of the experience". The business intelligence on top of facebook is where every intelligence service of the world wants to go.

Imagine that you are a tiny little secret police organisation in some not very important country. Let’s put ourselves in their position Let’s call them I don’t know what, you know ... "kirghista".

You are a secret police you are in the "people business" secret policing is "people business". You have classes of people that you want you want agents, you want sources you have adversaries, and you have influencables, that is people you torture who are related to adversaries wives, husbands, fathers, daughter you know those people.

So you are looking for classes of people. You don’t know their names, but you know what they are like you know who is recrutable for you as an agent you know who are likely sources, you can give the social characteristics of your adversaries, and once you know your adversaries, you can find the influencables.

So what you want to do is run code inside facebook. It will help you find the people that you want it will show you the people whose behavior and whose social circles tell you that they are what you want by way of agent, sources what their adversaries are and who you can torture to get to them.

So you don’t want data out of facebook the day you have data out of facebook it is dead. You want to put code into facebook and run it there and get the results you want to cooperate.

http://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-t...

-----


I think that you just have to assume that every internet interaction you have with any service is tracked, indexed, cross-referenced, and then bought and sold. Possibly as aggregated data, but likely traceable to you if someone were so inclined. To think otherwise is just to believe that somehow human nature has changed. Scott McNealy was right, "You have zero privacy anyway. Get over it."

-----


Same. Cancelled my account a year ago, still getting those emails. The worst part? Actually considering getting a new account, as I've been told by multiple people not having a LinkedIn account is 'suspicious' and that it's costing me job opportunities. Genuinely wishing someone would make a (less evil) LinkedIn-killer. At least for the tech world. Was hoping Stackoverflow Careers would do that, but sadly that hasn't happened.

-----


I haven't had a LinkedIn account in several years and have not had any problems. I guess YMMV.

-----


I've been looking for entry level developer positions as a recent graduate and boy do I hear it repeated so much "Get to me on LinkedIn." "I got my job through LinkedIn". Over and over. I really don't want to create an account either but I suppose I might at some point. Sucks though. Because I get all these e-mails too from people and I've only read somewhat creepy things about LinkedIn.

-----


Why don't you just make a completely empty account with a throwaway email account that tells people not to trust linkedin and pointing them to a place on the web that you control?

-----


that is not exactly perceived well by the average HR/recruiter.

-----


> All emails sent from friend's email account, not LinkedIn.

Are you sure about this? LinkedIn could just be using the friend's email address as the envelope sender; the email would still be coming from LinkedIn's mail server network.

I'd really love to see the headers of one of these messages.

-----


I think you're correct. Here's the full headers for one of the emails with some added line-breaks to make reading easier. I hope I've redacted enough (someone please tell me if there's stuff here that shoudln't be public)

Delivered-To: [me]

Received: by 10.216.15.83 with SMTP id e61csp34535wee; Sun, 4 Aug 2013 04:14:33 -0700 (PDT)

Received: from maile-fd.linkedin.com (maile-fd.linkedin.com. [199.101.162.92]) by mx.google.com with ESMTP id ck10si13864843pad.187.2013.08.04.04.14.31 for <[me]>; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)

X-Received: by 10.68.135.162 with SMTP id pt2mr17184363pbb.42.1375614872583; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)

Return-Path: <s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com>

Received-Spf: pass (google.com: domain of s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com designates 199.101.162.92 as permitted sender) client-ip=199.101.162.92;

Authentication-Results: mx.google.com; spf=pass (google.com: domain of s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com designates 199.101.162.92 as permitted sender) smtp.mail=s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com; dkim=pass header.i=@linkedin.com

Domainkey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com; h=DKIM-Signature:Sender:Date:From:To:Message-ID:Subject:MIME-

Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl; b=q1KRuTf4aDEOi5VREcMRO4Doq6XyksTGxJVZMaRGMds1RAi/nevXn8l1yGjBp3ed bSZCOz8kdSYBSnp8/gVqQ0UxpsSpQsAaZFrz1yvWjphpr7/DJKaD7Ap6sSUofZ13

Dkim-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024; c=relaxed/relaxed; q=dns/txt; i=@linkedin.com; t=1375614871; h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl: X-LinkedIn-Template; bh=+IqpICLV7N0HAZ46nQfd4mjluOA=; b=dh0hTwqcAoV966RGjsPQexTPDRGSX7o0W9IXG6sWZeDO55b4Xo8Z5riP6dRkYtbu /OO5DxfX1/8F8NHDoxK+3KR+YREUY/r0soM2EySz3S8yWd0CkVWMfpxhzRJzDTap zk0xKG+Oz3Y3jNFg+IQtv/R4uPXo83Cn1OetkC6jKfo=;

Sender: messages-noreply@bounce.linkedin.com

Message-Id: <973325106.76554970.1375614871646.JavaMail.app@ela4-app0128.prod>

Mime-Version: 1.0

Content-Type: multipart/alternative; boundary="----=_Part_76554966_2133229866.1375614871641"

X-Linkedin-Template: invite_guest_59

X-Linkedin-Class: INVITE-GUEST

X-Linkedin-Fbl: s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw

-----


Yeah, looks like that's coming from LinkedIn's network. They're probably just setting the From: header to your friend's email address -- which is what will then show up in most email clients as the sender -- and then using the Sender: header to pass SPF.

A little sneaky on their part, but nothing too surprising.

I didn't spot any personal / identifiable information in the headers, you should be OK.

-----


A little sneaky? I'm confident you will find a judge out there that considers this wire fraud.

And any email provider should obviously immediately blacklist them. Worse than spam.

-----


> I'm confident you will find a judge out there that considers this wire fraud.

Eek, I hope not. That would make me and anyone else who's ever written a form-mailer or similar with "-faddress@net.com" or "From: address@net.com" guilty of wire fraud.

> And any email provider should obviously immediately blacklist them. Worse than spam.

I'm a mail provider. I'd like to, but the reality is that a lot of people are on LinkedIn on purpose, and it would be wrong for me to blackhole them just because I don't like them. Fortunately, anybody on my mail system that doesn't like LinkedIn can easily adjust their own SpamAssassin settings right from the webmail interface.

-----


Worse than spam, maybe, but I hope the defense would be able to make a compelling case that using the specification as designed doesn't constitute wire fraud...

This wouldn't be terribly different from (not that I know an example) me sending a letter to friend A and putting friend B as the return address, sending a letter by proxy. Of course in that case, there isn't even a method to see who actually sent the letter, whereas the information on who sent the email is still contained in the email.

-----


I made the mistake of authorizing LinkedIn to fetch contacts from my Gmail account ages ago - atleast 4-5 years back. If you are like me, here is a link to delete the contacts that you have not explicitly added on LinkedIn:

http://www.linkedin.com/people/contacts?sortAction=lastName&...

I had to raise a support ticket to find this link.

-----


Wow. LinkedIn sure made sure that's difficult.

You have to go through every damn letter of the alphabet, and click like 4 different buttons, and wait for 2 page refreshes for each letter. Half the time it doesn't work and you have to refresh the page and try again.

I've gotten through "L" and now their server is giving me errors.

-----


Thank you for this link... I didn't know linkedin had ALL my contacts. And I don't remember linking it to my gmail account at all! Removed all (530) of them manually. (selecting all give an error).

-----


Does that link actually work for you? Mine just spins and spins.

-----


Linked in is the only social network that's managed to link me to other people in ways i cannot explain.

An example: I had a real life connection to a trainer, i studied for an industry qualification with him. I had zero online line connections to him. Somehow linked in put us together.

His profile mentioned nothing about taking that course, mine mentioned nothing about attending his course. My work handled all the procurement side of things so he had no access to my email address or anything like that.

In credit to linked in, this guy happened to be the best trainer i'd ever studied with so i was actually pleased to see the recommendation. Still wondered how they managed it though!

-----


perhaps via uploaded phone contacts?

-----


Yeah; I recently had a friend "accept [my] invitation" to join LinkedIn.

Except I have never sent any LinkedIn invitations ever, nor connected LinkedIn to my GMail account.

Not only is LinkedIn forging e-mails and deep-mining connections, they're moronic enough to treat those forged e-mails as organic.

Incompetence vs. malice… why choose?

-----


Are you sure it was sent through your friend's email servers, or did they just address the From: field as coming from his email address? Check the headers to be sure.

-----


I abstain from LinkedIn deliberately and I can confirm that I am sick from their spam.

Every time a friend joins their network, I get tons of “invitations to connect”, despite the fact that I have “unsubscribed” from their spam-list (to which I never subscribed in the first place) enough times.

Real professionals should not need spammy social networks to prove themselves.

-----


> Real professionals should not need spammy social networks to prove themselves.

Yup. As far as I can tell/am concerned, the old fashioned 'meatspace'-networking method never stopped working.

I get recruiter spammed without them, so even for that they don't seem necessary.

-----


2 options: either give LI a secondary email (5 minutes to create a new gmail/other account for spam), or create filters (label as "linkedin-spam" and move out of inbox). Works like a charm for me.

-----


Hope that remains true. My strategy is a giant github page... And that's kind of it. We'll see how viable that strategy is..

-----


This is somewhat off-topic, but has anyone felt like they are "typecast" into a certain industry or job position by their LinkedIn profiles?

What if you don't want to stay with the same industry for the rest of your life? All your contacts probably already endorsed you for your skills in a that industry. It seems like a situation that increases friction in trying to move between fields, industries, and job positions.

Should you delete your profile? Would it seem weird to potential employers/business relationships that you are missing a LinkedIn profile?

I think this will become a more visible problem in the near future.

-----


In my last round of job-searching, none of my interviewers had looked at my linkedin profile. Most of them hadn't even seen my resume before the interview.

-----


Totally agree with your concerns. There's also another piece to this that I've run into: Deliberately focusing my profile on specific skills increased the number of recruiters that contact me for job opportunities. One might say that this is just marketing on my part, but with LinkedIn, your profile actually functions like a webpage would where you need to optimize the keywords and information for their search engine. By being more focused, you rank higher in searches.

-----


I don't think not having a LinkedIn profile is weird unless, perhaps, you were applying to run my social media campaigns. (And even then, hardly a deal breaker.)

BUT... I don't think you should delete it. I think mastery of one job speaks to the type of person who can master another. The real red flag is people who can't point to any big accomplishments in anything...

-----


How does it harm your future? It's nice to have someone who has multiple skills.

-----


To some people, having multiple skillsets means you're unfocused, because you haven't focused on a single skillset.

-----


And those people aren't worth working for.

-----


Unfortunately, they seem to be the majority.

-----


To be fair, yes, there are these people, but I think the general public wouldn't mind given the technology nature. Even among programmers people tend to claim to have multiple skillsets. When I write my resume / cv I am very conservative. I only mention the one I am confident (and omits ones that I only have a glance or very minimal usage). For example, my first web framework is Django but I don't even put Django in my resume only because I barely do any real Django development.

I think in the long run, I don't really want to believe what people said on LinkedIn. I just don't. We all have those moments where we just want to say Yes to every question LinkedIn ask "Does so and so have this skill?"

-----


The "People You May Know" feature of LinkedIn is downright disturbing. Everyone in my third-party email's Address Book shows up as a person I may know. This includes people without LinkedIn accounts, people who've been dead for years that I never removed, people that I've only ever exchanged a single email with.

I never gave LinkedIn my email creds (I'm astounded that they have the gall to ask for my email password). Also, it is 100% inconceivable to me that all of these people would have given LinkedIn access to their email accounts.

-----


People without LinkedIn accounts? Are you quite certain? I worked at LinkedIn and know exactly how People You May Know used to work (I've looked at the code). Unless they changed something in the last couple years (and given their dev cycle, I doubt it), every single person who it recommends has signed up to LinkedIn. Of course, I heard people make these claims while I worked there too.

Also, it really isn't that hard to guess how it works (hint: are you sure you need every single person to give address books access to build a graph?).

-----


My friends cats (who have email addresses but have never signed up on Linkedin) show up as "People You May Know."

Explain that one.

-----


What an appropriate comment for your username. I'm still trying to figure out what LinkedIn have done to my email, but basically my wife and I are inundated with spam from them. It's non stop. I only signed up to learn more about the person who hit our car and has been slow to pay. It was helpful, but despite opting out of every option I could, somehow its learnt that my wife exists and is nailing us both with spam.

-----


Apply a spam filter...?

-----


I think you should first explain why you're friends with someone who makes an email for their cat ;)

-----


So they can get Facebook pages, duh.

-----


Has your friend signed up to LinkedIn and let them have his or her contacts? What about all your friend's friends who have the cats in their contact lists?

-----


She says no. And the cats don't email anyone.

-----


How does she know? Maybe while she's out the cats email or even signed up for an account with linkedin? She should install a webcam to double check.

-----


Dude the cats hacked all the webcams ages ago. If they don't want you to see it you won't see it.

-----


Cats prefer twitter.

-----


If I click 'see more' under the 'people you may know' list on the homepage, fully half of the eight people above the fold are without LinkedIn accounts. These include family members who I can be certain don't have accounts. I assume clicking 'add to network' (rather than the 'connect' for those who do have accounts) would generate an invitation to join LinkedIn.

-----


It seems to be a recent feature. I recently started seeing my 10 year old cousin's email in the "People You May Know" section, and I'm fairly certain she has never signed up for LinkedIn.

-----


It suggests 'people' by email address that are my own. In the past I used gmail as a Dropbox together with a friend and it always shows name1 + name2 @ gmail.com as someone I might know. I'm pretty sure everyone involved has forgotten the password for that account.

-----


Perhaps you could shed some light on my other post: https://news.ycombinator.com/item?id=6426192

-----


If you are linked to 100 people on your LinkedIn account, and 10 of them have the same set of people in the address book they imported into LinkedIn, it's not hard for LI to figure out you might also know people in that overlapped set, and recommend them. You don't need to import your address book for this to work -- just enough of your connections, who have connections in common with you, need to do it.

-----


Have you ever installed their mobile app?

I doubt they are using anyone's credentials without permission, or "hacking" accounts either, but their mobile apps do have full access to your contact list.

-----


No, I have never installed their mobile app.

-----


It isn't that they are stealing credentials on behalf of users; even today the UI is confusing and too verbose. It's clumsy. It's like reading credit card statements with tiny fonts. I am very caution about what I do on a web service but LinkedIn bit me once. If you happen to did one step wrong (even when you thought you override that decision already), LinkedIn will somehow send invite to everyone. Whatever the step might be or whatever bug there is. Just plain annoying. And this happens to many LinkedIn user on planet earth.

-----


It may not be necessary for all those people to give LinkedIn access to their email address books. Say you're A and you see a suggestion for B. Maybe a mutual friend C uploaded their email address book, which includes both A and B in it, and LinkedIn's PYMK can use the feature "A and B have a mutual email-network-friend", which might be useful.

Given that email address books are really large, only a few of them might give lots of these sorts of second-order connections.

Second order connections on the LinkedIn network could be driving these recommendations too. People's friend-of-friends sets can be really large, like typically tens of thousands if I remember right...

-----


> I never gave LinkedIn my email creds (I'm astounded that they have the gall to ask for my email password)

Well, why not? I've recently given in and created a Google account again; they're doing the same thing. I even had to confirm in a pop-up box that I really don't want to give them access to my emails. (And that I really don't want to follow celebrities on G+.)

I don't know why the EU goes after cookies but not after the practise of asking for email passwords.

-----


LinkedIn is the primary reason I'm cautious to link my different services to something external (facebook, twitter, etc.). Even those I'm a bit more lax on compared to my email.

Nothing, but me and my devices, should ever have a reason to access my email. If someone or something is trying to access my email, even with explicit permission, there's no way they can be up to anything good.

The activities that originate from LinkedIn touching your email account is definitely sketchy at best, and definitely spam. There doesn't seem to be a good way to stop unwanted emails going to a single address.

Hell, I've found that even getting them to stop sending you emails regarding your account / groups you joined doesn't always work. Speaking to their support department ends in a response with something like "our engineers are aware" with no change in behavior.

Half of me wants to just get rid of LinkedIn, the other half of me likes seeing old acquaintances getting promotions/moving on to greener pastures.

===

Dear LinkedIn,

Please stop being scummy...we'd all appreciate it.

Cheers!

-Everyone from the Internet

-----


> LinkedIn is the primary reason I'm cautious to link my different services to something external

I've gone further. I routinely create email aliases for any new services I may need to use. (Yes, I have one dedicated to HN too.) That gives me quite a few nice features:

1) My email addresses are not generally cross-service

2) It's somewhat harder to consolidate my data even when the addresses are "leaked" (read: sold) from one service to another

3) I see with absolute clarity which service my email address was siphoned from.

4) I can trivially delete the address. It's just a line in /etc/aliases.

For #3, I haven't done any accurate measurements but it seems that an address finds its way to spammer lists about as often through the service selling it as it does from a user of that service inadvertantly placing it on one.

-----


GMail has a little trick that you can postfix anything to your email address username separated with a "+". For example my.name+linkedin@gmail.com.

Later this +postfix makes it easier to find out which source is the leak.

Most of the websites let you sign up with "+" in your e-mail but unfortunately not every site.

The other trick is that GMail ignores "." in email user so my.name can be just as well "myname". Not that it helps with the spam, just a sidenote.

-----


Yep, the '+' as a separator is one of the many Postfix features.

However, the problem with using the "account+identifier" is that the identifier is simply ignored when delivering mail. With a real alias I can actually revoke an email address, by simply removing it from the aliases. With an identifier I would have to explicitly reject mails for a given recipient part.

I prefer to keep things simple. Bouncing spam is a bonus.

-----


Check out gam [0]

    gam create alias idontwearseatbelts user crashtestdummy
The only problem with aliases is that it completely breaks using email as a unique id to link you with people. You basically fix spam but lose the "people you may know" feature on social sites where you actually care about knowing who you may know on it (i.e. not linkedin).

[0] https://code.google.com/p/google-apps-manager/wiki/GettingSt...

-----


Explicitly reject / add a 'move to spam folder' filter, but yeah. And some places I've given +names have sent to my un-suffixed address (I mostly suspect bad email sanitizing / filtering due to Hanlon's Razor, but ya never know).

-----


Problem is that it's trivial for these services to collapse the emails into a single one for merging purposes. I doubt many do though..

-----


I used to think people were just being ignorant, and that if they had read the screen they would've known to not give out their passwords.

Then I got a LinkedIn account and almost got tricked into typing my credentials... it was only when the Google authorization screen came up that I realized what had happened.

-----


Then I got a LinkedIn account and almost got tricked into typing my credentials

More detail needed here. how did they almost trick you? what did they say or what did they display that made you think it was something different.

surely when you were entering the details, it was still clear you were on linkedin's website? No? (this is a genuine question.. I don't have a linkedin account)

-----


Right after you log in, they display a page that looks almost exactly like a login page asking for your email address and password.

I didn't read the page -- I assumed it was either a "verify your email" or "authentication failed" page of some sort, so I entered my Gmail email address and password. (No, I didn't enter my Gmail password. Read below.)

There is REALLY easy-to-miss "skip" link (I forget the exact text) on the page, but the page looks so much like a login window or "verify your address" window or some other window like that that you don't realize it (and think the "skip" link is probably saying something typical like "Forgot your password?"), so you go ahead and type your credentials -- even though you've already logged in.

The only thing that saved me was the fact that Google asked me if I wanted to "Allow Access" or not, and that made my heart skip a beat and I finally realized what had happened. Thanks Google.

The scary part is that you DON'T have to type in your Google password for this to work! In fact, I typed in my LinkedIn password (I'm not quite stupid enough to type in my Google password on LinkedIn's website) -- but Google still popped up a window asking me for permission, because I was already logged into Google and it didn't even bother checking my password.

So LinkedIn almost got my permission without me ever entering my Gmail password... I almost granted access (thinking it might have been an OpenID thing) before I came to my senses and thought, WTF just happened right now?! Hell no!

-----


I fell for this scam a couple of years ago. I was hastily signing up for LinkedIn, and figured that the page was asking me for my LinkedIn credentials again. Lo and behold, it mined all my Gmail data.

It was partially my fault, because I used the same password for my Gmail account as I did for my LinkedIn account. Never again.

-----


I guess it wouldn't have mattered much if you'd had different passwords anyway, since the same thing would've happened to you as what happened to me (unless things were different two years ago).

-----


Can you (or anyone) post screenshots of the login and email pages?

-----


Here's some. I didn't take the screenshots, so I don't remember if these are exactly the same screens as I saw. However, they look quite similar to what I saw and illustrate my point -- compare:

http://pamlawhorne.com/wp-content/uploads/2011/09/3-connect-...

http://help.webscribble.com/download/attachments/1442111/Unt...

http://homebizideas4u.com/wp-content/uploads/2-upload-mail-c...

-----


I didn't read the page -- I assumed

This is really the heart of it isn't it? Even if LinkedIn has text in a 40pt font that says, "Import your address book, we're going to log into your email account and download your contacts so that we can link you with them and here is exactly what we're going to do with them," you probably still wouldn't have read it.

-----


LinkedIn went significantly out of their way to position and format that page to phish people. I used to fall for it periodically because I just assumed I'd been signed out and my linkedin credentials were pre-filled in waiting to fail to gain access to my email fortunately. That is the heart of it.

If they'd put a 40pt font message, or simply not positioned the "other" email + password sign in screen straight after the "real" email + password sign in screen, we wouldn't be having this discussion.

The most damning part is that's not even what they're being sued for - they're being sued for another way they scammed their way into people's email accounts.

-----


> This is really the heart of it isn't it?

It might be a good time for you to pick up the dictionary and look up what "deception" or "misleading" means.

> even if [...] you probably still wouldn't have read it.

Wow, so you've read a few words of my writing and you already know me so well, so much better than myself? Well, even if you look those words up in the dictionary, you still probably won't understand what they mean.

(And FYI, no, I would have read it if it didn't look like another of the same login page.)

-----


Let's not pretend this is not a UI dark pattern.

-----


They display a prompt asking for a username and password. It is easy to think that it is asking the person to log into the site. If somebody uses the same password for their email and LinkedIn, it can trick that person into giving LinkedIn permission to read their email.

-----


OK so they're using phishing techniques. Definitely cracking if that's the case. Arguably the entire site is one big phishing scam.

-----


This happened to me. I'm not an idiot, I always intended to specifically avoid giving them my email credentials. I just discovered that I had indeed done it at some point. This is grounds for me terminating my account with them.

-----


LinkedIn has tried phishing people to take email account using username(so the email address)/password entered when login.

I really scared on it when I discovered it. I could avoid this because I was using different password for mail account, anyway I think many people gave their email account to LinkedIn silently.

And now they are finally getting punished.

-----


I had always purposefully avoided giving LinkedIn my email password, but when I just clicked the link to remove contacts given upthread, somehow LinkedIn magically had all of my email contacts. So, I gave it to them at some point. I am really displeased.

-----


I recommend to participate on lawsuit if you're on america... You may get a lot of rewards.

-----


I really do not understand how LinkedIn is still in business after all the crap they have pulled over time: they have been trampling on their users for years.

Is everyone so cheap that they wouldn't pay for a professional that would not have to resort to these fishy and downright scammy (scummy) tactics?

What does it say about the value of your professional life when all you can afford to further it is to give that much power to an organisation whose sole incentive is to make money off your back by whatever means necessary?

-----


Maybe because most professionals think the costs outweigh the benefits, and because there are no suitable alternatives?

LinkedIn's value also seems to become dearer the higher up you go in organizational hierarchies. And their canny strategies to hook more of the C-suite (e.g. 'Influencer Posts') seem to be working quite well. I see superbly shitty posts like Vivek Wadhwa's "Facebook is Doomed" (https://news.ycombinator.com/item?id=6424292) doing great on the 'LinkedIn Today' home page for days [Edit: Just checked. It's been on my home page for 4 days now!]. Thus proving that the mediocrity (which tends to be rise to the top in large organizations) is truly flourishing at the top of LinkedIn's food chain :)

-----


> which allows the company to slurp up the contacts list of the third-party e-mail account with which the member signed up, if the member is logged into that e-mail account in the same browser.

Is this a thing? Can any website slurp my contacts if i have hotmail or gmail open in the same browser? How are they doing this?

-----


They can't unless there's a vulnerability in Gmail that they're exploiting, and that wouldn't go down at all well.

-----


The saddest announcement about OS X 10.9 was that Apple will add LinkedIn support. No one should support a cheap scam company like them, much less bake them into the operating system :(

-----


There was discussion about this day ago: https://news.ycombinator.com/item?id=6421742

-----


I would presume that their acquisition of Rapportive plays some part in their use of emails and recommendations.

I know for a fact I have never given them access to my email accounts but they have started surfacing 'people you may know' recommendations that are actually email addresses from my contact book where I have Rapportive installed.

-----


I deleted my account but it's not even deleted. Hope other lawyers take on them and sue the hell out of them. HATE LINKEDIN!

-----


Agreed. LI has become far too intrusive as of late, and I really hate that some folks in different industries, specifically tech, value this as the end-all, be-all. If I have to miss out on certain opportunities due to my lack visibility on LNKD, then so be it. Just not a fan of what they're doing over there-at all.

-----


Does anyone have any alternatives to LinkedIn? I think it plays a function that's useful, particularly the floating, easily discoverable resumes you can point people at plus recommendations. But the cons just drastically reduce its overall value well below zero.

The resume aspect is easy enough to host yourself, and the searchability is not clearly an overall pro anyways: I really don't want to be harassed by random recruiters who found me using a keyword search.

But would it be weird to host your recommendations of others on your own site? I.e. include a link to some canonical representation of their identity and vouch for them? That may be getting into the weird territory. And what about hosting their recommendations of you? That seems well into the weird territory.

Maybe the best thing that LinkedIn offers is a willingly creepy networking site that gives you an excuse to ignore social norms.

-----


http://careers.stackoverflow.com/

-----


This. My LinkedIn profile contains only thing:

"To see my current online profile, please visit http://..." (link to careers.so)

I lost my first job after uni three months ago and started looking. People told me I'm severely limiting my chances by not having a full LinkedIn profile. They were wrong, I found an amazing job and the bulk of interview offers came from people seeing my SO, C.SO or GitHub profiles.

C.SO doesnt have all the meaningless social bullshit, also top companies and recruiters pay a lot of money to just use their search engine.

Also, all LinkedIn mail gets redirected to the bin.

-----


How is it weird to get recommendations from other people? That's pretty normal. Posting them on a website might seem unusual for individuals but companies do it all the time.

-----


It's the posting on a personal website that sets off my awkwardness meter. I think recommendations in general, though, are quite useful.

-----


What you're describing reminds me of the never-launched social network Diaspora, but for business. Would someone be interested in trying to launch a Diaspora-nee-Linkedin?

-----


Gmail has a feature that lets you see what IP addresses you have logged on from. (Look for the little link at the bottom right.) Would LinkedIn's IP show up there if they are using your google password? Has anyone ever seen this behaviour?

-----


Any person who used their company email to sign up to linkedin and then leaked the password by giving it to linkedin should be sued by the company that employs them for negligence. They are the same people who re-use their passwords and write them on post-it notes.

Frankly I have no sympathy for them at all. As you can probably tell.

-----


So, you're saying you want the majority of the working population to be sued by their employing company which itself is made up of people that by and large are guilty of the exact same behavior?

It has become abundantly clear this is a pet peeve of yours!

-----


Sorry, I am probably overreacting. It does annoy me every time people complain about security or privacy when they themselves hold those two in the lowest regard possibly crossing over to contempt. And in some cases those people know what they are doing is lazy and wrong and do it anyway. I start looking for the bottle just thinking about it.

-----


Surely they use deceptive techniques to try to broaden the base. I would not doubt they improperly accessing the email accounts when someone uses the same password to register.

-----


thank god someone took this step. LinkedIn. I will never work for you. I don't like your service. One time I chose to only send invite to several friends. Instead, Linkedin sent out invites to every single person on my gmail contact list, some are public mailing list and it was embarrassing. Linus way: FU LinkedIn. Your UI sucks.

-----


It's just Growth Hacking, nothing to see here.

-----


LinkedIn is great if you need more emails in your inbox to boost your self-importance quotient, but I haven't heard of anyone in my sphere that was discovered and hired due to LI.

It seems all of the technology companies are givin their best effort to invading privacy and undermining trust on a societal level. There will be lasting consequences for these behaviors.

-----


really depends on your job profile. it is a big factor in consulting and similar jobs. very job mobile crowd, hard to keep track where they are right now - linkedin makes it easy.

self updating rolodex for people that change employers frequently.

-----




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: