Social Networks Privacy The Courts

LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts 210

Posted by timothy
from the unending-spam-source dept.
cold fjord writes with this Business Week report: "LinkedIn Corp. ... was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts' addresses. The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site ... 'LinkedIn's own website contains hundreds of complaints regarding this practice,' they said in the complaint filed Sept. 17. ... LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open ... 'LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'" "This puts an interesting twist on LinkedIn's recent call for transparency," adds cold fjord. (More at Bloomberg.)
  • This happened to me (Score:5, Informative)

    by Duncan J Murray (1678632) on Saturday September 21, 2013 @09:38AM (#44911257) Homepage

    It was embarrassing and prompted me to close the account. Clearly a violation of privacy. I think at the time I used the same password as for my email account.

  • by stereoroid (234317) on Saturday September 21, 2013 @09:44AM (#44911289) Homepage Journal

    I know LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them, but you can just ignore that. It isn't mandatory, but if you don't read what it says on screen, you might think it is. So I'm more inclined to suspect that's what happened: the complainant entered his email address and password when prompted, and now thinks he's been hacked.

    • by Greg01851 (720452) on Saturday September 21, 2013 @09:46AM (#44911301)
      Exactly my thoughts. You can have LinkedIn import your email contacts for 'contact suggestions' https://www.linkedin.com/fetch/importAndInviteEntry?trk=nav_responsive_sub_nav_add_connections [linkedin.com] These people probably did this and forgot that they did so.
      • by mapkinase (958129)

        > These people probably did this and forgot that they did so.

        Actually that's about the only thing I remember now.

        Since we are talking about LinkedIn, what do you guys do with the flurry of all those "endorsement" that started several months ago? I suspect those are just from people randomly pressing buttons on their screens, because I got those from people who have no idea what I am doing right now.

        I feel uneasy not reciprocating to those but so far I am standing my ground. May be I am the black sheep of

        • by nabsltd (1313397)

          Since we are talking about LinkedIn, what do you guys do with the flurry of all those "endorsement" that started several months ago? I suspect those are just from people randomly pressing buttons on their screens, because I got those from people who have no idea what I am doing right now.

          I feel uneasy not reciprocating to those but so far I am standing my ground. May be I am the black sheep of my network because of that....

          Like anything else concerned with my work history/resume, I treat it with honesty.

          If I personally know somebody is really good at something, I'll endorse them. Otherwise, it doesn't matter how good a friend they are, I won't. To be honest, I'd like there to be a "negative endorsement" system, too. Since only direct links would be allowed to do this, it would make people only link to people they really have a connection to, and would keep people more honest about their skills.

        • by ahodgson (74077)

          A lot of the time when you log in it gives you a bunch of recommended endorsements and you can just say sure, endorse them all. Or go through hundreds of them and pick and choose. Or just ignore the whole thing. I get endorsements from people who have no idea what I actually do, so I'm thinking a lot of people just pick option 1.

    • by Stan92057 (737634) on Saturday September 21, 2013 @10:03AM (#44911371)
      Think about that for a second

      " LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them"

      LinkedIn users are too stupid to email and connect to Their friends on Their own?? This isn't a service, it's an email address spidering scam
    • by Skapare (16644)

      However, if LinkedIn can figure out where you login to to read your email, which is not hard to do, AND if you are logged in to your email when they try to login as you with the same browser, then THEY can get it because it is your browser that is logging in. Wanna see how that works? Login to your email, then press Ctrl+N and make a new browser, and login to your email from the new browser. Hint: it's just a window on the same browser.

      They don't need your password.

      • by radish (98371)

        Cookies are bound to domains, and JS isn't allowed to cross domains (same origin policy). So yes, you can open a new tab or window and get into your mail without a login, but no, another site in another tab can't just suck down that data. Well, unless they're using an XSS exploit or something, but that would be what they're being accused of :)
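The distinction drawn in the comment above, as an added example that is not part of the original thread: a simplified model of RFC 6265 cookie domain matching and the same-origin check, showing why a second window on the mail site is logged in while a page on another site sees neither the cookie nor the response. The host names and cookie names are constructed; path, expiry and the Secure flag are left out of the model.

```javascript
// Constructed cookie jar for a browser logged in to a webmail site.
// Hosts and cookie names are hypothetical sample data.
const jar = [
  { name: "MAILSESS", domain: "mail.example.com", hostOnly: true, httpOnly: true },
  { name: "prefs", domain: "example.com", hostOnly: false, httpOnly: false },
];

// RFC 6265 section 5.1.3 domain matching, plus the host-only flag:
// a host-only cookie matches its exact host, a Domain= cookie also
// matches subdomains (the leading dot stops "evilexample.com").
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  if (h === d) return true;
  if (cookie.hostOnly) return false;
  return h.endsWith("." + d);
}

// Cookies the browser attaches to a request for `url`. Every tab and
// window shares this jar, which is the Ctrl+N observation in the thread.
function cookiesSentTo(url) {
  const host = new URL(url).hostname;
  return jar.filter((c) => domainMatches(host, c)).map((c) => c.name);
}

// Cookies a script on `pageUrl` can see through document.cookie:
// only those matching the page's own host, and never HttpOnly ones.
function cookiesVisibleToScript(pageUrl) {
  const host = new URL(pageUrl).hostname;
  return jar
    .filter((c) => !c.httpOnly && domainMatches(host, c))
    .map((c) => c.name);
}

// Same-origin policy: scheme, host and port must all match before a
// script may read another document or a response body.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

const mail = "https://mail.example.com/inbox";
const other = "https://social.example.net/home";
console.log("new mail window sends:", cookiesSentTo(mail));
console.log("other site's script sees:", cookiesVisibleToScript(other));
console.log("other site may read mail page:", sameOrigin(other, mail));
```

The model covers only the rules the comment names; a script-injection flaw on the mail site itself would run inside the mail origin, which is the exception the comment mentions.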

        • by Skapare (16644)

          If only this level of security were true in all browsers and versions. Maybe some day it will be.

    • by Zemran (3101)

      No, they do not even need to know your password. They have your email address as you have to give them one to open the account. With that they will access your contacts even with your password. You can change your password to try and stop them but they will still contact new people that you add to your contacts. I believe that there is collusion going on with Yahoo/Gmail/Hotmail etc.

    • Also isn't this exactly what Facebook does/did?

  • If they accessed email accounts without consent, then it is criminal action, and should be treated accordingly. The managers who signed off on such behaviors and any techs who performed them or created tools to, should be charged and tried with whatever hacking statutes apply. Then the company should be made to pay the victims.

    If we are going to be a 'nation of laws' then we need stop being hypocritical in their application. But of course, the law is typically made to bully the small guy to the betterme

    • Re: (Score:2, Informative)

      by Stan92057 (737634)
      When we were students and all students say every morning

      I pledge allegiance to the flag of the united states of America and to the republic which it stands one nation under god indivisible with liberty and justice for ALL.

      Is a national embarrassment and a flat out lie. It's Liberty and Justice for all who can afford it.
    • by mysidia (191772)

      It is not hacking if you granted them permission [google.com] to do it.

      • by Velex (120469)
        Exactly. I'm sick and tired of things people do on computers that they can't be bothered to think all the way through because computers are supposed to be these magical boxes being called "hacking."
  • by retroworks (652802) on Saturday September 21, 2013 @09:57AM (#44911339) Homepage Journal

    I certainly noticed LinkedIn had access to my email sent-lists, but after logging into it a thousand times it's hard to know for sure I didn't check, or fail to check, a box that comes up asking my permission to do so. It just takes one time. Maybe this case will succeed, I'm afraid I've succumbed to thinking we have no more privacy or right to cover our tracks than we did walking past gossipy women in medieval villages. LinkedIn, Google, and Facebook have become the modern day cyber-Yentas, sometimes aggravatingly meddlesome, sometimes making a lifelong connection.

    Submitted by Anonymous Coward on Saturday September 21, 2013 @09:55AM. Oh shoot...

  • by JoyW (746243) * on Saturday September 21, 2013 @09:59AM (#44911347)
    This is a case of confusing UI defaults, I think, but given that *I* also got caught by it (and was mortified), even though LinkedIn isn't "hacking" anybody, I don't have a lot of sympathy for them (LinkedIn--have enormous sympathy with the users, even though I suspect their case won't stand up in court).

    Here's what I think happened to me (as best I can remember...I'm not about to try to reproduce it): Yeah, sure, look for my contacts (provide Gmail username/password...all assurances are given they won't email anyone without your permission blah blah). LinkedIn shows you a list of a few dozen (IIRC) contacts in a frame (possibly those you most recently exchanged email with?); I deselected all of those and then carefully went through and selected a very small subset I actually wanted to "connect to." Once I've done that, I hit submit (or whatever) and get some confirmation, "We're going to send the invite, okay?" Yeah, sure...it's only sending to a few people, right? SOMEWHERE on that confirmation (again, IIRC) is a checkbox that alludes to the fact that, oh? All the contacts you DIDN'T unselect--IN YOUR ENTIRE CONTACTS LIST--are gonna get an email. Got to the next screen and it said something like "200 emails sent" and the expletives flew. (I can see missing that message...it was small.) Of course I was doing this process while I was watching TV or something--it didn't have my full attention--but the behavior was SO counter to my expectations of opting-in I was floored.

    I can see why users would think LinkedIn "stole their contacts when their email was left open"--they're thinking that subset-selecting frame is the only time LinkedIn is (transparently) accessing their account (and therefore shouldn't do anything with contacts that don't appear in that frame, which makes sense in terms of user expectation).
    • provide Gmail username/password.

      Err, what? Not only did you violate the Gmail terms of service by providing the password to another entity, but if that was also your employer's hosted e-mail service then that is most likely grounds for discipline and / or termination.

      Why would you EVER enter your mail password anywhere other than.. your mail provider? WHY?

      • Err, what? Not only did you violate the Gmail terms of service by providing the password to another entity,

        My thoughts exactly - and if Slashdotters are doing this, it's a good bet everybody else is too, for large values of 'everybody'.

        Here's what my friend says to fifth graders to get them to understand: "passwords are like underwear - don't share them with anybody else and change them frequently."

        (though the 'change them' part may be obsolete at this point, but if they're going to share them anyway, proba

    • by Solandri (704621)
      There's more going on than that. I have an informal email list set up with a few friends. It's basically a simple forwarder - anything sent to list@example.com gets resent to everyone in the mailing list. Somehow list@example.com ended up with a linkedin account, and we were getting emails sent "from" list@example.com asking us to join linkedin. I never saw a mail inviting list@example.com to join linkedin, the first linkedin-related mail I got was "from" list@example.com asking me to join linkedin. I
    • by fgouget (925644)

      You can have LinkedIn import your email contacts for 'contact suggestions'

      This is a case of confusing UI defaults

      I think there is a case for calling this Social Engineering [wikipedia.org].

  • by paiute (550198) on Saturday September 21, 2013 @10:06AM (#44911389)
    When random people I know only slightly and who don't know my skill set are allowed to "endorse" me for knowledge and training they don't know that I have, it makes the whole of LinkedIn worthless to me except as a source of phone numbers. And often those are not even available. It has become Facebook with a clip-on tie.
    • How is that possible. I have a LinkedIn account I never really use, but I thought you had to accept someone's invite before they could recommend you, etc. Is that not the case?
      • by nabsltd (1313397)

        How is that possible. I have a LinkedIn account I never really use, but I thought you had to accept someone's invite before they could recommend you, etc. Is that not the case?

        Yes, that is the case...a direct link to someone is required to endorse them.

        Unlike Facebook, unless you really know these people directly, you shouldn't be linked to them. The whole point of LinkedIn (and what got me my current job) is that you use the people you do know to connect to someone you don't so that you can then develop a real relationship with them to help you in your business (either by getting you a job or by finding someone you can hire). It's just like having your friend introduce you to

  • ... I use to login to LinkedIn. That way THEIR web client code can't get into my web based email (more than one site) using holes in the browser. For each site I have configured, there is a separate virtual HOME directory the browser is using, so things like cookies and browser processes are fully separated. I can log in to LinkedIn with one process and log in to Gmail with another process and there's no information going between. I can even login to 2 or more different Gmail accounts at the same time u

    • I'm curious, would 2-factor authentication (a la Gmail) prevent them from accessing your account, or is this a XSS or browser session hijacking problem?
      • by Skapare (16644)

        A truly fully secure browser would prevent them from even knowing if you use email at all, and certainly not let them get to your email.

  • Something Odd (Score:5, Interesting)

    by smillie (30605) on Saturday September 21, 2013 @10:53AM (#44911621) Journal
    Linkedin suggests numerous names of people I know but have never exchanged emails with. It even suggested the name of my kid's girlfriend and kid's last name doesn't match mine and we have no common links on linkedin. I've limited my links to old co-workers from AT&T, no family, no friends. There is no possible way they could have accessed my email because it requires an ssh login to a firewall server with a different userid and password, then an ssh connection to the mail server with yet another password. Those passwords are also different than my linkedin password. I'm not on any social media sites except linkedin and slashdot. Neither my slashdot name nor password matches linkedin name or password. There has to be some data mining going on but it's not through email and not through any other social media. I have noticed that others from the companies I've worked for have shown up in the suggestions including people I've never met. I'm not sure why they keep suggesting Texas people who worked for AT&T when I've only been in Michigan. It looks like they could have gotten my email contact list but I know they couldn't have. So I'm thinking that others seeing their email contacts show up might just be mistaken on how linkedin got the names.
    • by siwelwerd (869956)

      There is no possible way they could have accessed my email

      The thought just occurred to me, that they don't need to access your email. Suppose you send an email to 10 people, and one of those 10 people lets Linked In access their email. Now they can pair off you with each of those 10 people, and suggest that each of these 10 people should connect with you, and that you should connect with them.

    • One thing that has disturbed me is how quickly all my efforts to control information about me are quickly undone by a friend or coworker who doesn't care in the same way. All those apps and games on people's phones and tablets with "read contacts" permissions are building a network of information out of my control because people I know also maintain my contact information. For example, the latest google maps update requests the following permission be added - read your contacts. With further description
      • by Todd Knarr (15451)

        That's because, if you look at your Google+ settings, it has a feature that lets you share your location with your circles and contacts. Whether your location is shared or not, and with who, is under your control, but Maps needs to read your contact list to know who's in it so it knows who's eligible to see your location since it's the app on the phone that handles monitoring and updating your location.

        This can be both intrusive and useful. If I were making a cross-country trip I'd likely enable location sh

  • by mysidia (191772) on Saturday September 21, 2013 @12:02PM (#44911915)

    And you got displayed an allow application screen Stating "The site www.linkedin.com is requesting access to your Google Account for the product(s) listed below. ....
    Google Contacts

    And you clicked Grant Access: possibly without reading and understanding the fine print of the service agreement, or clicking the LEARN MORE link

    And your I don't really care about my privacy attitude is Linkedin "hacking" your account?

    How is it fair to imply Linkedin has all the due care burden regarding your privacy, and YOU HAVE NONE?

    If you don't care about your privacy you are eventually going to get burned

    They could have posted a privacy policy stating We can share all your details, including personal identifying information, browsing history, click history, ALL EMAIL MESSAGES IN YOUR MAILBOX, Sent Mail, Mail folders, etc, with anyone and everyone; at our sole discretion, and you would have never noticed.

    • by JoyW (746243) *
      Just had to do some experimenting...it's using OpenID and yes, it tells you it wants access to your contacts (of course...that's why you'd have opted to do that, right?) BUT the UI is very misleading--it's easy to send invites you didn't mean to send in that initial session, and worse, there's nothing that would suggest to users that if you give LinkedIn access in this way ONCE, it will continue to have access until you revoke its access in Google.
  • I know LinkedIn isn't doing it to me, because the IMAP/SMTP server I use for e-mail doesn't have my contacts on it. IMAP and SMTP don't even have the concept of contacts or an address book. End of problem.

    Likely the LinkedIn users in question use a webmail service like GMail and gave LinkedIn access to their e-mail account to import their contacts. You get asked for this when setting up your LinkedIn account, and if you're using a browser that's logged into Google the LinkedIn site may try to get access dir

  • ...even though it continually nags me for it. I know several people who linkedin has connected to me online only because they let the system into their email.

  • Linked in claims that it won't send e-mail to your contacts on your behalf without your permission. What they don't say is that they won't send e-mail to their existing members that happen to be in your contact list. They also don't claim that they won't exploit the knowledge that I am both in your contact list and an existing member. So, I have had a number of e-mails and web pages that list a particular individual as "somebody you may know" because she once answered a classified ad from her yahoo address
