LinkedIn Accused of Hacking Customers' E-Mails To Slurp Up Contacts

timothy posted about a year ago | from the unending-spam-source dept.

Social Networks 210

cold fjord writes with this Business Week report: "LinkedIn Corp. ... was sued by customers who claim the company appropriated their identities for marketing purposes by hacking into their external e-mail accounts and downloading contacts' addresses. The customers, who aim to lead a group suit against LinkedIn, asked a federal judge in San Jose, California, to bar the company from repeating the alleged violations and to force it to return any revenue stemming from its use of their identities to promote the site ... 'LinkedIn's own website contains hundreds of complaints regarding this practice,' they said in the complaint filed Sept. 17. ... LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open ... 'LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn's servers,' they said. 'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'" "This puts an interesting twist on LinkedIn's recent call for transparency," adds cold fjord. (More at Bloomberg.)

Happy Saturday from The Golden Girls! (-1, Troll)

Anonymous Coward | about a year ago | (#44911197)

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Re:Happy Saturday from The Golden Girls! (-1)

Anonymous Coward | about a year ago | (#44911211)

Duhh, duh-duh-duh, duhhh, duh-DUHHHHH.....meow.

Re:Happy Saturday from The Golden Girls! (-1)

Anonymous Coward | about a year ago | (#44911425)

It's condiment, not cosmonaut. Get it right, dweed.

What the hell is "left open"? (0)

Mitreya (579078) | about a year ago | (#44911217)

LinkedIn required the members to provide an external e-mail address as their username on its site, then used the information to access their external e-mail accounts when they were left open, according to the complaint.

Password = 'password'?

Maybe they were accessing a cookie? (1)

Marrow (195242) | about a year ago | (#44911239)

Maybe they used a cookie for an email session that was already opened by the browser?

Re:Maybe they were accessing a cookie? (4, Interesting)

hairyfeet (841228) | about a year ago | (#44911575)

That was what I was thinking. They probably used something similar to the "Yahoo Porn Bug" that I wrote about in my journal in which some porn sites were using a hidden iFrame to get into yahoo using auto-complete and between that and using an open session cookie that would cover a pretty good chunk of the users.

I'm just glad I gave them my spamdump email and quit using it after a month or so, that place seemed awful spammy to me and if you can't keep your site going without spamming folks? Then frankly you probably aren't worth messing with in the first place.

Re:Maybe they were accessing a cookie? (1)

mysidia (191772) | about a year ago | (#44911859)

Maybe they used a cookie for an email session that was already opened by the browser?

If that is so, then the web-based e-mail provider has a very serious XSS+CSRF (Cross-site Request Forgery) issue.

If Linkedin can do it, then so can any malicious website you happen to click on in Outlook.

Re:What the hell is "left open"? (1)

lennier1 (264730) | about a year ago | (#44911241)

They probably exploited that many of their customers used the same password for their site and the email account. After that it's just a matter of scraping web interfaces (Google, Yahoo, Exchange, ...) for the contact data.

Re:What the hell is "left open"? (5, Informative)

Alain Williams (2972) | about a year ago | (#44911279)

They probably exploited that many of their customers used the same password for their site and the email account.

Which makes the linked-in customers idiots. However: if this is what linked-in have done then they should be prosecuted to the fullest extent of the law, in the UK that would be under the computer misuse act [wikipedia.org], those responsible should be extradited from the USA if necessary. I am not talking about some minion in a technical department but the director who was responsible.

Re:What the hell is "left open"? (2, Insightful)

Anonymous Coward | about a year ago | (#44911361)

Wouldn't that also imply clear-text password storage at the LinkedIn end? In itself quite a bad revelation if that is the case.

Re:What the hell is "left open"? (-1)

Astronomerguy (1541977) | about a year ago | (#44911763)

I posted the above comment. Thought I was logged in :-/

Re:What the hell is "left open"? (2, Interesting)

Astronomerguy (1541977) | about a year ago | (#44911779)

Bah! Rushing through things. My AC post was the one where I declined to give them access to my contacts list and they disregarded my selection and spammed everyone whom I ever corresponded with.

Re:What the hell is "left open"? (2, Funny)

Anonymous Coward | about a year ago | (#44911869)

Help help, I am the real Astronomerguy. The person above hacked my LinkedIn account. Please contact Cyberpolice.

Re:What the hell is "left open"? (1, Troll)

Joining Yet Again (2992179) | about a year ago | (#44911381)

Which makes the linked-in customers idiots

That goes without saying. Never seen a "community" of more self-congratulatory blowhards.

I guess if you can't get a job on merit, you drink with people who can get one for you - and this is the online equivalent for the even lazier.

Re:What the hell is "left open"? (4, Insightful)

mapkinase (958129) | about a year ago | (#44911535)

I already forgot what I did on Linkedin when I joined it several years ago, but didn't we all give them our contact lists voluntarily so they will check if our acquaintances have it? Maybe I am confusing this with Google+

Re:What the hell is "left open"? (1)

Gr8Apes (679165) | about a year ago | (#44911735)

They asked, they didn't get it. Nor a real email either. So no contact list to get, and since it's my spam account.... well, knock yourself out emailing all those spammers. :)

Re:What the hell is "left open"? (0)

Anonymous Coward | about a year ago | (#44911691)

"[LinkedIn] should be prosecuted to the fullest extent of the law, in the UK that would be under the computer misuse act"

That link next to the "I Agree" checkbox ? You need to go ahead and read that, yes sir.

It's physically impossible for LinkedIn to access your contact list without you yourself signing up for their service, accepting their TOS, and supplying them the password for your account. My contact list for example, has not been spammed by LinkedIn.

I would clearly call this type of action "unsolicited commercial mass email" which is illegal in some jurisdictions; I clearly did not request it and a contact of mine cannot give an informed consent on my behalf.

Re:What the hell is "left open"? (1)

The Archon V2.0 (782634) | about a year ago | (#44911867)

> Which makes the linked-in customers idiots.

They're not customers any more than cattle are customers for the slaughterhouse. Their main customers are recruiters.

Re:What the hell is "left open"? (0)

Anonymous Coward | about a year ago | (#44911745)

My passwords were different and despite my declining to let them access my contacts list, the hypocritical motherfuckers spammed everyone who I ever corresponded with.

Re:What the hell is "left open"? (1)

AmiMoJo (196126) | about a year ago | (#44911245)

They tried using people's linkedin passwords for their email accounts, and since many people reuse passwords they got in.

Re:What the hell is "left open"? (1)

Shavano (2541114) | about a year ago | (#44911273)

If this can be proved, it's a violation of CFAA -- unless you gave them permission to get contacts from your accounts. Does anybody read that mess of legalese in the terms of service you agree to when you join/connect to LinkedIn?

Re:What the hell is "left open"? (2)

whoever57 (658626) | about a year ago | (#44911887)

They tried using people's linkedin passwords for their email accounts,

Which would require clear text storage of LinkedIn passwords. In 2012 when there was a compromise, LinkedIn claimed that they stored an unsalted hash.

Re:What the hell is "left open"? (1)

Anonymous Coward | about a year ago | (#44911417)

Password = 'password'?

Hey! That's the same password I use for my gmail account!

Re:What the hell is "left open"? (1)

znrt (2424692) | about a year ago | (#44911629)

Password = 'password'?

"then used the information to access their external e-mail accounts when they were left open ... "

TFA:

‘Your Permission’
The actions were taken even though LinkedIn assures its users when they log in, “We will not e-mail anyone without your permission,” the plaintiffs said.

i always had the impression that those profiles i randomly go to see on linkedin had to correspond to braindead suckers. linkedin just gave confirmation.

--
brave weird world, today

Re:What the hell is "left open"? (0)

Anonymous Coward | about a year ago | (#44911639)

I don't think I understand, how do they log in to my mail server and retrieve contacts? The addresses of people that have emailed me yet I haven't pulled off the server yet? There's no contacts stored on the server itself and I don't imagine many people use the same password for both linkedin and their email.

Re:What the hell is "left open"? (0)

Anonymous Coward | about a year ago | (#44911669)

I think it was also 'linkedin password = email password'
that probably covers a huge chunk of users too

Re:What the hell is "left open"? (3, Interesting)

Zemran (3101) | about a year ago | (#44911787)

Not quite true. When I opened a Facebook account several years ago, I registered using my Yahoo account. I know how often I have changed my password and there are some specific times when I have changed all my passwords when I have had a virus or a rabid g/f using my computer. Facebook manages to recommend people that have been added to my Yahoo contacts since the password has been changed and they have no legitimate way of knowing who I add. I only use Yahoo for work contacts and use Gmail for my friends but none of my new Gmail contacts get recommended to me. The contacts on Yahoo are not contacts of my friends who are contacts on Gmail. I am absolutely certain that Facebook has access to my Yahoo contacts in the way that these guys are certain that LinkedIn is doing to them. I assume that Yahoo etc. allow this to happen and now I always use a throwaway address.

Doesn't make sense (0)

arth1 (260657) | about a year ago | (#44911247)

This does not make sense.
The e-mail address a customer gives LinkedIn contains no information about what server the account is on or what protocol it can be accessed with.
And it certainly doesn't contain the password, unless you use the same password on multiple sites.

It is possible, I guess, that a script could scan the registered addresses for domains where the server and access method is known, and try to access it with the LinkedIn password. But even then, it would be difficult, to say the least, to get an address book out of that, given that most e-mail servers don't store any address book. It would have to be web interfaces. Of which there are hundreds, all doing it differently.

Willem of Ockham tells me that the simplest explanation might be ignorant users combined with greedy lawyers.

Re:Doesn't make sense (0)

Anonymous Coward | about a year ago | (#44911269)

The e-mail address a customer gives LinkedIn contains no information about what server the account is on or what protocol it can be accessed with.

Uh, what? Nine times out of ten, it'll be mail.whatever.is.after.your.at.sign. Protocol? There are only a handful of protocols available, and it's pretty damned easy to figure out which ones are available.

And it certainly doesn't contain the password, unless you use the same password on multiple sites.

Which is a likely thing. But still makes little sense.

The likely thing happening? Nothing nefarious other than collation of publicly available data.

The unlikely thing happening? Pulling a list of contacts via exploitation of shitty webmail apps.

Re:Doesn't make sense (0)

Anonymous Coward | about a year ago | (#44911341)

well, it wouldn't make sense for the millions of internetizens desensitized by porn...

seriously though, this reeks of the bog-standard joogle-data-grab.
what about AMDOCS? what are they hiding behind that nice facade?

Re: Doesn't make sense (0)

Anonymous Coward | about a year ago | (#44911351)

my money would be on the mobile app
I looked at it and the permissions and refuse to go near it again.
wants to know and access everything

Re:Doesn't make sense (1)

Internal Modem (1281796) | about a year ago | (#44911379)

The part after "@" gives them all the info they need (e.g. @gmail.com @yahoo.com).

Re:Doesn't make sense (1)

Skapare (16644) | about a year ago | (#44911419)

This gives them enough to access the email where the browser itself is logged in to.

Re:Doesn't make sense (1)

Zero__Kelvin (151819) | about a year ago | (#44911457)

How do you figure that?

Re:Doesn't make sense (4, Informative)

Skapare (16644) | about a year ago | (#44911571)

Their client side code is running in the same web browser that the user logged in to that user's web based email with. It's a browser security issue. Once they know the domain in your email address, they know how to watch you for when you login to your email web site. They don't need the password since it is already logged in. They can't get the password used, but they can get the email contact list, and the contents of the email you are currently reading.

Re:Doesn't make sense (3, Informative)

Zero__Kelvin (151819) | about a year ago | (#44911683)

I don't use web based email. That being said they can't do what you are claiming they can [wikipedia.org] on any modern browser as far as I know. Do you know of a modern browser that doesn't enforce a same-origin policy?

Re:Doesn't make sense (0)

Anonymous Coward | about a year ago | (#44911705)

So you believe they are exploiting an unpatched XSS vulnerability? Are there any such vulnerabilities that you know of currently in the wild?

Re:Doesn't make sense (1)

Zemran (3101) | about a year ago | (#44911873)

I think that the various companies collude.

Re:Doesn't make sense (3, Insightful)

Anonymous Coward | about a year ago | (#44911565)

Working in the Corporate world, I've seen this happen to people before. They sign up on LinkedIn, suddenly everyone on their contacts list starts getting "invites".
All the examples I've personally seen were people who accessed LinkedIn on a smartphone. One co-worker suddenly started spamming invites to a couple distribution lists at the company.... he had just logged in using his work-supplied phone and it scraped his contact list. And since he's always 'logged in' with the work email, it started scraping the entire company directory.
We awarded them with a permanent spot on our spam Blacklist, and blackholed their IP space.

This happened to me (4, Informative)

Duncan J Murray (1678632) | about a year ago | (#44911257)

It was embarrassing and prompted me to close the account. Clearly a violation of privacy. I think at the time I used the same password as for my email account.

Re:This happened to me (1)

Anonymous Coward | about a year ago | (#44911399)

It apparently happens to a whole bunch of people. At least two people that I hardly know (through my daughter being in the same high school orchestra as their kids and with whom I had exchanged perhaps two email notes in the past) had this happen causing me to get what appeared to be LinkedIn invites coming from these people. Obviously these people would never have invited me willingly. It was LinkedIn scanning their email and finding email addresses to "invite".

Re:This happened to me (4, Funny)

Zero__Kelvin (151819) | about a year ago | (#44911465)

What is it? I want to make sure I don't use the same one.

Re:This happened to me (3, Informative)

Skapare (16644) | about a year ago | (#44911599)

Do not use the same browser for LinkedIn as for any web based email. Note that separate windows doesn't count as separate browsers. Unless you know how to start browsers in a truly separate way, you're better off using separate userids in your computer for each web site that might do this (lots of them).

Re:This happened to me (1)

Zero__Kelvin (151819) | about a year ago | (#44911635)

WHOOOSH

Re:This happened to me (1)

mysidia (191772) | about a year ago | (#44911877)

Do not use the same browser for LinkedIn as for any web based email. Note that separate windows doesn't count as separate browsers.

How about "New Incognito Window" (Chrome) / "Start InPrivate browsing" ?

Re:This happened to me (1, Funny)

Andrewkov (140579) | about a year ago | (#44911553)

Yeah, I'd be embarrassed to have a LinkedIn account too.

Old News (0)

Anonymous Coward | about a year ago | (#44911283)

This is old news. It's real simple. Don't give LinkedIn your email passwords. Problem solved.

Re:Old News (2)

Goaway (82658) | about a year ago | (#44911323)

'LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users' consent.'

Re:Old News (2)

Virtucon (127420) | about a year ago | (#44911451)

Uh, better yet, Don't use LinkedIn it's a dumping ground for people who pad their Resumes (CVs).

Re:Old News (1)

Skapare (16644) | about a year ago | (#44911475)

... AND do not login to your email using the same browser you login to LinkedIn with. Unfortunately, most people use the same browser. Sue the browser maker and get the money back that you paid for the insecure browser.

Re:Old News (2)

whoever57 (658626) | about a year ago | (#44911855)

AND do not login to your email using the same browser you login to LinkedIn with.

I do use the same browser to log into gmail as I use for LinkedIn, yet, LinkedIn has never mined my gmail contacts. LinkedIn keeps nagging me to give it my gmail password so that it can mine my gmail contacts and I nearly did this once because of the less than clear information on the page. So, for the people who are complaining, either:
1. LinkedIn tried using their LinkedIn password against their email login, or:
2. they misread the LinkedIn page and explicitly gave LinkedIn permission to mine their contacts.

note that option 1 implies that LinkedIn stores clear text passwords, contrary to claims made by LinkedIn in 2012 when some users' passwords were stolen.

Google Buzz (0)

Anonymous Coward | about a year ago | (#44911287)

Sounds similar to what happened with Google Buzz. What ever came of those lawsuits? Pretty much nothing, other than some lawyers walked away with a bit of money and Google had to agree to some toothless privacy audits.

Someone didn't read the screen, methinks. (5, Informative)

stereoroid (234317) | about a year ago | (#44911289)

I know LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them, but you can just ignore that. It isn't mandatory, but if you don't read what it says on screen, you might think it is. So I'm more inclined to suspect that's what happened: the complainant entered his email address and password when prompted, and now thinks he's been hacked.

Re:Someone didn't read the screen, methinks. (5, Insightful)

Greg01851 (720452) | about a year ago | (#44911301)

Exactly my thoughts. You can have LinkedIn import your email contacts for 'contact suggestions' https://www.linkedin.com/fetch/importAndInviteEntry?trk=nav_responsive_sub_nav_add_connections [linkedin.com] These people probably did this and forgot that they did so.

Re:Someone didn't read the screen, methinks. (2)

mapkinase (958129) | about a year ago | (#44911561)

> These people probably did this and forgot that they did so.

Actually that's about the only thing I remember now.

Since we are talking about LinkedIn, what do you guys do with the flurry of all those "endorsements" that started several months ago? I suspect those are just from people randomly pressing buttons on their screens, because I got those from people who have no idea what I am doing right now.

I feel uneasy not reciprocating to those but so far I am standing my ground. Maybe I am the black sheep of my network because of that....

Re:Someone didn't read the screen, methinks. (2)

nabsltd (1313397) | about a year ago | (#44911613)

Since we are talking about LinkedIn, what do you guys do with the flurry of all those "endorsements" that started several months ago? I suspect those are just from people randomly pressing buttons on their screens, because I got those from people who have no idea what I am doing right now.

I feel uneasy not reciprocating to those but so far I am standing my ground. Maybe I am the black sheep of my network because of that....

Like anything else concerned with my work history/resume, I treat it with honesty.

If I personally know somebody is really good at something, I'll endorse them. Otherwise, it doesn't matter how good a friend they are, I won't. To be honest, I'd like there to be a "negative endorsement" system, too. Since only direct links would be allowed to do this, it would make people only link to people they really have a connection to, and would keep people more honest about their skills.

Re:Someone didn't read the screen, methinks. (0)

Anonymous Coward | about a year ago | (#44911651)

I just endorse everyone for everything.
I mean seriously. It's a BS facebook clone. Anyone who takes the crap on there seriously deserves what they get.
The only reason I even have one is because they asked me to make one for work.
It uses my work email, so I don't care.

Re:Someone didn't read the screen, methinks. (4, Insightful)

Stan92057 (737634) | about a year ago | (#44911371)

Think about that for a second

" LinkedIn offers to read your existing email accounts for contacts, so that you can connect to them"

LinkedIn users are too stupid to email and connect to Their friends on Their own?? This isn't a service, it's an email address spidering scam

Re:Someone didn't read the screen, methinks. (1)

Skapare (16644) | about a year ago | (#44911447)

However, if LinkedIn can figure out where you login to to read your email, which is not hard to do, AND if you are logged in to your email when they try to login as you with the same browser, then THEY can get it because it is your browser that is logging in. Wanna see how that works? Login to your email, then press Ctrl+N and make a new browser, and login to your email from the new browser. Hint: it's just a window on the same browser.

They don't need your password.

Re:Someone didn't read the screen, methinks. (2)

radish (98371) | about a year ago | (#44911515)

Cookies are bound to domains, and JS isn't allowed to cross domains (same origin policy). So yes, you can open a new tab or window and get into your mail without a login, but no, another site in another tab can't just suck down that data. Well, unless they're using an XSS exploit or something, but that would be what they're being accused of :)
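
The same-origin rule described in the comment above, as an added example that is not part of the original thread: a simplified model of when a script on one site may read a cookie-authenticated response from another, with a webmail server's origin-reflecting CORS policy beside an allow-list one. All hostnames and function names are constructed for illustration.

```javascript
// Constructed sample URLs (placeholders, not real endpoints).
const WEBMAIL_PAGE = 'https://mail.example/inbox';
const WEBMAIL_CONTACTS = 'https://mail.example/contacts.json';
const OTHER_SITE_PAGE = 'https://network.example/invite';

// An origin is the (scheme, host, port) triple. URL.origin drops default
// ports, so https://mail.example and https://mail.example:443 compare equal.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Simplified model of the browser's decision: may a script running on
// pageUrl READ a response fetched with the user's cookies from responseUrl?
// Same-origin reads are always allowed. Cross-origin reads need the server
// to opt in through CORS response headers.
function scriptCanReadResponse(pageUrl, responseUrl, responseHeaders) {
  if (sameOrigin(pageUrl, responseUrl)) return true;
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  const allowCreds = responseHeaders['access-control-allow-credentials'];
  // For credentialed requests the wildcard "*" is not accepted: the header
  // must name the requesting origin exactly, and credentials must be allowed.
  return allowOrigin === new URL(pageUrl).origin && allowCreds === 'true';
}

// Weak server policy: echoes back whatever Origin the request carried,
// which opts every site on the web into reading authenticated responses.
function reflectingCors(requestOrigin) {
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
  };
}

// Hardened server policy: CORS headers are sent only for origins on an
// explicit allow-list; everything else gets no opt-in at all.
function allowListCors(requestOrigin, allowList) {
  if (!allowList.includes(requestOrigin)) return { vary: 'Origin' };
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    vary: 'Origin',
  };
}

// Runs one server policy against both pages and reports who can read
// the contacts response.
function evaluate(policy) {
  const requestOrigin = new URL(OTHER_SITE_PAGE).origin;
  const headers = policy(requestOrigin);
  return {
    ownPage: scriptCanReadResponse(WEBMAIL_PAGE, WEBMAIL_CONTACTS, headers),
    otherSite: scriptCanReadResponse(OTHER_SITE_PAGE, WEBMAIL_CONTACTS, headers),
  };
}

console.log('reflecting policy:', evaluate(reflectingCors));
console.log('allow-list policy:',
  evaluate((o) => allowListCors(o, ['https://app.mail.example'])));
```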

Re:Someone didn't read the screen, methinks. (1)

Skapare (16644) | about a year ago | (#44911689)

If only this level of security were true in all browsers and versions. Maybe some day it will be.

Re:Someone didn't read the screen, methinks. (1)

Zemran (3101) | about a year ago | (#44911897)

No, they do not even need to know your password. They have your email address as you have to give them one to open the account. With that they will access your contacts even with your password. You can change your password to try and stop them but they will still contact new people that you add to your contacts. I believe that there is collusion going on with Yahoo/Gmail/Hotmail etc.

Original posting? (1)

Coditor (2849497) | about a year ago | (#44911293)

The included post url no longer has any details, does anyone know of a copy?

Fuck class action (1)

wbr1 (2538558) | about a year ago | (#44911303)

If they accessed email accounts without consent, then it is criminal action, and should be treated accordingly. The managers who signed off on such behaviors and any techs who performed them or created tools to, should be charged and tried with whatever hacking statutes apply. Then the company should be made to pay the victims.

If we are going to be a 'nation of laws' then we need stop being hypocritical in their application. But of course, the law is typically made to bully the small guy to the betterment of the big guy.

Re:Fuck class action (2, Informative)

Stan92057 (737634) | about a year ago | (#44911443)

When we were students, all students said every morning

I pledge allegiance to the flag of the united states of America and to the republic which it stands one nation under god indivisible with liberty and justice for ALL.

Is a national embarrassment and a flat out lie. It's Liberty and Justice for all who can afford it.

Re:Fuck class action (0)

Anonymous Coward | about a year ago | (#44911489)

where is the watchdog with a byte greaterthanorequalto its bark?

criminal action involves cooperation with the police. the police who have often been bribed or "sweetened" by these IT crims giving them access to raw metadata without consent/warrants

Re:Fuck class action (1)

mysidia (191772) | about a year ago | (#44911885)

It is not hacking if you granted them permission [google.com] to do it.

Meh (0)

Anonymous Coward | about a year ago | (#44911305)

It's a BS lawsuit on technical merits - they weren't hacking, they just have registration flow where they ask to import your addressbook and then if you just click "next" then by default they invite everyone to your circle of contacts. Yes, spammy.. but you should read what you are clicking.

And they mention an ex-employee writing "hack" on their profile/resume as proof? Seriously..

Re:Meh (1)

Joining Yet Again (2992179) | about a year ago | (#44911403)

Click-through contracts are bullshit, just like read-through contracts where by reading to the end of this sentence you agree to give me $10,000.

Re:Meh (0)

Anonymous Coward | about a year ago | (#44911883)

It's not even a contact - it basically gives you a screen with "invite all these people?" with everyone from your addressbook checked and a "continue" button. If you don't click "unselect all" before clicking continue then you invite everyone.. just like it said it would.

Obligatory xkcd (0)

Anonymous Coward | about a year ago | (#44911307)

Password Reuse [xkcd.com] , September 13, 2010

LinkedIn.btz (1)

cookYourDog (3030961) | about a year ago | (#44911309)

Several viruses are notorious for this same practice. Address book harvesting is malicious, no matter the party doing it. Worse, LinkedIn cannot even keep your passwords safe.
http://www.wired.com/geekmom/2012/06/linkedin-data-breach/ [wired.com]
They didn't even use a salt with their hashes.

Time for serious repercussions (0)

Anonymous Coward | about a year ago | (#44911317)

I believe, in light of just how many corporations are actually, willfully dishonest and do the things they are accused, going forward, should corporations be found guilty, they should be legally dissolved and what's left over dumped into an escrow fund used to locate and dissolve other dishonest corporations. It's time people paid for their malfeasance. It's disgusting that corporations get away with what individuals cannot. Since corporations are now considered "people", shouldn't they be treated accordingly -- or are we too in love with capitalism to not crater the offenders...

Re: Time for serious repercussions (0)

Anonymous Coward | about a year ago | (#44911385)

At the very least, I call on all slash heads to cancel their accounts with this privacy violator, and for them to ask their nontechnical associates to do the same. As a publicly traded company, let's stick it to them where it hurts: their user count.

Data Mining or Cyber-Yenta? (3, Funny)

retroworks (652802) | about a year ago | (#44911339)

I certainly noticed LinkedIn had access to my email sent-lists, but after logging into it a thousand times it's hard to know for sure I didn't check, or fail to check, a box that comes up asking my permission to do so. It just takes one time. Maybe this case will succeed, I'm afraid I've succumbed to thinking we have no more privacy or right to cover our tracks than we did walking past gossipy women in medieval villages. LinkedIn, Google, and Facebook have become the modern day cyber-Yentas, sometimes aggravatingly meddlesome, sometimes making a lifelong connection.

Submitted by Anonymous Coward on Saturday September 21, 2013 @09:55AM. Oh shoot...

99% sure I can explain what happened here (5, Interesting)

JoyW (746243) | about a year ago | (#44911347)

This is a case of confusing UI defaults, I think, but given that *I* also got caught by it (and was mortified), even though LinkedIn isn't "hacking" anybody, I don't have a lot of sympathy for them (LinkedIn--have enormous sympathy with the users, even though I suspect their case won't stand up in court).

Here's what I think happened to me (as best I can remember...I'm not about to try to reproduce it): Yeah, sure, look for my contacts (provide Gmail username/password...all assurances are given they won't email anyone without your permission blah blah). LinkedIn shows you a list of a few dozen (IIRC) contacts in a frame (possibly those you most recently exchanged email with?); I deselected all of those and then carefully went through and selected a very small subset I actually wanted to "connect to." Once I've done that, I hit submit (or whatever) and get some confirmation, "We're going to send the invite, okay?" Yeah, sure...it's only sending to a few people, right? SOMEWHERE on that confirmation (again, IIRC) is a checkbox that alludes to the fact that, oh? All the contacts you DIDN'T unselect--IN YOUR ENTIRE CONTACTS LIST--are gonna get an email. Got to the next screen and it said something like "200 emails sent" and the expletives flew. (I can see missing that message...it was small.) Of course I was doing this process while I was watching TV or something--it didn't have my full attention--but the behavior was SO counter to my expectations of opting-in I was floored.

I can see why users would think LinkedIn "stole their contacts when their email was left open"--they're thinking that subset-selecting frame is the only time LinkedIn is (transparently) accessing their account (and therefore shouldn't do anything with contacts that don't appear in that frame, which makes sense in terms of user expectation).

Re:99% sure I can explain what happened here (0)

Anonymous Coward | about a year ago | (#44911499)

I think they are complaining about email session hijacking.

Re:99% sure I can explain what happened here (0)

Anonymous Coward | about a year ago | (#44911615)

I think they are complaining about email session hijacking.

They do it all, any angle they can think of to trick, scrape, or otherwise harvest addresses. And when those people you "invited" don't show up and sign up, guess what happens? They create a bot account with the information and use it as a source for more. This way they inflate the number of 'active user accounts' and appear more popular than they really are.

Re:99% sure I can explain what happened here (0)

Anonymous Coward | about a year ago | (#44911731)

The same thing happened to me, adding contacts such as: The boss that fired me, my ex girlfriend etc etc. Maybe there was some fine print somewhere, but at the very least it is intentionally misleading.

LinkedIn is a joke (4, Funny)

paiute (550198) | about a year ago | (#44911389)

When random people I know only slightly and who don't know my skill set are allowed to "endorse" me for knowledge and training they don't know that I have, it makes the whole of LinkedIn worthless to me except as a source of phone numbers. And often those are not even available. It has become Facebook with a clip-on tie.

Re:LinkedIn is a joke (-1)

Anonymous Coward | about a year ago | (#44911505)

Ooooh, do you have a 'skill set'? How very trendy of you.

Re:LinkedIn is a joke (0)

Anonymous Coward | about a year ago | (#44911521)

Yep, and the whole thing is just as fraudulent and scummy as you'd expect. I was getting emails from a former contact that joined (who would have required a rather poor endorsement from me if I was being accurate about him), and I was sick of getting them every week. I looked for an unsubscribe link, but the only way to do so was to sign up. Since that isn't required for the CAN-SPAM act I sent linkedin an email specifying that I would take action under said act unless they added my address to their blacklist and I received exactly one email after that apologizing for the inconvenience and never received another email from them on that email address.

Re:LinkedIn is a joke (1)

Zero__Kelvin (151819) | about a year ago | (#44911549)

How is that possible? I have a LinkedIn account I never really use, but I thought you had to accept someone's invite before they could recommend you, etc. Is that not the case?

Re:LinkedIn is a joke (1)

nabsltd (1313397) | about a year ago | (#44911645)

How is that possible? I have a LinkedIn account I never really use, but I thought you had to accept someone's invite before they could recommend you, etc. Is that not the case?

Yes, that is the case...a direct link to someone is required to endorse them.

Unlike Facebook, unless you really know these people directly, you shouldn't be linked to them. The whole point of LinkedIn (and what got me my current job) is that you use the people you do know to connect to someone you don't so that you can then develop a real relationship with them to help you in your business (either by getting you a job or by finding someone you can hire). It's just like having your friend introduce you to someone at a party.

Re:LinkedIn is a joke (0)

Anonymous Coward | about a year ago | (#44911667)

It's true. I too got emails from them. One from a client that I worked with and another from someone in another state that I met while doing temp work. At least the former talked to me often, the latter only knew me for less than a month. I thought they were scraping the barrel trying to find contacts reaching out to me then I kept getting the mails to "join now" so I knew that it was an automated system doing it. They stopped after around 6 emails. Everyone who knows me is aware that I don't use Facebook, Twitter, or LinkedIn and any other social media site. Same situation, I tried to find a way to remove my email from the list, all it offers is for you to join so I ignored them after that and reminded myself WHY I'm not using social media.

Account just deleted. (0)

Anonymous Coward | about a year ago | (#44911397)

Good riddance.

Filter them to trash (1)

GWXerog (3151863) | about a year ago | (#44911461)

After a few months of receiving automated emails from Linked-in on behalf of people I had worked with, I finally created a filter to send them to trash. Most of the people I talked to could not remember giving consent to Linked-in to use their contact lists. Hopefully major email providers will just start sending the emails to spam by default.

Re:Filter them to trash (1)

Luthair (847766) | about a year ago | (#44911723)

You should flag them as what they are: spam. If this is done regularly the filters might pick up on it, along with blacklists.

I simply don't do any email from the browser ... (1)

Skapare (16644) | about a year ago | (#44911503)

... I use to login to LinkedIn. That way THEIR web client code can't get into my web based email (more than one site) using holes in the browser. For each site I have configured, there is a separate virtual HOME directory the browser is using, so things like cookies and browser processes are fully separated. I can log in to LinkedIn with one process and log in to Gmail with another process and there's no information going between. I can even login to 2 or more different Gmail accounts at the same time using this kind of separation (normally one would have to use separate userids or separate machines).
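The per-site separation described in the comment above, as an added sketch (not the commenter's own setup or code from this page): each site name maps to a private HOME directory and the browser is started with only that HOME in its environment. `ISO_ROOT`, `BROWSER_CMD`, `site_home` and `launch_site` are names assumed for this example, and an X11 session is assumed.

```shell
#!/bin/sh
# Per-site browser isolation: every site gets its own HOME, so cookies,
# caches and profile data live in separate directory trees.
# ISO_ROOT and BROWSER_CMD are assumptions of this example.
ISO_ROOT="${ISO_ROOT:-$HOME/.browser-homes}"
BROWSER_CMD="${BROWSER_CMD:-firefox}"

# Accept only simple names, so a site label can never escape ISO_ROOT
# (no slashes, no leading dot, no shell metacharacters).
valid_site_name() {
    case "$1" in
        ""|.*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Create (if needed) and print the private HOME for one site.
# The directory is mode 700 so other local users cannot read the cookies.
site_home() {
    valid_site_name "$1" || { echo "bad site name: $1" >&2; return 1; }
    dir="$ISO_ROOT/$1"
    ( umask 077; mkdir -p "$dir" ) || return 1
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Start the browser for one site with a scrubbed environment: env -i drops
# everything, then only HOME, PATH and the X11 display variables are passed.
launch_site() {
    site="$1"; shift
    home=$(site_home "$site") || return 1
    env -i HOME="$home" PATH="$PATH" DISPLAY="${DISPLAY:-}" \
        XAUTHORITY="${XAUTHORITY:-}" "$BROWSER_CMD" "$@" &
}

# Example (constructed): launch_site linkedin https://www.linkedin.com/
#                        launch_site gmail    https://mail.google.com/
```

Some browsers hand a new launch to an instance that is already running; with Firefox, passing `-no-remote` as an extra argument to `launch_site` keeps each HOME in its own process.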

Re:I simply don't do any email from the browser .. (1)

Quinn_Inuit (760445) | about a year ago | (#44911551)

I'm curious, would 2-factor authentication (a la Gmail) prevent them from accessing your account, or is this a XSS or browser session hijacking problem?

Re:I simply don't do any email from the browser .. (1)

Skapare (16644) | about a year ago | (#44911711)

A truly fully secure browser would prevent them from even knowing if you use email at all, and certainly not let them get to your email.

Dead mom (0)

Anonymous Coward | about a year ago | (#44911517)

Yeah, something similar happened to me. Fortunately, email did not go out to my contacts, but somehow, LinkedIn got access to my contacts in my Google account. It could be that I offered them access, but that is not something I would ever knowingly do.

The sad thing is that LinkedIn still occasionally prompts me to connect with my mom's email account. Sadly, she has been dead 4 years. I miss her every day. It is like a little kick in the gut.

My 72 year old mom had almost no visibility on the net. We don't share the same last name, I have not lived with her for 30+ years. I've seen other names come up in LinkedIn that could only be via my Google contacts.

LinkedIn provides a slightly useful product, but they have gone too far.

Re:Dead mom (0)

Anonymous Coward | about a year ago | (#44911603)

The proper thing at this point given Linkedin's misbehaviors over the years is to stop using it.

But people generally won't, because people are generally sheep who just follow the rest of the herd.

Re:Dead mom (4, Interesting)

nabsltd (1313397) | about a year ago | (#44911697)

I've seen other names come up in LinkedIn that could only be via my Google contacts.

Or, LinkedIn could just have an insanely good algorithm. I was recently presented with a "someone you might know" when I logged in to LinkedIn, and I did know them, but I have no clue how LinkedIn figured it out.

They had just joined LinkedIn in the past week. They used a different e-mail address (different provider/domain) from the one I contact them with and the e-mail address they contact me with isn't the one that LinkedIn has for me. I don't use any webmail (host my own e-mail and access via imap) and so LinkedIn can't get any contacts from me, even if they did "hack my e-mail" (which is unlikely as my e-mail username isn't the e-mail address they have for me and the password for my actual account isn't the same as my LinkedIn login). All of their links at the time were people from their new work (I don't work with them...they are just a friend).

So, basically, LinkedIn had no direct way to connect us, yet it did.

Definitely (0)

Anonymous Coward | about a year ago | (#44911583)

I have noticed people in the "You May Know" list that I corresponded with ONCE, ONLY in email, and on another account - and, I have *never* given them any passwords, and my password for LinkedIn is unique. They are DEFINITELY reading email servers from somewhere.. it was irritating to notice that.. I don't like it..

Something Odd (4, Interesting)

smillie (30605) | about a year ago | (#44911621)

Linkedin suggests numerous names of people I know but have never exchanged emails with. It even suggested the name of my kid's girlfriend and kid's last name doesn't match mine and we have no common links on linkedin. I've limited my links to old co-workers from AT&T, no family, no friends. There is no possible way they could have accessed my email because it requires an ssh login to a firewall server with a different userid and password, then an ssh connection to the mail server with yet another password. Those passwords are also different than my linkedin password. I'm not on any social media sites except linkedin and slashdot. Neither my slashdot name nor password matches linkedin name or password. There has to be some data mining going on but it's not through email and not through any other social media. I have noticed that others from the companies I've worked for have shown up in the suggestions including people I've never met. I'm not sure why they keep suggesting Texas people who worked for AT&T when I've only been in Michigan. It looks like they could have gotten my email contact list but I know they couldn't have. So I'm thinking that others seeing their email contacts show up might just be mistaken on how linkedin got the names.

Re:Something Odd (0)

Anonymous Coward | about a year ago | (#44911847)

THIS - very similar situation but I have for some time now suspected them of hacking into unsuspecting users' email accounts. How else would they know doctors, lawyers, and business associates I've worked with despite all my email safeguards?

Re:Something Odd (1)

chihowa (366380) | about a year ago | (#44911899)

The answer is likely "the other people". You know how Facebook knows everything about you despite not having an account? Other people search for you (establishing that they know you), tag you in pictures (establishing what you look like), helpfully give up your phone number, and so on...

These doctors, lawyers, and business associates have likely searched for you on LinkedIn and that's how they know. (Or they volunteered their address book and you're listed in it.) Good security practices and social networking don't go hand in hand.

They scrape gmail (1)

Anonymous Coward | about a year ago | (#44911633)

I know they do this. I have different passwords and have never given them permission to access my email to check for contacts. I know it's gmail because I use gmail as a secondary address and lo and behold I was asked if I wanted to connect to assholes who have stiffed me for rent money and I have never worked with. Assholes who I have had no contact with in 5 years. More likely Google sells them the info or maybe google owns a piece of them.

I personally know LinkedIn does this. (0)

Anonymous Coward | about a year ago | (#44911893)

I once sent an email to a Service Manager at a local repair shop. She had recently been through a traumatic experience and I wanted to send her my sympathies. We exchanged an email or two and never communicated again.

A year later I received a blatant robo mail from her account with "her" requesting me to be added to her professional network. I then began to receive spam from them which helpfully let me remove my email BY LOGGING IN AND SAYING NO.. Right. So, I'm going to sign up for their service to tell them NOT to bug me?

Took about two weeks for them to de-list me.
