
LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts 210

cold fjord writes with this Business Week report: "LinkedIn Corp. ... was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts' addresses. The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site ... 'LinkedIn's own website contains hundreds of complaints regarding this practice,' they said in the complaint filed Sept. 17. ... LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open ... 'LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'" "This puts an interesting twist on LinkedIn's recent call for transparency," adds cold fjord. (More at Bloomberg.)
  • by JoyW ( 746243 ) * on Saturday September 21, 2013 @09:59AM (#44911347)
    This is a case of confusing UI defaults, I think, but given that *I* also got caught by it (and was mortified), even though LinkedIn isn't "hacking" anybody, I don't have a lot of sympathy for them (LinkedIn--have enormous sympathy with the users, even though I suspect their case won't stand up in court).

    Here's what I think happened to me (as best I can remember...I'm not about to try to reproduce it): Yeah, sure, look for my contacts (provide Gmail username/password...all assurances are given they won't email anyone without your permission blah blah). LinkedIn shows you a list of a few dozen (IIRC) contacts in a frame (possibly those you most recently exchanged email with?); I deselected all of those and then carefully went through and selected a very small subset I actually wanted to "connect to." Once I've done that, I hit submit (or whatever) and get some confirmation, "We're going to send the invite, okay?" Yeah, sure...it's only sending to a few people, right? SOMEWHERE on that confirmation (again, IIRC) is a checkbox that alludes to the fact that, oh? All the contacts you DIDN'T unselect--IN YOUR ENTIRE CONTACTS LIST--are gonna get an email. Got to the next screen and it said something like "200 emails sent" and the expletives flew. (I can see missing that message...it was small.) Of course I was doing this process while I was watching TV or something--it didn't have my full attention--but the behavior was SO counter to my expectations of opting-in I was floored.

    I can see why users would think LinkedIn "stole their contacts when their email was left open"--they're thinking that subset-selecting frame is the only time LinkedIn is (transparently) accessing their account (and therefore shouldn't do anything with contacts that don't appear in that frame, which makes sense in terms of user expectation).
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Saturday September 21, 2013 @10:45AM (#44911575)
    Comment removed based on user account deletion
  • Something Odd (Score:5, Interesting)

    by smillie ( 30605 ) on Saturday September 21, 2013 @10:53AM (#44911621) Journal
    Linkedin suggests numerous names of people I know but have never exchanged emails with. It even suggested the name of my kid's girlfriend and kid's last name doesn't match mine and we have no common links on linkedin. I've limited my links to old co-workers from AT&T; no family, no friends. There is no possible way they could have accessed my email because it requires an ssh login to a firewall server with a different userid and password, then an ssh connection to the mail server with yet another password. Those passwords are also different than my linkedin password. I'm not on any social media sites except linkedin and slashdot. Neither my slashdot name nor password matches linkedin name or password. There has to be some data mining going on but it's not through email and not through any other social media. I have noticed that others from the companies I've worked for show up in the suggestions including people I've never met. I'm not sure why they keep suggesting Texas people who worked for AT&T when I've only been in Michigan. It looks like they could have gotten my email contact list but I know they couldn't have. So I'm thinking that others seeing their email contacts show up might just be mistaken on how linkedin got the names.
  • Re:Dead mom (Score:5, Interesting)

    by nabsltd ( 1313397 ) on Saturday September 21, 2013 @11:15AM (#44911697)

    I've seen other names come up in LinkedIn that could only be via my Google contacts.

    Or, LinkedIn could just have an insanely good algorithm. I was recently presented with a "someone you might know" when I logged in to LinkedIn, and I did know them, but I have no clue how LinkedIn figured it out.

    They had just joined LinkedIn in the past week. They used a different e-mail address (different provider/domain) from the one I contact them with and the e-mail address they contact me with isn't the one that LinkedIn has for me. I don't use any webmail (host my own e-mail and access via imap) and so LinkedIn can't get any contacts from me, even if they did "hack my e-mail" (which is unlikely as my e-mail username isn't the e-mail address they have for me and the password for my actual account isn't the same as my LinkedIn login). All of their links at the time were people from their new work (I don't work with them...they are just a friend).

    So, basically, LinkedIn had no direct way to connect us, yet it did.

  • by Astronomerguy ( 1541977 ) on Saturday September 21, 2013 @11:32AM (#44911779)
    Bah! Rushing through things. My AC post was the one where I declined to give them access to my contacts list and they disregarded my selection and spammed everyone whom I ever corresponded with.
  • by Zemran ( 3101 ) on Saturday September 21, 2013 @11:34AM (#44911787) Homepage Journal

    Not quite true. When I opened a Facebook account several years ago, I registered using my Yahoo account. I know how often I have changed my password and there are some specific times when I have changed all my passwords when I have had a virus or a rabid g/f using my computer. Facebook manages to recommend people that have been added to my Yahoo contacts since the password has been changed and they have no legitimate way of knowing who I add. I only use Yahoo for work contacts and use Gmail for my friends but none of my new Gmail contacts get recommended to me. The contacts on Yahoo are not contacts of my friends who are contacts on Gmail. I am absolutely certain that Facebook has access to my Yahoo contacts in the way that these guys are certain that LinkedIn is doing to them. I assume that Yahoo etc. allow this to happen and now I always use throw away address.

  • by mysidia ( 191772 ) on Saturday September 21, 2013 @12:02PM (#44911915)

    And you got displayed an allow application screen Stating "The site www.linkedin.com is requesting access to your Google Account for the product(s) listed below. ....
    Google Contacts

    And you clicked Grant Access: possibly without reading and understanding the fine print of the service agreement, or clicking the LEARN MORE link

    And your I don't really care about my privacy attitude is Linkedin "hacking" your account?

    How is it fair to imply Linkedin has all the due care burden regarding your privacy, and YOU HAVE NONE?

    If you don't care about your privacy you are eventually going to get burned

    They could have posted a privacy policy stating We can share all your details, including personal identifying information, browsing history, click history, ALL EMAIL MESSAGES IN YOUR MAILBOX, Sent Mail, Mail folders, etc, with anyone and everyone; at our sole discretion, and you would have never noticed.

  • by Quick Reply ( 688867 ) on Saturday September 21, 2013 @04:30PM (#44913293) Journal

    I am in a similar situation where I have a couple of Google Apps accounts that I ONLY use for work-related purposes. NOTHING ELSE. Never authorise anything to use them keep it all on my personal. Sure enough LinkedIn has slurped some contacts from sent items. I use different passwords for everything. I hardly have even used LinkedIn, much less with a work related email account open (I hardly open them). The ONLY way they could have stolen it (That is the only thing running at the same time) would be a mobile app either from my Android or iOS device. I have these work accounts set up permanently on these devices and foolishly it seems loaded the LinkedIn app.

    Funny enough ALL these email accounts have been getting spam lately from "Dr OZ" to their actual address, which is strange when I use disposable email addresses for EVERYTHING, including client contact. The only thing I use the actual address for is to log in and set up the mail client. These email addresses must have been slurped from a mobile app, not sure if it was LinkedIn or another app.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Saturday September 21, 2013 @04:43PM (#44913357)
    Comment removed based on user account deletion
