LinkedIn sues 100 information scrapers after technical safeguard fail

Microsoft-owned LinkedIn has filed a lawsuit in California against 100 unnamed individuals who circumvented its security technology to harvest data from its network of 400 million people. The lawsuit claims that the individuals used a specially created botnet that has been collecting data from the site since December 2015 and …

  1. Adrian 4

    I thought the point of Linked In was to broadcast your details to potential employers and customers.

    1. Chris G

      "I thought the point of Linked In was to broadcast your details to potential employers and customers."

      Exactly! but not to Canadian Viagra sellers and spammers from Vietnam who allegedly will do anything for you.

      1. bombastic bob Silver badge
        Devil

        "but not to Canadian Viagra sellers and spammers from Vietnam who allegedly will do anything for you."

        Nor any potential 'investors' from Nigeria or South Africa

        1. AndrueC Silver badge
          Joke

          Nor any potential 'investors' from Nigeria or South Africa

          Gives me an excuse to link to one of the sillier Dilbert cartoons.

          :D

    2. Dead Parrot
      Devil

      Well, that *was* the purpose. Now the purpose is to provide profiling data to the advertising department, and they don't want anyone else getting that - or showing up the inevitable security holes.

    3. Anonymous Coward
      Anonymous Coward

      In other news, I wonder how long LinkedIn will hold up now that MSFT is in the process of acquiring them and has already said they will use profile info to feed their CRM product. The real gold of LinkedIn are the C-Levels and other high demand big shots. Sales people want to find them, recruiters want to find them, job seekers want to network with them. If those people all say, "woah, we didn't enter our info to be thrown into a sales DB for any company MSFT can sell CRM to" and delete their profiles, the whole thing is kind of worth less. Not completely worthless, but definitely worth less. If the big shots leave, the recruiters and sales people are soon to follow.

    4. Anonymous Coward
      Anonymous Coward

      Oh dear no, the point of Linkedin is to make money for Linkedin.

      While it may be useful for the kind of person who likes Linkedin I know of nobody who has had anything other than spam and wheedling emails from Linkedin.

      1. Anonymous Coward
        Anonymous Coward

        Well naturally the point of a company is for that company to make money, but their value proposition was handing out access to the big shots to people who wanted to find the big shots... that's what people were paying for. If MSFT turns this into a sales/recruiting spammer, they could overplay their hand and take the entire thing down. The Outlook integration piece only made sense in MSFT land, as they apparently did not recognize that LinkedIn has already created a Chrome extension which does the same thing with Gmail.

  2. Anonymous Coward
    Anonymous Coward

    Thank God..

    .. I keep but the barest amount of data on LinkedIn..

    1. bombastic bob Silver badge

      Re: Thank God..

      "I keep but the barest amount of data on LinkedIn.."

      don't forget to clear your browser history before logging in, and after you leave (especially cookies). A few years ago they started doing the "tracking thing" like Face-barph and Tw[*]tter. So if I need to log in there for some reason, I have a "special browser" that clears ALL history and cookies on exit, every time. Open it up, go to LinkedIn, do 'whatever', close the browser. *ZAP* and no tracking.

      1. Dabooka

        Re: Thank God..

        Good Lord, don't you just do that sort of thing anyway?

        It's why I'm not a huge fan of tabbed browsing, much rather have a few instances of different browsers open, all in private mode. Once I've bought / browsed / downloaded, close it down and reopen again when I need to go elsewhere. It's about the only defence I have here at work to be honest.

  3. JassMan
    Trollface

    If I wanted a job at any company

    I would email/phone them directly. I wouldn't put all my private info on a site and hope that they saw my details amongst 100K others and somehow decided I was the one they wanted. Especially one owned by those well known security specialists, M$hite. Anyone who gets spammed after putting their details where all and sundry can read them deserves all they get. Not that spammers shouldn't be hung, drawn and quartered after having the red hot poker treatment, but that is a different topic.

    1. Anonymous Coward
      Anonymous Coward

      Re: If I wanted a job at any company

      JassMan, our automated CV scanner picked up the keyword "M$hite", and we'd like to offer you a position.

      1. Nolveys

        Re: If I wanted a job at any company

        "You're just the cynical asshole we've been looking for. Welcome aboard!"

    2. Number6

      Re: If I wanted a job at any company

      You'd be surprised how many recruiters do search LinkedIn. If you pay them money then you can get all sorts of access and search features. I get a regular stream of pings from that source, some of them are even interesting, and I have to admit that my current job is due to that source.

      1. Anonymous Coward
        Anonymous Coward

        Re: If I wanted a job at any company

        You'd be surprised how many recruiters do search LinkedIn.

        You'd also be surprised at how many recruiters hang on to old CVs in direct defiance of Data Protection laws that mandate keeping information up to date. The next idiot that calls me with a job offer will get a formal request to erase all my data, with a maximum of 1 week to formally confirm they've done so or they'll be talking to the equivalent of the Information Commissioner in their country.

        I'm not kidding - it's been like 10 years since I sent out my last CV and I still get offers for security positions.

        1. VBF

          Re: If I wanted a job at any company

          I agree with that one. I've got a headline on my LI profile saying in UPPER CASE "NO AGENCIES PLEASE" and the emails continue to trickle in. I now reply with a standard polite request to remove me from their database and a not-so polite threat to invoke the DP act if they don't. Having said that, I do still allow some of the Group updates from LI and I have, over the years made some useful contacts - about 10% of all the actual contacts!

        2. Lotaresco
          FAIL

          Re: If I wanted a job at any company

          "I'm not kidding - it's been like 10 years since I sent out my last CV and I still get offers for security positions."

          I'm a reasonably well known security consultant. I have to fight off customers with a stick, I'm always busy. I don't need recruiters to offer me jobs. Like you, they still manage to dredge up old copies of my CV and I get bizarre job offers.

          There doesn't seem to be any intelligence in the process, they just scan CVs for key words then send a job offer. I've had all sorts of offers from warehouse assistant (presumably from a partial match on data warehousing) through "bouncer" (security) to one that was on target asking me to be the CSO for a startup... at a salary that was about 1/10th of my current salary. That last presumably shows that they don't even benchmark salaries against industry averages.

          Recruiters, all of them destined for the "B" Ark when the star goat comes.

  4. David Schmidt
    Windows

    Various and sundry

    ...connection requests are coming in lately from people I've never heard of before - maybe this is why? And I really should update my profile so I don't keep getting recruited for jobs I held 10 years ago.

    1. Rafael 1

      Re: people I've never heard of before

      That's 90% of the e-mails I got from LinkedIn: "Harold Floobermann wants to connect with you"...

      1. Mark 85

        Re: people I've never heard of before

        So how is Harold doing these days? I haven't heard from him seemingly forever.

        1. Anonymous Coward
          Anonymous Coward

          Re: how is Harold doing these days

          Retired, and apparently spends his days in Linkedin asking random people to connect with him. Sad, lonely geezer.

      2. Anonymous Coward
        Anonymous Coward

        Re: people I've never heard of before

        That's 90% of the e-mails I got from LinkedIn: "Harold Floobermann wants to connect with you"...

        That's the funny thing - I get those also for a fake profile. I know for certain the name doesn't exist, but I "made" this fake work at a well known bank in some sort of VP role (banks have loads of those, so that drowns in the sheer volume). You have no idea how many people not only want to connect, but then also attribute skills to my entirely fictitious person - just goes to show how much you can rely on that and how much brown nosing replaces reality..

        1. allthecoolshortnamesweretaken

          Re: people I've never heard of before

          Can I get a reference from your fake profile for my fake profile? Preferable for outstanding HR work?

    2. Anonymous Coward
      Anonymous Coward

      Re: Various and sundry

      You mean that guy in Dubai I'd never heard of didn't actually want to connect with me?

      I don't care if you have 2000 other people connected, you want to connect with me for no reason, you get blocked and reported as spam.

  5. Borg.King

    Class action likely?

    So LinkedIn say the protection we thought they had implemented wasn't actually working and they divulged account details as a result.

    Hmmm.

  6. Anonymous Coward
    Anonymous Coward

    Unique IP's were used for every fake user or no IP checks...?

    ~ How did the slurpers mask their IP's, using infinite VPN's??? Either way, it seems like an unforgivable oversight by 'Linked-Out'.

    ~ MS bought a dog with fleas, horrible horrible disclosure... It's all too late for dedicated users of the service too.

    ~ It's also an understated but textbook example of why you just can't trust or assume anything about Social-Media or the Cloud...

    1. a_yank_lurker

      Re: Unique IP's were used for every fake user or no IP checks...?

      Slurp bought a mangy dog with fleas or did Slurp infest the cur with fleas?

    2. Anonymous Coward
      Anonymous Coward

      Re: Unique IP's were used for every fake user or no IP checks...?

      ~ How did the slurpers mask their IP's, using infinite VPN's??? Either way, it seems like an unforgivable oversight by 'Linked-Out'.

      A basic bot-net will give you access to a few tens of thousands of unique IP addresses.

      1. Dan 55 Silver badge

        Re: Unique IP's were used for every fake user or no IP checks...?

        It says in the article... Cloudy VMs.

    3. Anonymous Coward
      Anonymous Coward

      Re: Unique IP's were used for every fake user or no IP checks...?

      Give Microsoft a chance, they are only a few months in.... Your existing LinkedIn login will be changed out for a Microsoft Live/O365 identity, but I don't know how they are going to block the recruitment companies and those photos of people who have changed their lives by posing for a photo holding an A4 hand-written message. Azure Machine Learning maybe?

      1. Anonymous Coward
        Anonymous Coward

        Re: Unique IP's were used for every fake user or no IP checks...?

        Give Microsoft a chance, they are only a few months in

        Yes, it shows. They still had to put some effort in to hack it. Not like the hash they made of Hotmail, for instance.

    4. Anonymous Coward
      Anonymous Coward

      Re: Unique IP's were used for every fake user or no IP checks...?

      ....."It says in the article... Cloudy VMs"

      That says little about the range of IP's / domain names used. If they were all primarily Cloud based they'd have similar ranges of IP's from AWS / Google / MS instances, which would set off Alarm Bells....

      ....."A basic bot-net will give you access to a few tens of thousands of unique IP addresses"

      Seems the most likely. But Bot farm IP ranges show up in security alerts, which you'd expect Linked-In to have a paid subscription to...

  7. Anonymous Coward
    Anonymous Coward

    The next time....

    A Company / Corporation HR Dept or a Head-Hunter / Recruiter asks why I don't list a profile on there (like a slur), I'm going to point them to this very article...

  8. Anonymous Coward
    Facepalm

    I dont have a Linkedin account

    Yet they still managed to send me a link request last week - from a known local fraudster!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: I dont have a Linkedin account

      I don't have one either but I regularly get 'invites' from people who I have dealt with.

      My assumption is that Linkedin have got permission by some means to search their contacts and then spam anyone who is in the list but not already a victim/member of Linkedin.

      I base this on the number of unsolicited invites I get from people who I have recently exchanged details with who are Linkedin members but deny inviting me, there is a pattern...

      Fuck all so called social networks, we don't need them and we certainly don't want them, most people just haven't realised this yet.

      1. MrDamage Silver badge
        Big Brother

        Re: I dont have a Linkedin account

        > "My assumption is that Linkedin have got permission by some means to search their contacts and then spam anyone who is in the list but not already a victim/member of Linkedin."

        BWAHAHAHAHAHAHAHAHA. You thought LinkedIn asked for permission before slurping your contacts.

        It was the reason why I deleted my account years ago. Accidentally clicked on a link in an email they sent me instead of right-click -> copy link location.

        Next thing I know, I've logged in, and every single one of my email contacts comes up with LinkedIn asking me if I wanted to ask them to connect with me.

        Fuck'em. Fuck'em right in the ear.

        1. The Islander
          Headmaster

          Re: I dont have a Linkedin account

          "BWAHAHAHAHAHAHAHAHA. You thought LinkedIn asked for permission before slurping your contacts"

          "Next thing I know, I've logged in, and every single one of my email contacts comes up with LinkedIn asking me if I wanted to ask them to connect with me."

          Am I being a piss-ant pedant or did you just say they do actually ask for permission ..? Annoying process to be sure, but at least they do ask beforehand rather than just slurp

        2. Anonymous Coward
          Anonymous Coward

          Re: I dont have a Linkedin account

          "Next thing I know, I've logged in, and every single one of my email contacts comes up with LinkedIn asking me if I wanted to ask them to connect with me."

          Well, you've clearly saved your password and you've agreed in the past to let them have access to your contacts.

          I know, as mine asks for my password every time and there is a big banner asking me to enter my email address and permission to use my contacts.

          1. GrapeBunch

            Re: I dont have a Linkedin account

            "Well, you've clearly saved your password and you've agreed in the past to let them have access to your contacts."

            If you say so, but could it be something as simple as them slurping my password because I opened google Contacts in a different tab in the same browser window ... or could they even have paid google gmail for my contacts list? Or was I tricked? Yes, I told LI an email address, but I did not knowingly authorize them to access it nor give them my password.

            I work in a field so obscure and unremunerative (spell checker says that isn't a word) that I don't get any of the spam job offers that others have reported. So maybe the joke's on LI. Having somehow revealed my contacts list to LI, I am very careful NOT to invite people unless I'm sure they already have an LI account. LI tells you that. They could be fooling me, but that's a subject for another day.

      2. katrinab Silver badge

        Re: I dont have a Linkedin account

        It constantly asks you for your email password so that it can read your emails and contact list for that purpose. If it doesn't constantly ask you, that is probably because you already gave them it.

      3. Anonymous Coward
        Anonymous Coward

        Re: I dont have a Linkedin account

        This could be it, I did originally contact this guy for some building work. (he had ripped off a genuine builders "RatemyBuilder" profile).

        He took the deposit, then made excuses not to turn up and do the job for nearly 6 weeks after the quoted start date, at which point I named a few unsavoury characters I knew, and got the money back.

        Remarkably, the cheque didn't bounce (REALLY unsavoury characters).

  9. Mark 85

    One would have thought that MS would have done due diligence on the security of LinkedIn's servers... If they did and approved it, I do have to wonder with all the gold to be mined from Microsoft, that they haven't been hit... yet.

  10. VulcanV5

    Dyslinkia

    Occasionally I have trouble with idiot companies and their CSs so find it necessary to email the CEO. Digging around on the 'Net to track her / him down inevitably involves the absurd self-promoting self-satisfied LinkedIn, where all those with delusions of adequacy speak unto others of similar fragility. What's notable about the aforementioned idiot companies is that their managements have some of the longest CVs on LinkedIn. Where my own company is concerned, our employment policy is liberal and fair minded, and our view that a candidate with a LinkedIn profile is most likely to be deranged, incompetent, mendacious or a complete Twatter, eminently reasonable.

  11. Pascal Monett Silver badge

    "[..] some of the security procedures [..] to stop just this sort of attack."

    Ah, LinkedIn. What do you expect when security was the last bullet-point of discussion in the last meeting about specifications before coding this "social" monstrosity ? And it was punted to the meeting after beta, to be discussed when you had a product sucking the clueless in.

    Security was never your focus, it's the add-on that you have to bolt on to the sides to make it seem worthy. Experience demonstrates that such an attitude fails regularly. And I don't see your new owner making the situation any better.

  12. Anonymous Coward
    Anonymous Coward

    The reason they got hacked is very, very obvious ..

    .. they had to be made Microsoft compatible.

    Making things unsecure is part of the Microsoft integration process. The next stage is destroying the UI so even that last bit of usability is destroyed. I'm quite interested to see how they'll implement a web ribbon.

    By the way, do remember that this is the company that wants you to store all your valuable data in their cloudy thing and process this with online software? Just in case you forgot...

  13. Felonmarmer

    Horse / Stable / Bolt

    Seeing as their security features work by analyzing user behaviour surely they can only work by identifying dodgy accounts after the event, by which time a new dodgy account has been set up.

  14. Anonymous Coward
    Anonymous Coward

    Was a captcha or the recaptcha being circumvented in the process?

    just curious :)

    1. Falmari Silver badge

      Re: Was a captcha or the recaptcha being circumvented in the process?

      Maybe you just missed it Quote:-

      "Despite all these protections, the data thieves managed to get around them all by setting up systems that could start multiple bogus accounts – bypassing the CAPTCHA mechanism designed to stop this."

  15. Joseph Haig

    Pot? Kettle?

    How about going after those who incessantly send unsolicited invites and reminders to people who have no interest in joining their social media site but happen to be in the email address book of someone who accidentally clicked the "spam everyone I know" button?
