
LinkedIn screwed me over real good a few weeks back.

They sent me an email saying "There are 108 people you might want to connect with", so I click on view all and it shows a giant list of people with checkmarks by their names. Nice. I uncheck all of them, and scroll through checking a few folks who I want to network with (5 people in total). Click next, it takes me to a screen showing the 5 people and the banner clearly says "Send connection requests to these 5 people?". I click next.

The next screen says "Congratulations, we've sent connection requests to 300 people." What the flying fuck? Ok, well that's a bummer but oh well, probably just a bug in their system. Then my inbox starts getting spammed with "I'm out of the office right now blah blah blah" from people who I don't even know.

The assholes sent 300 people linkedin connection requests through my own personal gmail account. With zero warning whatsoever. That really pisses me off.

I like LinkedIn, it's a great networking tool, but they really need to stop doing this shit. Something similar happened a few years ago, but they only spammed people in my address book who were already members and the emails were sent by LinkedIn, not through my gmail account.

I've revoked LinkedIn's access to my gmail account. I regret ever enabling it in the first place. I recommend you do the same.

For those who don't know how: https://www.google.com/settings/security (click the view all button next to Apps and Websites).

> The assholes sent 300 people linkedin connection requests through my own personal gmail account. With zero warning whatsoever.

The fact that they requested access to your email account should have been warning enough.

I can't understand why anyone would give any entity access to their email, it's really baffling.

I personally see LinkedIn as horrible, and deleted my account long ago. They don't let you restrict who can view your profile, and they allow people to remain anonymous. For anyone who cares about Privacy, this should be a huge no-no.

I agree, the email access thing is crazy. Both from a feature side and that someone would agree on it.

However, I would claim the fully visible profile is actually a feature.

LinkedIn is not Facebook. LinkedIn is a professional index, like the yellow pages, with the difference that the minimum inclusion is free.

> LinkedIn is not Facebook. LinkedIn is a professional index, like the yellow pages,

with the exception that LI is a social network, where the goal is to interact, rate, and comment on different scenarios

I thought LinkedIn has always marketed itself as a professional networking service and thus perceived it as a public area open to corporate scrutiny... it's not healthy to mix "social" with "professional" in situations dealing with corporate employers.

I would argue that it is a professional index dressed up for non-recruiters as a social network.


You have deleted your account and clearly don't find LinkedIn useful.

Are you really surprised that you don't understand why people who do find LinkedIn useful (and there are large numbers) would use it the way they do?

Agreed, it's incredible, and utterly dumbfounding, that people would simply turn over access to their email like that. The only explanation I can imagine is that other (younger?) people just don't take email as seriously.

Yeah right, so OP was asking for it, right?

I wouldn't say that (and didn't.)

Isn't it more likely that they just sent the emails themselves but used his email as the "Reply To" address? A lot of software systems (SalesForce, Hubspot, etc.) do that too.

That would instantly get flagged as spam by virtually everybody if SPF is enabled on his domain. And yes, gmail.com does seem to have SPF enabled.

Errm no, a Reply-To header is not the same as the sender envelope. Spam filters will flag emails that are faking the sender envelope. SPF is also only checking the sender envelope. A Reply-To can generally be whatever you want; same for the From header. So LinkedIn sends email with the From and Reply-To headers set to your email, but the sender envelope is from their server. So the email appears to come from you but was sent from a LinkedIn server, which is set up to pass the SPF test, so it does not get flagged by the spam filter. Check the headers in the email's raw source and you will see what I mean.

When did I ever say anything about reply-to? Please do not put words in my mouth and then speak condescendingly to me. It's extremely irritating.

The post you were commenting on was talking about reply-to... Please practice your reading comprehension.

The post I was commenting on apparently got edited after I replied to it. And your condescension is not at all appreciated.

It appears the parent comment I was replying to got edited after I posted this. Thanks TylerJay for completely changing the meaning of your comment without any notice.

The original comment suggested that they sent the email themselves as if it had come from the user, not merely setting Reply-To.

That would only be true for some recipients (by far not "everybody"), and only if Google's SPF record forbade other SMTP servers with -all. It doesn't; it uses ~all (soft fail).

Why? Precisely because of this: there are lots of perfectly legitimate situations when a third party sends email on your behalf.

Moreover, if LinkedIn signs their outgoing emails with DKIM, that would be a positive signal for a spam filter (and e.g. Gmail would show such mail as "sent via LinkedIn" or something to that effect).
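The envelope-versus-header distinction drawn in the two comments above (SPF is evaluated against the envelope sender, and gmail.com's ~all only soft-fails a third-party server) can be checked mechanically. The script below is an added illustration, not code from the thread: it parses a constructed LinkedIn-style message and evaluates a minimal SPF policy against the Return-Path domain, then shows what the same server would have scored had it put the user's Gmail address in the envelope instead. The SPF records are a constructed lookup table standing in for DNS (gmail.com really does end its policy with ~all; the linkedin.example hosts, IPs and DKIM selector are hypothetical), and only the ip4/ip6/include/redirect/all terms are implemented.

```python
import ipaddress
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the visible From/Reply-To carry the user's Gmail address,
# but the SMTP envelope (Return-Path) and the DKIM d= belong to the third party.
# Every address, host and IP below is made up for this example.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-123@bounce.linkedin.example>
Received: from mail.linkedin.example (mail.linkedin.example [203.0.113.10])
  by mx.recipient.example with ESMTP id abc123
DKIM-Signature: v=1; a=rsa-sha256; d=linkedin.example; s=sel1; h=from:to:subject; bh=...; b=...
From: "Alice Example" <alice@gmail.com>
Reply-To: alice@gmail.com
To: bob@recipient.example
Subject: Alice wants to connect on LinkedIn

Hi Bob, ...
"""

# Constructed stand-in for DNS TXT lookups. gmail.com really does end its
# policy with ~all (soft fail); the other records are hypothetical.
SPF_RECORDS = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ~all",
    "bounce.linkedin.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Minimal SPF evaluator: ip4/ip6/include/redirect/all terms only.

    Mechanisms that would need further DNS (a, mx, exists, ptr) are skipped,
    i.e. treated as not matching.
    """
    if depth > 10:
        return "permerror"          # RFC 7208 caps DNS-querying terms at 10
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in record.split()[1:]:  # drop the "v=spf1" version tag
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # An IPv4 client is never "in" an ip6 network, and vice versa.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            if check_spf(term[8:], client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif term == "all":
            return QUALIFIERS[qual]
    if redirect:                    # only consulted when no mechanism matched
        return check_spf(redirect, client_ip, records, depth + 1)
    return "neutral"


def _domain(value):
    _, addr = parseaddr(str(value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def _dkim_domain(sig):
    for tag in str(sig or "").split(";"):
        key, _, val = tag.strip().partition("=")
        if key.strip() == "d":
            return val.strip().lower()
    return None


def evaluate(raw, client_ip, records=SPF_RECORDS):
    """Report which identity SPF actually checks and how the others line up."""
    msg = message_from_string(raw, policy=policy.default)
    envelope = _domain(msg["Return-Path"])
    header_from = _domain(msg["From"])
    dkim_d = _dkim_domain(msg["DKIM-Signature"])
    return {
        "envelope_from": envelope,
        "header_from": header_from,
        "reply_to": _domain(msg["Reply-To"]),
        "dkim_d": dkim_d,
        # What the receiving MTA evaluates: the envelope (MAIL FROM) domain.
        "spf_result": check_spf(envelope, client_ip, records),
        # What it would have said had the third party put the user's domain
        # in the envelope instead (the spoofing case debated in the thread).
        "spf_if_envelope_were_header_from": check_spf(header_from, client_ip, records),
        "from_aligned_with_envelope": header_from == envelope,
        "from_aligned_with_dkim": header_from == dkim_d,
    }


if __name__ == "__main__":
    for key, val in evaluate(SAMPLE_MESSAGE, "203.0.113.10").items():
        print(f"{key:36} {val}")
```

Run as-is it reports spf_result pass on the LinkedIn bounce domain, while the same server sending with gmail.com in the envelope only gets softfail under ~all (it would be fail only under -all, as the comment above says). The two alignment flags are the extra identity matching a DMARC policy adds on top of SPF and DKIM; the thread does not get into that, but it is the check that distinguishes "signed by LinkedIn" from "sent by the Gmail user".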

Sounds like you know more about this than I do. I will defer to your greater knowledge.

Although "there are lots of perfectly legitimate situations when a third party sends email on your behalf" strikes me as being rather wrong. I cannot think of a single reason why anyone else should be sending email that claims to be coming from my email address. Sending email that lists me as a reply-to, sure. But as the sender? Not a chance.

It's common in enterprise products where the user's first action is in a non-email.

Like I've uploaded version 1 of the plans, added some notes and the system needs to send out an email to everyone, I did the action, it's coming from me, not the system.

There's a reason it's part of the spec.

You did the action, but that does not ever justify sending the email with an envelope claiming it came from you. Because you did not send the email. It could certainly put you as a Reply-To on the email, and it might possibly justify putting your name on the From line, but actually claiming to have been sent from your email address is wrong.

Says you.

However, all the clients says "why does this email come from admin@thibgy.com, I want it to come from my email address, I'm sending it".

This type of wisdom only comes with being burnt and cynical. We shouldn't require that of our users.

Does it? Nobody considers it "cynical" to not give the pizza guy the key to your house.

The pizza boy doesn't ask for your home keys EVERY TIME he brings you a pizza.

Yet LinkedIn goes far beyond that. LinkedIn is clearly engaging in "dark UI patterns", hoping to trick you into giving those keys (and using them too!) when you are not mindful.

Yeah, I'm always wary of allowing any app to send emails on my behalf, unless it's something I've put together myself (e.g. email alerts for internal stuff breaking, etc).

> revoked LinkedIn's access to my gmail account

I honestly don't know what people are thinking while enabling that.

No, Seriously?

I don't understand how Gmail allows it. I assume they've gotten enough complaints about it being abused to prohibit or strictly limit access with at least warnings before actions can be taken.

Because the "old way" was worse.


I believe Facebook was the first site to ask users for their email passwords -- and to great effect, at least on their growth metrics.

Ironic that Facebook goes after sites that ask for your Facebook password.

I tried searching Google for "has facebook ever asked for email account logins and passwords?" and couldn't find any proof. Does anyone have a source for this?

This is what it looked like: http://i.imgur.com/TFQeIBr.png

Whoa, I just looked at the friend finder page and it still does that for some email providers: http://i.imgur.com/bC9xEEM.png

Until now I didn't even actually think such people exist. Especially on HN.

Seems a bit snarky?

I don't think I ever granted them access, but somehow they got a list of random email contacts. So every once in a while I'll get an email that says, "Connect with Joe?" Looks like a normal inbound connection request, but it's actually a trap to get YOU to initiate a request. Awkward for contacts you might accept a request from, but not reach out to.

I suspect the other party gave LinkedIn their address book, and they're trying to maximize the odds of a connection.

This makes total sense. I have also been very careful to not let LinkedIn get access to my email or contacts - precisely cause I don't trust what they will do with that data on my behalf. But they still manage to suggest all these random contacts that look like they're coming from my address book. A few times I have panicked and made sure I hadn't accidentally given them access. But it makes sense that the other side gave them access and they are trying to get a match.

I do like LinkedIn as a professional network. It's helpful when going into meetings, I can check out the people's backgrounds and use that as added context / something to relate with. It's helpful when trying to figure out whether someone could be a good sales/biz dev opportunity based on their background and experience. If I trusted them more, I may consider integrating them more tightly with some of my sales funnel workflows - but for now, I will continue using them as a standalone tool.

LinkedIn had a dark pattern, which they've made slightly less dark recently, of asking you to "log in" by typing in your email address and then your email address password. Of course, you are already logged in to LinkedIn at that point.

The current version shows up when you click "Add Connections" but it used to be much more in-your-face.

Hmm, that's a great point. I've always tried to be careful. I use LinkedIn frankly more than any other social network because it allows me to keep up with my friends' professional lives, not vacation photos or snarky tweets. I haven't found a job through LinkedIn, though have made some connections. I do not trust LinkedIn to do the right thing with my data, and the fact that they're "tricking" users into actions they wouldn't otherwise take just smells like a rat.

Yes, I agree. I never give a site like LinkedIn access to any of my accounts, but I have noticed that it will suggest a connection with someone whom I've ever had one email interaction.

At first, I was bewildered, then I realized it must be because the other party granted access to their contacts.

It is deceptive however and tarnishes their brand. Ultimately, however, it's a problem with default free services.

Is it? A lot of free services manage to survive without so-called dark patterns. Frankly, I'd be more likely to pay for a subscription if I trusted them.

Are you using an Android phone? I noticed this too with LinkedIn and it happened immediately after installing LinkedIn on Android. Never happened in previous years while using iOS.

The really messed up part is that the app has basically every permission turned on AND ships with some on-contract phones. So although I had never once opened the app, it was running in the background on an old POS HTC I had. Pretty sure that's where they got every contact ever.

Many, many, people have been burned by this same thing.

I think we need more advertisement of this terrible practice -- and or try to get google to aggressively block their access to do this sort of thing from your gmail, as what it is -- essentially a phishing/malware attack.

I never let them have my email credentials (address, ok, linked account or credentials, no).

But, the thing they do that really bothers me, is to ask people endorse me for things, in a way that suggests I asked to be endorsed for those things. But I didn't. It just found words related to those in my profile. And people who like me or want to be helpful click OK to endorse me for shit that I have nothing to do with. Like ASP.net.

I just don't like that it makes people think I asked to be endorsed. For stuff I don't know and don't do.

GIGO. Which makes me think that the actual functionality/utility in LinkedIn (of which I am not a member) lies elsewhere.

Years ago, recruiting advice was insisting that a LinkedIn profile had become necessary. But even back then, the configuration / data sharing they insisted upon, and worse, the reporting on some of their bad (from my perspective, and also others') behaviour was just too much for me, and I stayed away.

I imagine much of what one gets through LinkedIn is akin to much of what one gets in the rest of the corporate world. A lot of BS, and you are left at your own discretion to discern the truth -- such as it is and is reflected in that environment -- amidst all this.

P.S. I'll add that LinkedIn seems to have become a poster child -- albeit a lame-assed corporate one -- for "dark patterns".

Not all entries in your address book are "people" either. Are any of them mailing lists? (Like open source projects or whatnot?) They will get this spam also.

Why the holy flying fuck would anyone give someone they met on the Internet the ability to impersonate them? That's like online safety 101, right after not giving out your home address and vacation schedule.

Especially when that someone already has a bad reputation like linkedin has.

I had no idea that I granted them permission to send email through my account, I thought I had restricted them to the address book. I made a mistake.

You don't think that giving an address book full of good addresses to known spammers is a bad idea?

Oh, it's okay as long as they send messages to those contacts using their identity, so it's not traced back to you ...

Just the address book would have been enough to allow most of the shenanigans described in this thread? Now LI know a bunch of other people that might recognize your name, and that's really all they need.

The part that really pissed me off was how they sent emails through my gmail account. They essentially hijacked my account to spam people.

I completely agree. It still happened to me. Like lots of other people here, I don't quite know how.

I sent a message to support saying "I never gave you permission to do this" and they took the time to reply and say "yes you did".

This is my problem with social-network-based SSO solutions. Why would I sign into your service with Twitter when you request the right to post on my behalf? (I've been burned by that. Never again.)

I heartily recommend everyone with a Google account follow that link and double-check your security and allowed app settings. (Also take some time to go through your app-specific passwords and revoke any that aren't relevant anymore.)

In addition to being good practice in and of itself, Google is currently doing a promotion where they'll increase your Google Drive space by 2 GB if you go through their security checklist (see link below):


But if you refuse to give them your phone no. - for much the same reasons you should be hesitant about giving LinkedIn your email address - then it is impossible to complete the check. No 2GB for me, then!

I fell victim to this a while back and documented it here: http://marknugent.tumblr.com/post/98203319356/linkedins-evil...

Thank you. I posted that on LinkedIn to spread the word.
