LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts
cold fjord writes with this Business Week report: "LinkedIn Corp. ... was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts' addresses. The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site ... 'LinkedIn's own website contains hundreds of complaints regarding this practice,' they said in the complaint filed Sept. 17. ... LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open ... 'LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'"
"This puts an interesting twist on LinkedIn's recent call for transparency," adds cold fjord. (More at Bloomberg.)
This happened to me (Score:5, Informative)
It was embarrassing and prompted me to close the account. Clearly a violation of privacy. I think at the time I used the same password as for my email account.
Re:What the hell is "left open"? (Score:5, Informative)
They probably exploited that many of their customers used the same password for their site and the email account.
Which makes the LinkedIn customers idiots. However: if this is what LinkedIn has done, then they should be prosecuted to the fullest extent of the law. In the UK that would be under the Computer Misuse Act, and those responsible should be extradited from the USA if necessary. I am not talking about some minion in a technical department but the director who was responsible.
Someone didn't read the screen, methinks. (Score:5, Informative)
I know LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them, but you can just ignore that. It isn't mandatory, but if you don't read what it says on screen, you might think it is. So I'm more inclined to suspect that's what happened: the complainant entered his email address and password when prompted, and now thinks he's been hacked.
Re:Fuck class action (Score:2, Informative)
"I pledge allegiance to the flag of the United States of America, and to the republic for which it stands, one nation under God, indivisible, with liberty and justice for ALL."
Is a national embarrassment and a flat-out lie. It's liberty and justice for all who can afford it.
Re:Doesn't make sense (Score:5, Informative)
Their client-side code is running in the same web browser as the one the user logged in to that user's web-based email with. It's a browser security issue. Once they know the domain in your email address, they know how to watch you for when you log in to your email web site. They don't need the password since it is already logged in. They can't get the password used, but they can get the email contact list, and the contents of the email you are currently reading.
Re:This happened to me (Score:4, Informative)
Do not use the same browser for LinkedIn as for any web-based email. Note that separate windows don't count as separate browsers. Unless you know how to start browsers in a truly separate way, you're better off using separate user IDs on your computer for each web site that might do this (lots of them).
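One concrete way to do what the comment above recommends, added here as an example and not part of any comment or of LinkedIn's code: start the browser with a separate profile directory per site, so cookies, local storage and extension state for LinkedIn never share a process or a profile with webmail. The `--profile`/`--no-remote` flags (Firefox) and `--user-data-dir` (Chromium) are real; the profile root path, the site labels and the `mail.example.com` URL are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: launch a browser with an isolated profile per site so a
# social site and a webmail site never share browser state.
# Assumed layout: one directory per site label under PROFILE_ROOT.
PROFILE_ROOT="${PROFILE_ROOT:-${HOME:-/tmp}/.browser-profiles}"

# Map a site label to its own profile directory, creating it with
# owner-only permissions, and print the path.
profile_dir() {
    label="$1"
    dir="$PROFILE_ROOT/$label"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Print the command line that starts the browser on that isolated profile.
# $1 = browser (firefox|chromium), $2 = site label, $3 = URL to open.
# Firefox needs --no-remote, otherwise it hands the URL to an already
# running instance and the profile separation is silently lost.
launch_cmd() {
    browser="$1"; label="$2"; url="$3"
    dir=$(profile_dir "$label") || return 1
    case "$browser" in
        firefox)  printf '%s\n' "firefox --no-remote --profile \"$dir\" \"$url\"" ;;
        chromium) printf '%s\n' "chromium --user-data-dir=\"$dir\" \"$url\"" ;;
        *) echo "unsupported browser: $browser" >&2; return 1 ;;
    esac
}

# Usage: ./isolate.sh run   (URLs and labels are example values)
if [ "${1:-}" = "run" ]; then
    eval "$(launch_cmd firefox linkedin https://www.linkedin.com/)" &
    eval "$(launch_cmd firefox webmail https://mail.example.com/)" &
    wait
fi
```

Two Firefox windows started this way are two independent processes with two cookie jars; two windows of one profile are not, which is the distinction the comment draws. The same separation can be had with separate OS accounts, at the cost of convenience.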
Re:Doesn't make sense (Score:4, Informative)
The part after "@" gives them all the info they need (e.g. @gmail.com @yahoo.com).
No, it doesn't. That gives you enough info to look up the MX (or if lacking that, A) records in DNS to find out where to send mail to. It doesn't tell the address of the server where the user accesses the delivered mail.
I'm myname@somecompany.com, but to fetch mail, I have to go to na-pop3.othercompany.com
And even then, there's no address book available over the pop3 protocol. Just my mail.
Re:I think they are using the mobile apps (Score:4, Informative)
LastPass.