LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts
cold fjord writes with this Business Week report: "LinkedIn Corp. ... was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts' addresses. The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site ... 'LinkedIn's own website contains hundreds of complaints regarding this practice,' they said in the complaint filed Sept. 17. ... LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open ... 'LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'"
"This puts an interesting twist on LinkedIn's recent call for transparency," adds cold fjord. (More at Bloomberg.)
This happened to me (Score:5, Informative)
It was embarrassing and prompted me to close the account. Clearly a violation of privacy. I think at the time I used the same password as for my email account.
Re:This happened to me (Score:5, Funny)
Re:This happened to me (Score:4, Informative)
Do not use the same browser for LinkedIn as for any web-based email. Note that separate windows don't count as separate browsers. Unless you know how to start browsers in a truly separate way, you're better off using separate user IDs on your computer for each web site that might do this (lots of them).
Re: (Score:2)
Re: (Score:2)
Do not use the same browser for LinkedIn as for any web-based email. Note that separate windows don't count as separate browsers.
How about "New Incognito Window" (Chrome) / "Start InPrivate browsing" ?
Someone didn't read the screen, methinks. (Score:5, Informative)
I know LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them, but you can just ignore that. It isn't mandatory, but if you don't read what it says on screen, you might think it is. So I'm more inclined to suspect that's what happened: the complainant entered his email address and password when prompted, and now thinks he's been hacked.
Re:Someone didn't read the screen, methinks. (Score:5, Insightful)
Re: (Score:3)
> These people probably did this and forgot that they did so.
Actually that's about the only thing I remember now.
Since we are talking about LinkedIn, what do you guys do with the flurry of all those "endorsement" that started several months ago? I suspect those are just from people randomly pressing buttons on their screens, because I got those from people who have no idea what I am doing right now.
I feel uneasy not reciprocating to those but so far I am standing my ground. Maybe I am the black sheep of
Re: (Score:3)
Since we are talking about LinkedIn, what do you guys do with the flurry of all those "endorsement" that started several months ago? I suspect those are just from people randomly pressing buttons on their screens, because I got those from people who have no idea what I am doing right now.
I feel uneasy not reciprocating to those but so far I am standing my ground. Maybe I am the black sheep of my network because of that....
Like anything else concerned with my work history/resume, I treat it with honesty.
If I personally know somebody is really good at something, I'll endorse them. Otherwise, it doesn't matter how good a friend they are, I won't. To be honest, I'd like there to be a "negative endorsement" system, too. Since only direct links would be allowed to do this, it would make people only link to people they really have a connection to, and would keep people more honest about their skills.
Re: (Score:2)
A lot of the time when you log in it gives you a bunch of recommended endorsements and you can just say sure, endorse them all. Or go through hundreds of them and pick and choose. Or just ignore the whole thing. I get endorsements from people who have no idea what I actually do, so I'm thinking a lot of people just pick option 1.
Re:Someone didn't read the screen, methinks. (Score:4, Insightful)
" LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them"
LinkedIn users are too stupid to email and connect to their friends on their own?? This isn't a service, it's an email address spidering scam.
Re: (Score:2)
However, if LinkedIn can figure out where you log in to read your email, which is not hard to do, AND if you are logged in to your email when they try to log in as you with the same browser, then THEY can get it because it is your browser that is logging in. Wanna see how that works? Log in to your email, then press Ctrl+N and make a new browser, and log in to your email from the new browser. Hint: it's just a window on the same browser.
They don't need your password.
Re: (Score:3)
Cookies are bound to domains, and JS isn't allowed to cross domains (same origin policy). So yes, you can open a new tab or window and get into your mail without a login, but no, another site in another tab can't just suck down that data. Well, unless they're using an XSS exploit or something, but that would be what they're being accused of :)
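To make the "cookies are bound to domains" point concrete, here is an added example (not code from the thread or from LinkedIn) using Python's standard cookie jar, which applies the same scoping rules a browser does. The host names (mail.example.com, webmail.example.com, social.example.net) and cookie values are constructed. It shows that a host-only webmail session cookie is never attached to a request for another site, that a cookie set with a parent Domain attribute does travel to sibling hosts, and that a Secure cookie is withheld over plain http.

```python
"""Cookie scoping: a webmail session cookie is only attached to requests for
the host (or domain) it was set for. Added example, not code from the thread
or from LinkedIn; the host names and cookie values are constructed.
"""
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, secure=True):
    """Build a Netscape-style (version 0) cookie as a browser would store it
    from a Set-Cookie header. A domain starting with '.' models a cookie set
    with an explicit Domain attribute (shared by all subdomains); otherwise
    the cookie is host-only."""
    domain_attr = domain.startswith(".")
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=domain_attr, domain_initial_dot=domain_attr,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def build_demo_jar():
    """Jar holding a constructed webmail session (host-only, Secure) and a
    constructed single-sign-on cookie scoped to the whole parent domain."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("WEBMAIL_SESSION", "s3ss10n-demo", "mail.example.com"))
    jar.set_cookie(make_cookie("SSO", "sso-demo", ".example.com"))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar's policy would attach to a request for
    url, or None when nothing in the jar is in scope for that origin."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def cookie_names_for(jar, url):
    """Names of the cookies that would be sent to url (empty list if none)."""
    header = cookie_header_for(jar, url)
    if header is None:
        return []
    return [part.split("=", 1)[0] for part in header.split("; ")]


if __name__ == "__main__":
    jar = build_demo_jar()
    for url in (
        "https://mail.example.com/inbox",     # the webmail itself: both cookies
        "https://social.example.net/feed",    # unrelated site: nothing is sent
        "https://webmail.example.com/",       # sibling host: only the parent-domain SSO cookie
        "http://mail.example.com/inbox",      # plain http: Secure cookies withheld
    ):
        print(f"{url:40} -> {cookie_names_for(jar, url)}")
```

The sibling-host line is the caveat worth noticing: a session cookie scoped to a parent domain (the second constructed cookie) is in scope for every host under it, so the isolation the comment describes holds per host only when the webmail sets its cookies host-only.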
Re: (Score:2)
If only this level of security were true in all browsers and versions. Maybe some day it will be.
Re: (Score:2)
No, they do not even need to know your password. They have your email address as you have to give them one to open the account. With that they will access your contacts even with your password. You can change your password to try and stop them but they will still contact new people that you add to your contacts. I believe that there is collusion going on with Yahoo/Gmail/Hotmail etc.
Re: (Score:2)
Also isn't this exactly what Facebook does/did?
Fuck class action (Score:2)
If we are going to be a 'nation of laws' then we need stop being hypocritical in their application. But of course, the law is typically made to bully the small guy to the betterme
Re: (Score:2, Informative)
I pledge allegiance to the flag of the United States of America and to the republic for which it stands, one nation under God, indivisible, with liberty and justice for ALL.
Is a national embarrassment and a flat-out lie. It's liberty and justice for all who can afford it.
Re:Fuck class action (Score:4, Insightful)
No, you are wrong, no 'all' students, only US students. We don't have that 3rd world stuff in the UK.
Re: (Score:2)
And this annoyed me greatly because my non-US citizen children were required to take part in this when in a state school in the USA.
Re: (Score:2)
It is not hacking if you granted them permission [google.com] to do it.
Re: (Score:2)
Data Mining or Cyber-Yenta? (Score:4, Funny)
I certainly noticed LinkedIn had access to my email sent-lists, but after logging into it a thousand times it's hard to know for sure I didn't check, or fail to check, a box that comes up asking my permission to do so. It just takes one time. Maybe this case will succeed, I'm afraid I've succumbed to thinking we have no more privacy or right to cover our tracks than we did walking past gossipy women in medieval villages. LinkedIn, Google, and Facebook have become the modern day cyber-Yentas, sometimes aggravatingly meddlesome, sometimes making a lifelong connection.
Submitted by Anonymous Coward on Saturday September 21, 2013 @09:55AM. Oh shoot...
99% sure I can explain what happened here (Score:5, Interesting)
Here's what I think happened to me (as best I can remember...I'm not about to try to reproduce it): Yeah, sure, look for my contacts (provide Gmail username/password...all assurances are given they won't email anyone without your permission blah blah). LinkedIn shows you a list of a few dozen (IIRC) contacts in a frame (possibly those you most recently exchanged email with?); I deselected all of those and then carefully went through and selected a very small subset I actually wanted to "connect to." Once I've done that, I hit submit (or whatever) and get some confirmation, "We're going to send the invite, okay?" Yeah, sure...it's only sending to a few people, right? SOMEWHERE on that confirmation (again, IIRC) is a checkbox that alludes to the fact that, oh? All the contacts you DIDN'T unselect--IN YOUR ENTIRE CONTACTS LIST--are gonna get an email. Got to the next screen and it said something like "200 emails sent" and the expletives flew. (I can see missing that message...it was small.) Of course I was doing this process while I was watching TV or something--it didn't have my full attention--but the behavior was SO counter to my expectations of opting-in I was floored.
I can see why users would think LinkedIn "stole their contacts when their email was left open"--they're thinking that subset-selecting frame is the only time LinkedIn is (transparently) accessing their account (and therefore shouldn't do anything with contacts that don't appear in that frame, which makes sense in terms of user expectation).
Re: (Score:2)
provide Gmail username/password.
Err, what? Not only did you violate the Gmail terms of service by providing the password to another entity, but if that was also your employer's hosted e-mail service then that is most likely grounds for discipline and/or termination.
Why would you EVER enter your mail password anywhere other than.. your mail provider? WHY?
Re: (Score:2)
Err, what? Not only did you violate the Gmail terms of service by providing the password to another entity,
My thoughts exactly - and if Slashdotters are doing this, it's a good bet everybody else is too, for large values of 'everybody'.
Here's what my friend says to fifth graders to get them to understand: "passwords are like underwear - don't share them with anybody else and change them frequently."
(though the 'change them' part may be obsolete at this point, but if they're going to share them anyway, proba
Re: (Score:2)
Re: (Score:2)
You can have LinkedIn import your email contacts for 'contact suggestions'
This is a case of confusing UI defaults
I think there is a case for calling this Social Engineering [wikipedia.org].
LinkedIn is a joke (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
How is that possible. I have a LinkedIn account I never really use, but I thought you had to accept someones invite before they could recommend you, etc. Is that not the case?
Yes, that is the case...a direct link to someone is required to endorse them.
Unlike Facebook, unless you really know these people directly, you shouldn't be linked to them. The whole point of LinkedIn (and what got me my current job) is that you use the people you do know to connect to someone you don't so that you can then develop a real relationship with them to help you in your business (either by getting you a job or by finding someone you can hire). It's just like having your friend introduce you to
I simply don't do any email from the browser ... (Score:2)
... I use to login to LinkedIn. That way THEIR web client code can't get into my web based email (more than one site) using holes in the browser. For each site I have configured, there is a separate virtual HOME directory the browser is using, so things like cookies and browser processes are fully separated. I can log in to LinkedIn with one process and log in to Gmail with another process and there's no information going between. I can even login to 2 or more different Gmail accounts at the same time u
Re: (Score:2)
Re: (Score:2)
A truly fully secure browser would prevent them from even knowing if you use email at all, and certainly not let them get to your email.
Something Odd (Score:5, Interesting)
Re: (Score:2)
There is no possible way they could have accessed my email
The thought just occurred to me, that they don't need to access your email. Suppose you send an email to 10 people, and one of those 10 people lets Linked In access their email. Now they can pair off you with each of those 10 people, and suggest that each of these 10 people should connect with you, and that you should connect with them.
Your "friends" are likely to blame (Score:2)
Re: (Score:2)
That's because, if you look at your Google+ settings, it has a feature that lets you share your location with your circles and contacts. Whether your location is shared or not, and with whom, is under your control, but Maps needs to read your contact list to know who's in it so it knows who's eligible to see your location, since it's the app on the phone that handles monitoring and updating your location.
This can be both intrusive and useful. If I were making a cross-country trip I'd likely enable location sh
Re: (Score:2)
The answer is likely "the other people". You know how Facebook knows everything about you despite not having an account? Other people search for you (establishing that they know you), tag you in pictures (establishing what you look like), helpfully give up your phone number and, so on...
These doctors, lawyers, and business associates have likely searched for you on LinkedIn and that's how they know. (Or they volunteered their address book and you're listed in it.) Good security practices and social networki
Re: (Score:2)
Re: (Score:2)
They likely aren't searching for nefarious reasons, but are just curious about something or other. That's not to say that it's appropriate, though.
As for the confidentiality, I think we've really hit on one of the scarier aspects of social media. I doubt that they know or would ever really understand that searching for something leaks so much information. It seems innocuous, like flipping through a phone book, but it's closer to calling up your local spy agency and asking if they have a file on someone. The
Wait, You stayed logged into Gmail (Score:3, Interesting)
And you were shown an "allow application" screen stating "The site www.linkedin.com is requesting access to your Google Account for the product(s) listed below. ...."
Google Contacts
And you clicked Grant Access, possibly without reading and understanding the fine print of the service agreement, or clicking the LEARN MORE link.
And your "I don't really care about my privacy" attitude is LinkedIn "hacking" your account?
How is it fair to imply Linkedin has all the due care burden regarding your privacy, and YOU HAVE NONE?
If you don't care about your privacy you are eventually going to get burned
They could have posted a privacy policy stating "We can share all your details, including personal identifying information, browsing history, click history, ALL EMAIL MESSAGES IN YOUR MAILBOX, Sent Mail, Mail folders, etc., with anyone and everyone, at our sole discretion," and you would have never noticed.
Re: (Score:2)
Likely not what the plaintiffs think (Score:2)
I know LinkedIn isn't doing it to me, because the IMAP/SMTP server I use for e-mail doesn't have my contacts on it. IMAP and SMTP don't even have the concept of contacts or an address book. End of problem.
Likely the LinkedIn users in question use a webmail service like GMail and gave LinkedIn access to their e-mail account to import their contacts. You get asked for this when setting up your LinkedIn account, and if you're using a browser that's logged into Google the LinkedIn site may try to get access dir
I have never given linkedin my email password (Score:2)
...even though it continually nags me for it. I know several people who linkedin has connected to me online only because they let the system into their email.
I can see it happening (Score:2)
Maybe they were accessing a cookie? (Score:2)
Maybe they used a cookie for an email session that was already opened by the browser?
Comment removed (Score:5, Interesting)
I think they are using the mobile apps (Score:5, Interesting)
I am in a similar situation where I have a couple of Google Apps accounts that I ONLY use for work-related purposes. NOTHING ELSE. Never authorise anything to use them; keep it all on my personal. Sure enough, LinkedIn has slurped some contacts from sent items. I use different passwords for everything. I hardly have even used LinkedIn, much less with a work-related email account open (I hardly open them). The ONLY way they could have stolen it (that is the only thing running at the same time) would be a mobile app, either from my Android or iOS device. I have these work accounts set up permanently on these devices and, foolishly it seems, loaded the LinkedIn app.
Funny enough ALL these email accounts have been getting spam lately from "Dr OZ" to their actual address, which is strange when I use disposable email addresses for EVERYTHING, including client contact. The only thing I use the actual address for is to log in and set up the mail client. These email addresses must have been slurped from a mobile app, not sure if it was LinkedIn or another app.
Comment removed (Score:5, Interesting)
Re: (Score:2)
What are the chances you use the same password for all these throwaway accounts? You claim you don't, but since you claim to use throwaway accounts often, it seems likely you would have to consolidate your password list to something very short.
If you did that, chances are you also used the same password for your LinkedIn account. Just sayin.
Re:I think they are using the mobile apps (Score:4, Informative)
LastPass.
can not access my contact list (Score:2)
After this happened with my yahoo contact list, I changed my linkedin e-mail to a non-yahoo email. I received a message from linkedin that they could not access my contact list and they told me to change my e-mail service provider.
Re: (Score:2)
Maybe they used a cookie for an email session that was already opened by the browser?
If that is so, then the web-based e-mail provider has a very serious XSS+CSRF (Cross-Site Request Forgery) issue.
If Linkedin can do it, then so can any malicious website you happen to click on in Outlook.
Re: (Score:3)
"Maybe they used a cookie for an email session that was already opened by the browser?"
Unlikely.
If they were doing this at all, I'd give you 10 to 1 they were just trying the external email accounts using the same passwords the users use on LinkedIn. That's easy, and it would likely have a success rate of 50% or even more.
More troubling: if that's what they did it implies that LinkedIn stores your password in plaintext somewhere.
Re: (Score:3)
And even more troubling, it would be a serious violation of the law in many states to do so.
Just because you learn both my email address and password doesn't give you authority to log in.
If Google can prove they did log in, that alone might be enough for a huge lawsuit.
Personally I suspect the LinkedIn Android app slurps your addresses from the phone, but I'm not about to install it and find out.
My spam folder is full of Linkedin invitations.
Re: (Score:2)
"Personally I suspect the LinkedIn Android app slurps your addresses from the phone, but I'm not about to install it and find out.
My spam folder is full of Linkedin invitations."
Good point. I hadn't considered the Android app. Those things need better security + privacy controls.
The hell of it is, everybody denies it, but Google purposely designed Android to give access to users' data. (Just like it purposely designed Google to slurp users' data at every opportunity.)
That's why I'm seriously considering CyanogenMod for my phone. It's an "open source" environment that really is open.
Re: (Score:2)
As a long-time Cyanogenmod user, I've got to ask:
Cyanogenmod helps this problem...how, exactly?
Re: (Score:2)
Or just tried the person's linkedin password for accessing the email.
Re: (Score:2)
They probably exploited that many of their customers used the same password for their site and the email account. After that it's just a matter of scraping web interfaces (Google, Yahoo, Exchange, ...) for the contact data.
Re:What the hell is "left open"? (Score:5, Informative)
They probably exploited that many of their customers used the same password for their site and the email account.
Which makes the linked-in customers idiots. However: if this is what linked-in have done then they should be prosecuted to the fullest extent of the law; in the UK that would be under the Computer Misuse Act [wikipedia.org], and those responsible should be extradited from the USA if necessary. I am not talking about some minion in a technical department but the director who was responsible.
Re: (Score:2, Insightful)
Wouldn't that also imply clear-text password storage at the LinkedIn end? In itself quite a bad revelation if that is the case.
Re: (Score:3)
Re: (Score:3, Interesting)
Re: (Score:2, Funny)
Help help, I am the real Astronomerguy. The person above hacked my LinkedIn account. Please contact Cyberpolice.
Re:What the hell is "left open"? (Score:5, Insightful)
I already forgot what I did on LinkedIn when I joined it several years ago, but didn't we all give them our contact lists voluntarily so they will check if our acquaintances have it? Maybe I am confusing this with Google+.
Re: (Score:2)
> Which makes the linked-in customers idiots.
They're not customers any more than cattle are customers of the slaughterhouse. Their main customers are recruiters.
Re: (Score:2)
They tried using people's linkedin passwords for their email accounts, and since many people reuse passwords they got in.
Re: (Score:2)
If this can be proved, it's a violation of CFAA -- unless you gave them permission to get contacts from your accounts. Does anybody read that mess of legalese in the terms of service you agree to when you join/connect to LinkedIn?
Re: (Score:2)
unless you gave them permission to get contacts from your accounts.
The users probably did by not unchecking a checkbox somewhere.
Re: (Score:3)
Which would require clear text storage of LinkedIn passwords. In 2012 when there was a compromise, LinkedIn claimed that they stored an unsalted hash.
Re: (Score:2)
Which would require clear text storage of LinkedIn passwords. In 2012 when there was a compromise, LinkedIn claimed that they stored an unsalted hash.
Not necessarily. When the user creates an account or anytime the user logged in LinkedIn could use the password they received to do the email login. It doesn't matter that the password is stored as a hash.
Re: (Score:2)
"an unsalted hash", not "only an unsalted hash". Seems like they used the plaintext password to access people's email accounts and then discarded them, keeping only the hashes.
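The last few replies turn on a distinction worth seeing in code: how a password is stored (unsalted hash, salted hash, plaintext) is separate from the fact that the login handler holds the plaintext for the duration of every login. The following is an added example, not LinkedIn's code and not from the thread; the user names and passwords are constructed test values, and the PBKDF2 iteration count is an assumption chosen to keep the demo quick. It contrasts the unsalted single-hash scheme the thread mentions with a salted, iterated one, and the UserStore class marks the only two places the plaintext ever exists.

```python
"""Password storage sketch for the 'unsalted hash vs plaintext' point above.
Added example, not LinkedIn's code and not from the thread; user names and
passwords are constructed test values.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; assumption, kept modest so the demo runs fast


def unsalted_sha1(password: str) -> str:
    """The weak scheme the thread refers to: one fast hash, no salt. Two users
    with the same password get the same digest, so one precomputed table
    cracks every account that shares it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh random salt per user makes equal
    passwords produce different records and defeats precomputed tables.
    Record format (our own): algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class UserStore:
    """Minimal account store. The point the replies make: register() and
    login() necessarily receive the plaintext, so a hash on disk says nothing
    about what a service does with the password in that moment. The safeguard
    is design, not storage: the plaintext goes to the verifier and nowhere else."""

    # Constructed record used so a lookup for an unknown user costs the same
    # as a real verification (no timing hint about which users exist).
    _DUMMY = store_salted("dummy-password")

    def __init__(self):
        self._records = {}

    def register(self, user: str, password: str) -> None:
        # Only the salted record is retained; the plaintext goes out of scope here.
        self._records[user] = store_salted(password)

    def login(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            verify_salted(password, self._DUMMY)
            return False
        return verify_salted(password, record)


if __name__ == "__main__":
    print("unsalted, alice:", unsalted_sha1("hunter2"))
    print("unsalted, bob:  ", unsalted_sha1("hunter2"), "(identical)")
    print("salted, alice:  ", store_salted("hunter2"))
    print("salted, bob:    ", store_salted("hunter2"), "(differs)")
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.login("alice", "correct horse battery staple"))
    print("login bad:", store.login("alice", "wrong"))
```

The practical consequence for the thread's question: a leaked table of unsalted hashes tells you the site stored passwords badly, but it neither proves nor rules out that the plaintext was used for something else at login time. Delegated access (the OAuth-style "Grant Access" screen described earlier in the thread) avoids the issue entirely, because the mail provider never hands the third party a password at all.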
Re:What the hell is "left open"? (Score:4, Interesting)
Not quite true. When I opened a Facebook account several years ago, I registered using my Yahoo account. I know how often I have changed my password and there are some specific times when I have changed all my passwords when I have had a virus or a rabid g/f using my computer. Facebook manages to recommend people that have been added to my Yahoo contacts since the password has been changed and they have no legitimate way of knowing who I add. I only use Yahoo for work contacts and use Gmail for my friends but none of my new Gmail contacts get recommended to me. The contacts on Yahoo are not contacts of my friends who are contacts on Gmail. I am absolutely certain that Facebook has access to my Yahoo contacts in the way that these guys are certain that LinkedIn is doing to them. I assume that Yahoo etc. allow this to happen and now I always use throwaway addresses.
Re:What the hell is "left open"? (Score:5, Insightful)
I'd say it's more likely that one of your friends is allowing Facebook to scrape their email account and you are getting associated in that way. There's no need for them to hack your account when they can get all that data from someone else. No matter how much we try to keep our privacy, it's easily destroyed when one of our connections gives up all their data.
This is true (Score:3)
This is true. That is exactly what they do. They even check CC: headers to see what sort of link you have and weed out the mailing list sender addresses and stuff. Since the amount of people allowing LinkedIn access to their account is so big, even if you don't give them access to yours, they will still be able to figure out about 80% of your contact list. This company is extremely good at "Big Data" and correlating it. It's why their platform is the most popular and by far the biggest "business contact" so
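The two comments above describe inference from other people's uploads: address books and CC: headers that members chose to share, with mailing-list addresses weeded out. The example below is added here to show that mechanism end to end; it is not LinkedIn's code and not from the thread, and every address, address book and message in it is constructed. The list-address heuristic (a list- prefix, a lists. subdomain, noreply senders) is an assumption standing in for whatever filtering a real service applies. The person to watch is carol@corp.example, who uploaded nothing and still ends up with a full set of suggestions.

```python
"""How a service can place someone in its contact graph without that person
ever uploading anything: enough of their correspondents did. Added example,
not LinkedIn's code and not from the thread; every address, address book and
message below is constructed.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Constructed: one member consented to an address-book import ...
UPLOADED_BOOKS = {
    "alice@example.org": ["bob@example.net", "carol@corp.example",
                          "list-announce@lists.example"],
}
# ... and another let the service read sent mail. carol@corp.example shared nothing.
UPLOADED_MAIL = {
    "bob@example.net": [
        "From: bob@example.net\n"
        "To: carol@corp.example\n"
        "Cc: dave@example.com, list-announce@lists.example\n"
        "Subject: quarterly numbers\n\n(body omitted)\n",
    ],
}


def is_list_address(addr):
    """Heuristic for mailing-list and automated addresses, the 'weeding out'
    the comment describes (assumption: list- prefix, lists. subdomain, noreply)."""
    local, _, domain = addr.lower().partition("@")
    return (local.startswith("list-") or domain.startswith("lists.")
            or "noreply" in local or "no-reply" in local)


def participants(raw_message):
    """Addresses on From/To/Cc of one message, minus list addresses."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    found = {addr.lower() for _name, addr in getaddresses(headers) if addr}
    return {a for a in found if not is_list_address(a)}


def build_graph(books, mail):
    """Undirected 'knows' graph: book owner <-> each contact, and every pair of
    people who appear together on one shared message."""
    graph = defaultdict(set)

    def link(a, b):
        if a != b:
            graph[a].add(b)
            graph[b].add(a)

    for owner, contacts in books.items():
        for contact in contacts:
            if not is_list_address(contact):
                link(owner.lower(), contact.lower())
    for _owner, messages in mail.items():
        for raw in messages:
            people = sorted(participants(raw))
            for i, a in enumerate(people):
                for b in people[i + 1:]:
                    link(a, b)
    return graph


def suggestions_for(graph, address):
    """'People you may know' for address, whether or not it ever uploaded anything."""
    return sorted(graph.get(address.lower(), ()))


if __name__ == "__main__":
    g = build_graph(UPLOADED_BOOKS, UPLOADED_MAIL)
    for who in ("carol@corp.example", "dave@example.com", "list-announce@lists.example"):
        print(f"{who:30} -> {suggestions_for(g, who)}")
```

Carol's three suggestions come entirely from Alice's address book and Bob's CC line; the only defence on her side is the one the later comment gives, which is that her own restraint does not control what her correspondents share.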
Re: (Score:2)
When I login to my Linked-in account I'm given the option to supply them with my email credentials.
http://s3.danscomp.net/linked-in_email_login.jpg [danscomp.net]
Pretty obvious that you're handing them access to your email account. The plaintiffs are idiots.
Re: (Score:3)
'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'
Re: (Score:3)
Uh, better yet, don't use LinkedIn; it's a dumping ground for people who pad their résumés (CVs).
Re: (Score:2)
... AND do not login to your email using the same browser you login to LinkedIn with. Unfortunately, most people use the same browser. Sue the browser maker and get the money back that you paid for the insecure browser.
Re: (Score:3)
I do use the same browser to log into gmail as I use for LinkedIn, yet, LinkedIn has never mined my gmail contacts. LinkedIn keeps nagging me to give it my gmail password so that it can mine my gmail contacts and I nearly did this once because of the less than clear information on the page. So, for the people who are complaining, either:
1. LinkedIn tried using their LinkedIn password against their email login, or:
2. they m
Re: (Score:2)
Re:Doesn't make sense (Score:4, Informative)
The part after "@" gives them all the info they need (e.g. @gmail.com @yahoo.com).
No, it doesn't. That gives you enough info to look up the MX (or if lacking that, A) records in DNS to find out where to send mail to. It doesn't tell the address of the server where the user accesses the delivered mail.
I'm myname@somecompany.com, but to fetch mail, I have to go to na-pop3.othercompany.com
And even then, there's no address book available over the pop3 protocol. Just my mail.
Re: (Score:2)
Re: (Score:2)
This gives them enough to access the email where the browser itself is logged in to.
Re: (Score:2)
Re:Doesn't make sense (Score:5, Informative)
Their client-side code is running in the same web browser that the user logged in to their web-based email with. It's a browser security issue. Once they know the domain in your email address, they know how to watch you for when you log in to your email web site. They don't need the password since it is already logged in. They can't get the password used, but they can get the email contact list, and the contents of the email you are currently reading.
Re:Doesn't make sense (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
I think that the various companies collude.
Re: (Score:2)
I think that the various companies collude.
If so, wouldn't it be a lot simpler for them to just send each other the address lists, instead of enabling a company to take advantage of browser insecurities to perhaps glean that information?
Re: (Score:3, Insightful)
Working in the Corporate world, I've seen this happen to people before. They sign up on LinkedIn, suddenly everyone on their contacts list starts getting "invites".
All the examples I've personally seen were people who accessed LinkedIn on a smartphone. One co-worker suddenly started spamming invites to a couple distribution lists at the company.... he had just logged in using his work-supplied phone and it scraped his contact list. And since he's always 'logged in' with the work email, it started scraping t
Re: (Score:2)
my money would be on the mobile app
I looked at it and the permissions and refuse to go near it again.
Wants to know and access everything.
Now this makes a lot more sense than having a bot impersonate people on dozens of different webmail accounts with different authentication schemes, different methods of accessing the address book (if it exists). The latter would not only be considered a felony most places, but it also would be really hard to program so it would give a decent yield or not be detected.
A mobile app, on the other hand, which the user stupidly gives explicit access to read your address book, now that's giving it away. Immoral,
root your Android... (Score:2)
Re: (Score:2)
Except those same permissions are in chrome, opera, dolphin, Firefox... So you just don't use a web browser then?
No, they're not. Opera doesn't require access to your accounts, for example. And the Android Browser doesn't require access to your hardware.
Someone should set up a grid where you can compare the permissions you have to give each app, because they're definitely not the same.
Re: (Score:2)
Click-through contracts are bullshit, just like read-through contracts where by reading to the end of this sentence you agree to give me $10,000.
Re: (Score:2)
I know that it is not done on /. to RTFA but follow the flow of the discussion at least. You can 'READ' what it says, and they say they will not contact anyone without your permission. That is the contract. You can decline the option of letting them access your contacts; they still will. Then you can change your password to stop them; they still will. Without your permission or your password, that is hacking. I think that collusion is actually more likely as all these companies are address farms and th
Re:Dead mom (Score:5, Interesting)
I've seen other names come up in LinkedIn that could only be via my Google contacts.
Or, LinkedIn could just have an insanely good algorithm. I was recently presented with a "someone you might know" when I logged in to LinkedIn, and I did know them, but I have no clue how LinkedIn figured it out.
They had just joined LinkedIn in the past week. They used a different e-mail address (different provider/domain) from the one I contact them with and the e-mail address they contact me with isn't the one that LinkedIn has for me. I don't use any webmail (host my own e-mail and access via imap) and so LinkedIn can't get any contacts from me, even if they did "hack my e-mail" (which is unlikely as my e-mail username isn't the e-mail address they have for me and the password for my actual account isn't the same as my LinkedIn login). All of their links at the time were people from their new work (I don't work with them...they are just a friend).
So, basically, LinkedIn had no direct way to connect us, yet it did.
Re: (Score:2)
You should flag them as what they are: spam. If this is done regularly the filters might pick up on it, along with blacklists.
Re: (Score:3)
The problem is that mostly this stuff is given voluntarily. It's just not given by you. You voluntarily connect with person A, for good reasons. And then person A for reasons that seem good to them (maybe because in their work the connections they have has an impact on their income) makes it public that they're connected to you. Then for good reasons they connect to person B. And person B is careless, or doesn't think, and they let a site siphon up their connections. Presto, that site now knows about your c