
LinkedIn Customers Allege Company Hacked E-Mail Addresses

40 points by Fourplealis, over 11 years ago

9 comments

dror, over 11 years ago
Here's how they do it. Various times LinkedIn provides me with a form to "import" my contacts from my Gmail account.

This dialog looks very similar to the login form to the site. If you use the same password for both sites (I don't), you might be thinking that you're logging in, when in fact you're bringing in everyone in your address book. Not sure if they then automatically spam everyone on your list or not.

LinkedIn clearly has crossed over to the dark side since they went public. They keep reducing their free services and pushing harder and harder to try to get you to sign up for "premium" accounts. It's time for an alternative.

tedunangst, over 11 years ago
“LinkedIn pretends to be that user and downloads the e-mail addresses contained anywhere in that account to LinkedIn’s servers,” they said. “LinkedIn is able to download these addresses without requesting the password for the external e-mail accounts or obtaining users’ consent.”

I am so hoping the case goes to trial so we can see the evidence of this presented.

jmathai, over 11 years ago
I'm not sure how LinkedIn does it but their "recommendations" are very spooky.

I get some really odd ones like the property manager we pay rent to. I've only ever emailed or called him.

I presume he gave LinkedIn access to his email contact list but based on the number of these creepy recommendations a lot of people I email with must do it.

Even more spooky are the recommendations to connect with people I don't know but have names that match people I do. Anyone know how they do this?

elleferrer, over 11 years ago
Here's my 2 cents... maybe they'll settle and walk away with some cash. I too would love to see the evidence of this presented.

In today's world - individuals' data is the digital goldmine for any company.

LinkedIn is a publicly traded company (LNKD), like any publicly traded company their main goal would be profits, plus assets like customer data, etc.

This info can be seen in their financial statements: http://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=LNKD

Nowadays it's common practice for our digital footprints and identities to be designed/built/directed so that before we can gain access to a company's services, data or content that we would need to read and agree to the terms & conditions and the privacy policies, etc.

This info can be seen in LinkedIn's:

Terms and Conditions http://www.linkedin.com/legal/user-agreement?trk=hb_ft_userag

Privacy Policy http://www.linkedin.com/legal/user-agreement?trk=hb_ft_userag

Cookie Policy http://www.linkedin.com/legal/cookie-policy?trk=hb_ft_cookie

What, you mean I'm supposed to read those things? Yes.

bowlofpetunias, over 11 years ago
Here's what may have happened: when you go to LinkedIn, you regularly get shown a box (inline) inviting you to do something, like endorse people's skills.

One of those boxes invites you to "grow your network". It's not all that explicit as a call-to-action, as in the text may just be a slogan. The main focal point of that box is a login & password form, which looks exactly like the regular login form that users get when they want to do something that requires explicit re-authentication.

In other words: it's common to have to enter your login/password on LinkedIn, this looks a bit like one of those cases, so users will blindly start typing. If they use the same email/password combo for their email account as for their LinkedIn account, then they've just given LinkedIn access to that email-account.

The box itself is quite deliberately misleading. Unlike the regular invitations to load your address book, there are no Google or Yahoo logos, and no explicit descriptions.

I don't know whether there is a more explicit request for permission at the next step before it starts sucking in contacts, I don't dare enter a valid password.

If there is a next step that requires explicit confirmation, then this "trap" (which it quite obviously is) is merely annoying and a bit scummy.

If there isn't, I think they have a good case, because this would basically be phishing in reverse.

auctiontheory, over 11 years ago
Some LinkedIn apps ask for pretty extensive permissions: https://news.ycombinator.com/item?id=6014842

jka, over 11 years ago
LinkedIn provided a pop-up window which, in small print, if you had logged in via Google or Facebook, notified users in legal terms that their e-mail contacts could (potentially, under some circumstances) be accessed.

Thus, in legal proceedings, the user was entirely informed of the possibility of this situation arising.

For future users, this sets a precedent that users are aware of the terms and conditions (as they have always been), and no further accidental leaks of personal information will occur.

dobbsbob, over 11 years ago
Yet another scummy social media spying site I'm happy to have never signed up/used for anything. The vast majority of jobs I've found were idling in the local hack space IRC room with ~300 developers and engineers who dump openings, joint ventures and paid projects there first before the usual channels.

nwh, over 11 years ago
Would be pretty easy to test. Make an account with an email address pointed at a server you own, tail the logs and wait for the inevitable HELO from LinkedIn with the same credentials. Busted.