From the article it seems that you can just create a free account and query your own name.
> In order to test whether or not the data belonged to PDL, we created a free account on their website which provides users with 1,000 free people lookups
Google are jointly liable for this service, so if you can't find a contact point, then you can email google with the service IP. They will more than happily point you on to the customer to avoid being taken to court.
They list 2 companies as owners of the data in the article. I guess there would be a good place. I'd love to do that but I'm not on the eu.
But the article says that's possible the actual leak comes from a customer or former customer of these companies and the actual ownership is so far a mistery.
People Data Labs privacy policy:
3. ACCESS TO AND CONTROL OVER INFORMATION
A person may do any of the following at any time by contacting People Data Labs at support@peopledatalabs.com. People Data Labs will reply to a person’s request within five business days.
A. Access any information we have on them, if any.
B. Change, correct, or delete any information we have them, if any.
C. Express any concerns about People Data Labs using their information.
People Data Labs' team will act swiftly upon a person’s email request to change, correct, provide, delete, or explain anything a person query.
People Data Labs understands if a person would like to opt out of People Data Labs' database. Opting out will stop all data sharing and enriching of all PII in People Data Labs servers for that person. Click here, if you would like to opt-out, or choose to have all data about you removed from People Data Labs' database.
For https://www.oxydata.io/:
Review and changes to your information
Contact us at sales@oxydata.io to find out what information we have collected about you, and to request any changes to or deletion of it.
Also it seems like theres a service like this called Delete Me, but it also seems like theyre a manual opt-out shop. Would be cool if you could find a way to not have humans doing it. Bet they're just having people on amazon mechanical turk fill these out or something like that.
https://joindeleteme.com/how-we-work/
Well then thats the trick. A legal research team that develops the form for as many sites as you could find, and then a mechanism to send that form filled with each users data to those sites.
Like, what more do they need than disambiguating identity info and a declaration that I'm opting out? E.g. name and DOB?
My only fear is that you're now sending this all to them, but in 2019, we can safely say your name+DOB+address isn't a secret. Or national identity number if that's a thing in your jurisdiction.
It's a legit service. I use them and they did ensure that my data was removed from the services they specified. Obviously I'm just some person on the internet so my statement has no intrinsic credibility, but I believe they were also validated in a nyt article awhile back.
Actually working on that project right now - www.thekanary.com. Super early stage but have a big list of brokers and opt out links that I'm automating. Would love early feedback.
Look at the personal record that was in the article. It looks like aggregated public information. And look at what the companies referenced in the DB do.
It's possible there's someone selling them so not-quite-public info, too, but it's probably more like phone numbers and less like private messaged on Facebook or Linkedin.
The title reads like data from 1.2B profiles was leaked by Facebook and Linkedin, but this looks like scraping public profiles from them.
Yes, there are dozens of these data enrichment companies. They scrape public sites and use browser extensions, SaaS tools, inbox addons, etc. They mix it together into profiles, and pretty much have the same dataset by now.
Yep! And as someone who has worked with these data sets and worked on the scraping tools on services like LinkedIn, a lot of the data is outdated, incorrect, or mixing together different entities with the same name into one person or splitting the same person into separate entities incorrectly.
I mean, this is literally just a leak of data that People Data Labs is selling to anyone who signs up to their service. The 'leak' is just bypassing their payment requirements, so by definition all the data leaked is available for purchase.
It appears to also contain information possibly acquired from other companies. For example, the author notes that he had attributed to him a phone number he had assigned to him by AT&T that he never used or shared.
Yeah, I'm wondering if this is all scrapped public data or a breach of some kind. Are land line phone numbers published in a directory (like a phone book) in USA?
Back in the day (maybe it is still this way) your landline was default "listed" and you had to pay a monthly fee to be an unlisted number. So AT&T most likely listed his number in some kind of phone book / directory.
Yeah. Email addresses? Phone numbers? All of that is practically public at this point anyway. This article is crying wolf. Someday there is going to be a massive credential compromise.
> Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.
I remember there was some brewhaha a while back about how Shodan was able to discover services on IPv6 since the address space was so sparse. Apparently they were running enough of their own NTP servers to reliably map out lots of devices on IPv6.
Since I learned about Shodan, I'm convinced that the (subjectively) increase in reported data breaches is just due to an increasing amount of people looking through Shodan results, and doesn't have anything to do with any trends in security.
Security standards at any company have always been low, but now it's easy even for a layman to find leaked data.
I wouldn't be surprised if the starting point for this vulnerability wasn't ES, but Docker. Docker by default modifies iptables and if you hack together a system that uses both software running directly on the host and in containers, it's going to expose the forwarded containers to the Internet - which you might not be expecting, since a bind to localhost would be enough to expose a service. It's always a good idea to have a separate firewall running outside of the your system - this is the one Docker can't fool.
They mentioned this is google cloud, which blocks almost all incoming ports by default. they had to have chose to expose this through the project firewall, and not put in a source filter.
No. It's not dockers' fault you did not read the manual and expose the ports wrong: you can bind the port to specific ips for export and tjat address should be 127.0.0.1
I see where you're coming from, but I disagree. I believe that good software and abstractions should take little training to use - everything unintuitive is a design failure and should be fixed. "Reasonably secure" should be the implicit default, not something you need to explicitly added. E.g., it's better to force authentication and force the administrator to add an account than let everyone in by default. Or it's better to bind to 127.0.0.1 than to 0.0.0.0 by default, like most web servers built into frameworks I saw do.
Unfortunately, instead of good intuition, Docker is built on caveats, be it networking, storage, caching, image sharing, container/image distinction, authentication, deployment or building a cluster. Every subsystem I experimented with "works", but fails in weird ways in some situations. In my opinion, that means that Docker is a good idea, but has terrible UX/functionality/error handling. I kind of think the same way of Git.
Not sure about Google Cloud, but Elasticsearch on AWS doesn't support x-pack security. You can only secure your instance via IP restriction, otherwise you have to sign your requests, which is not always supported on Elasticsearch DSL libraries that are commonly used.
I believe Elasticsearch doesn't allow restricting access by requiring login unless you pay for the enterprise version, which is just straight up stupid.
In retrospect, it would have been interesting to have a bunch of accounts each containing a unique "map trap", at all of the larger services. Then years later, when the aggregator/broker guys get hacked/sold/leaked, you'd have some picture of the genealogy involved.
The problem is that you often can’t find access to the actual “password” used in the breach. Does anyone know where I can see if it was an actual password or just some made up thing?
I was suggesting something different. Specifically open an account on every service as a tracking canary, say with the same email to help them tie them all together. But on each one, vary something slightly like phone. Then years later, when looking at a leaked aggregator entry, all the phones on the record should tell you all the places they bought/stole data from.
> In order to test whether or not the data belonged to PDL, we created a free account on their website which provides users with 1,000 free people lookups per month.
Well that's very generous of them. Now I know what I'm gonna do next.
does anyone know how we can search the data to find info about our (more than likely) entries in this database? or did they simply find it but not release the info?
Out of curiosity how do you guys think they managed to scrape LinkedIn on such a large scale?
I've been wanting to do some social graph experimentation on it (small scale - say 1000 people near me) but concluded I probably couldn't scrape enough via raw scraping without freaking out their anti-scraping. (And API is a non-starter since that basically says everything is verboten).
You probably have to be highly distributed. At least that’s what I did when I tried to scrape a large site some years ago. I had around 100 machines in different countries and gave each of them random pages to scrape.
It looks like the purpose was data enrichment, so maybe it was pieced together over time from multiple sources. My linkedin from PDL only had 1 bit of wrong info. I wasn't able to find anything on my personal email addresses which is good.
Distributed bot and scraper networks. Thousands of IPs geographically dispersed throughout the world. There is only so much you can do with rate limiting.
I go to LinkedIn without being logged in and nearly always get a login gate instead of the profile.
They were ordered to unblock hiQ specifically, they were not ordered to open up content to scrapers generally.
They can still throttle high volume traffic and put up captchas. I think the only specific thing the court ordered was for them to unblock hiQ IP ranges.
Scraping LinkedIn is so common you can usually hire people with years of experience in it. It is not as complicated as you might think. There are at minimum hundreds of companies that sell LinkedIn data they have scraped.
Hey - not related to your comment (apologies) but wanted to get in touch . You left a note on a previous post of mine about wanting to simplify FTP. I'd love to work on this project and wanted to see if you'd be willing to connect so I can understand the problem better. Feel free to email me at kunal@mightydash.com, and thanks in advance!
'Mobile Proxies' like https://oxylabs.io/mobile-proxies (no affiliation) allow you to use large pools of mobile or domestic IPs to scrape. It's expensive, but not prohibitively so. Once you've got a mobile IP you become incredible hard to throttle, since you're behind a mobile NAT gateway.
So far, the answers have contained non-technical answers like "Distributed Scraping." Well, yes, obviously.
A more useful answer is: I did this once, many years ago. Back then it was a matter of hooking up PhantomJS and making sure your user string was set correctly. Since PhantomJS was – I think – essentially the same as what headless chrome is today, the server can't determine that you're running a headless browser.
Now, it's not so easy nowadays to do that. There are mechanisms to detect whether the client is in headless mode. But most websites don't implement advanced detection and countermeasures. And in the ideal case, you can't really detect that someone is doing automated scraping. Imagine a VM that's literally running chrome, and the script is set up to interact with the VM using nothing but mouse movements and keyboard presses. You could even throw in some AI to the mix: record some real mouse movements and keyboard presses over time, then hook up some AI to your script such that it generates movements and keyboard presses that are impossible to distinguish from real human inputs. Such a system would be almost impossible to differentiate vs your real users.
The other piece of the puzzle is user accounts. You often have to have "aged" user accounts. For example, if you tried to scrape LinkedIn using your own account, it wouldn't matter if you were using 500 IPs. They would probably notice.
I wrote a chrome headless framework that types using semi-realistic key presses (timing, mistakes, corrections) and does semi-realistic scrolling / swiping and clicking / tapping.
It's not very hard to get something that would be too hard for almost every website beside Google and Facebook to bother with. If it's a 1 on a 0-9 scale in difficulty, most websites just don't have the resources to detect it
It took me like ~3 hours to write it, but I guarantee it would take months for someone to detect it, and even then, they'd have a lot of false positives and negatives.
I think there's also a lot of bot-detection-as-a-service around here that can be used by sites smaller than Google and Facebook, like WhiteOps or IAS anti-fraud.
Not many yet, general consensus is to first warn and get companies to implement better compliance - only those who really openly shit on GDPR get the fines.
LinkedIn doesn't protection doesn't seem to be that sophisticated at the moment. Someone I know maintains ~weekly up-to-date profiles of a few million users via a headless scraper that uses ~10 different premium accounts and a very low number of different IPs.
So is leaking PII? ToS isn't a legal contract: it's not signed by anyone and it's changed every other week without consent of users. ToS is just a formal excuse why someone's account may be suspended.
As long as you are able to source more than one provider, this can work well enough. If you're dependent on a single data source, e.g., because that source is the only possible source of said data, you'll get nuked from orbit by legal rather than technical means.
I had a business that was generating more money than my full-time job for a while. We helped and greatly simplified matters for several thousand independent proprietors while having a positive effect on the load of the data source, since we were able to batch/coalesce requests, make better use of caches, and take notification responsibilities on ourselves.
Once in a while someone would get worried and grumpy at the data source and there were a couple of cat-and-mouse games, but we easily outwitted their scraping detection each time. When they got tired of losing the technical game, they sent out the lawyers, which was far more effective. We were acquiring facts about dates and times from the place that issued/decided those dates and times, so there wasn't really any reliable alternative data source, and we had to shut down.
The glimmer of hope on the horizon is LinkedIn v. HiQ, which seems poised to potentially finally overturn 4 decades of anti-scraping case law, but not holding my breath too hard there.
LinkedIn Sales Navigator is a paid tool which allows you to search their whole database. Then depending on how much you pay you can get all their personal details (Email address, phone number, even their address sometimes.) https://business.linkedin.com/sales-solutions/sales-navigato...
I've always been a little confused how this works. If I got all that info for free, it's a "data leak", but if I pay to get the same detailed personal information it's...
In either case my personal data is given away without my consent, but there's this implication that it's only an issue when someone doesn't pay for it.
You're right, my take on this is that a company scraped a bunch of publicly available information, that people left open (consciously or not.) That's why only a subset have phone numbers. The profile URLs, emails, most people don't even try to protect those.
Normally the company sells this data, but now they've given it away. It's not good this data got out because the curation has some value to spammers or whoever. But using the word "leak" here undermines the severity of a real leak where passwords and social security numbers are exposed. Data that was never meant by anyone to be open.
Everyone likely has (technically) provided consent for every piece of information here being shared with partners. Buried in fine print that it wasn't really expected they'd read, of course. It's the cost of being online, and that sucks, but it seems only a leak of what had already been given out.
If you get drivers info by hacking a DMV database, it's prison. If you got the same details by paying a few millions for FOIA requests, you're a good citizen and a model tax payer.
Jokes aside, can you really file FOIA requests to get personal driver details from DMV? I thought FOIA would only apply for stuff that is meant to be public, but isn't due to difficulties of hosting, putting it up, etc.
Mind you, I didn't research the topic of what can or cannot be requested with FOIA, so I might be totally wrong.
LinkedIn gives away email id and phone number (even if you had given just for 2FA) to all your contacts. I checked PDL, it has all the information from LinkedIn except for phone number, which I promptly removed once I identified the 2FA issue (now TOTP is available).
I've crawled a popular social network on a large scale, currently doing the same for dating services as a hobby. God, wish I'd still got paid for webscraping.
Here are some tricks which may or may not work today:
- Have an app where user logs in through said website, then scrape their friends using this user's token. That way you get exponential leverage on the number of API calls you can make, with just a handful of users.
- Call their API through ipv6, because they may not yet have a proper, ipv6 subnet-based rate limiter.
- Scrape the mobile website. Even Facebook still has a non-js mobile version. This single WAP/mobile website defeats every anti-scraping measure they may have.
- From a purely practical perspective, start with a baremetal transaction-isolation-less database like Cassandra/ScyllaDB. Don't rely on googling "postgres vs mongodb" or "sql vs nosql", those articles will all end in "YMMV". What you really need is massive IOPS, and a multi-node ring-based index with ScyllaDB will achieve that easily. Or just use MongoDB on one machine if you're not in hurry.
- Don't be too kind on the big websites. They can afford to keep all their data in hot pages, and as a one man you will never exhaust them.
> - Call their API through ipv6, because they may not yet have a proper, ipv6 subnet-based rate limiter.
Nice tip!!
> -- From a purely practical perspective, start with a baremetal transaction-isolation-less database like Cassandra/ScyllaDB. Don't rely on googling "postgres vs mongodb" or "sql vs nosql", those articles will all end in "YMMV". What you really need is massive IOPS, and a multi-node ring-based index with ScyllaDB will achieve that easily. Or just use MongoDB on one machine if you're not in hurry.
Somewhat ironically Elasticsearch would probably work really well for this too (just make sure your elasticsearch isn't open to the world on the internet!).
>Somewhat ironically Elasticsearch would probably work really well for this too (just make sure your elasticsearch isn't open to the world on the internet!).
Sure it will work, but I personally don't like Elasticsearch for anything high-intensity because of its HTTP REST API and the overhead it carries. Take a look at Cassandra's [1] "CQL binary protocol", it simple and always on point.
You forgot the part about exposing your finished database to unprotected elasticsearch http endpoint ;)
In all seriousness does anyone know why you can even host an elasticsearch database as http and without credentials? Seems to be the default. What is the use case for this?
If I've understood you right, you break the TOS on other websites to collect users personal info, and then you have nightmares about people taking that data from you? Doesn't that raise ethical concerns in your eyes?
I usually recommend latency-based dynamic load control for that. Once the website starts to reply 500-1000ms longer than the average one-thread latency, it is time to take a bit of it back. It is also a co-operative strategy between fellow scrapers, even if they don't know about the other ones pushing larger load on the servers.
1000ms is a massive slowdown when revenue-noticeable impacts are far, far smaller. I don't know the legality, but hitting a site hard enough to cause 1000ms slowdowns seems like it's approaching DOS legality issues.
YMMV, and cloud providers would hate you for this, but you can automate the IP rotation with a cloud providers that bills you by the hour. It's easier than ever nowadays to spin an instance in Frankfurt, use it for an hour, and then another in Singapore for the second hour.
I scraped 10 million records from linkedin a few years ago from a single ip by using their search function. I got a list of the top 1000 first names and top 1000 last names and wrote a script to query all combinations and scrape the results.
once worked on a project that tried to do just that, but at the time the LinkedIn api was already limited to seeing the authenticated users connections connections, which was too limited for what we wanted to do, can only imagine it got worse.
It's also the reason recruiters really want to connect to you on LinkedIn because even if you are not interested, your connections might be.
The US courts decided that scraping is legal, even if against EULA:
> In a long-awaited decision in hiQ Labs, Inc. v. LinkedIn Corp., the Ninth Circuit Court of Appeals ruled that automated scraping of publicly accessible data likely does not violate the Computer Fraud and Abuse Act (CFAA). This is an important clarification of the CFAA’s scope, which should provide some relief to the wide variety of researchers, journalists, and companies who have had reason to fear cease and desist letters threatening liability simply for accessing publicly available information in a way that publishers object to. It’s a major win for research and innovation, which will hopefully pave the way for courts and Congress to further curb abuse of the CFAA.
That is a blatant misrepresentation of that decision. That decision was upholding a lower court's preliminary injunction that prevents LinkedIn from blocking hiQ while the main case between the two is litigated. It is not a final decision and it doesn't purport to say that scraping is legal (it even points out other laws besides the CFAA that might be used to prohibit scraping.)
At this point practically everything about me's available either for free or a few dollars. The only interesting thing left is whether a given password has been compromised. The answer to everything else is "yes, it's been leaked". Been that way for most of a decade at this point, guessing it's the same for most other folks with any modern digital or banking presence whatsoever.
I'm sure there are search engines for it too but I noticed that credit karma can tell you which of your passwords have been associated with your email addresses in data breaches.
Credit Karma is free but the CEO appears to be transparent in how they make money (recommending financial products to you based on what they see in your credit profile).
I am a very suspicious and wary internet user, hardly sign up for any services, but been using Credit Karma for my taxes and light financial monitoring for the last 3 years. Tax Filing was totally free and I got the tax refunds I was expecting. No issues with them whatsoever. I have never gotten any email or other spam as a result of using their service. I am a happy customer, though technically speaking I have never actually given them any money directly.
I agree. At first I got a few emails over a long period of time recommending financial products (credit cards, savings accounts, etc) but I unsubscribed and haven't seen any of those since. The only emails I get now are when something changes on my credit profile (new account, closed account, etc).
Maybe in the future it will, but it uses Have I Been Pwned. From the FAQ[0]:
How does Firefox Monitor know I was involved in these breaches?
Firefox Monitor gets its data breach information from a publicly searchable source, Have I Been Pwned. If you don’t want your email address to show up in this database, visit the opt-out page.
> Through our partnership with Troy Hunt’s “Have I Been Pwned,” your email address will be scanned against a database that serves as a library of data breaches. We’ll let you know if your email address and/or personal info was involved in a publicly known past data breach.
But would you call VendingMachinesCo because there is a vending machine outside the local supermarket, operated by said supermarket, that spits out cocaine? Pretty sure that whatever you put in there is the machine owner's responsibility, not the manufacturer. GCP does not put content in their VPSes themselves the way that a bank operates an ATM.
I think it's more like the responsibility of an ISP to poke their noses in what they transfer, since it might be illegal content (similar to whether Google should poke their noses into people's VPSes). I'm not sure if we should want to require them to do that.
Yeah no kidding. Though if you wait until it flips to a new minute and refresh, that helps. Though it takes all of a minute to register a free key, so probably no big deal.
Indeed they do have a profile on me - a bare minimum, scaped from GitHub. That makes sense, since that's about the only social platform I use, aside from HN.
EDIT: My GMail address has the most amount of information gathered, which makes sense. It's gathered Facebook, LinkedIn, Pinterest, GitHub..
It lists my skills as: firefighting and emergency planning/management/services. I suppose, with a stretch of imagination..
Haha, when I was a kid and scared to use my real name for things, for some reason I used my email... which had my real name in it, to open a Github account with a fake name
So the api knows me as the famous architect, Art Vandelay
In your github account you can add a new email address that doesn't even exist or have a valid TLD, like "name@mail.fake". Don't use it as your primary email and it won't require confirmation. You can now set your git user.email to this fake address and any commits you make will be attributed to your account without exposing your actual email address.
You can use yourgithubusername@users.noreply.github.com instead of adding a fake email, and your commits will still show up on your contribution graph and be linked to your username.
It would be really surprised if this were compliant with the GDPR. I live in the US but I tried email accounts of relatives in Europe and they had data in there.
Theoretically, if it were egregious enough, the EU could say to the owners or management of the company that if they went to the EU they would be arrested. That’s enough of a threat that it might convince them.
> The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as "extra-territorial effect."
They can say this all they want, but if you have no presence in the EU, and your jurisdiction does not have any agreement to apply GDPR regulations to you, then this is at most a strongly worded request.
Barring explicit agreements to the contrary (treaties, extradition agreements, etc), by definition a country's laws are only enforceable there.
If PDL has no business in Europe, no plans to expand there, and there's no treaty or other agreement making the provisions enforceable against them, the EU can say whatever it wants but PDL has no legal obligation to do anything about it.
One obvious answer in that case would be to establish who is buying the data from them and treat any PDL data as potentially tainted. If you find a downstream customer who does have a presence, then investigate accordingly. You might not be able to fine PDL directly, but you could certainly make the offending data risky or unprofitable...
Usually you'd either track known errors in the dataset (implying that the companies had either bought it from PDL or copied the leak), or you'd ask the banks (who do have a presence) which accounts were paying them and who owned the accounts. If Bitcoin's involved at all, you assume there's something fishy going on and investigate accordingly.
(Assuming anyone were bothered enough to actually do this, of course.)
Legal jurisdiction is a separate matter than the specific text of laws. The "this applies to non-European companies" things just means that if you fall under the jurisdiction of European courts, you can't absolve yourself of responsibility of complying with this law simply by being a foreign-registered company.
On the other hand, if you never fall under European jurisdiction in the first place, you're free to ignore them, just as you can ignore Thai laws against insulting their king. One very important thing to note is that setting foot in European soil will expose you to their jurisdiction, so you've significantly limited your freedom of movement, but if GDPR compliance is a bigger deal than that then "just never go to Europe" can be a viable strategy.
Oh yes, I'm going to try and see if they have data on me and send a number of GDPR requests if they do. For others from the EU, it's very easy to do using: https://www.mydatadoneright.eu/request
I'm actually a bit surprised at how little data they have on me. They've associated my main email with an old junk email, they've got my first and last name, and know that I'm male, but there's little more.
My personal email seems to be based on Github and Gravatar, while my job search and work emails got linked together and appear to be based on LinkedIn.
It returned a 404 for my personal email account, so that appears to be sufficiently protected.
More surprisingly it had data such as my name, title and work email address which was connected to old work email account (Okta managed - GSuite) that I never associated with external services, and absolutely never used on a social networking site like LinkedIn.
Nothing for most of my accounts, except one which somehow was falsely attributed to someone else. Odd given I do have a LinkedIn profile; Their scraping must be far from perfect.
Wow.. I checked with an email address I use for disposable purposes. The only thing they had on it was a blank LinkedIn profile -- meaning that LinkedIn cancer has trawled some pretty questionable sites, harvesting email addresses as placeholders for their accounts. WTF.
This data is accessible at small scales just by registering for a free api key at People Data Labs and making a GET request, and if you want more robust access you could just pay PDL for it.
I mean it is INTENTIONALLY exposed to the public... the only mistake is they are giving it away instead of charging for it. If you don't like it when they give out all the information for free, it doesn't make it better if they charge money.
Depending on the countries the data is hosted in and the attacker lives in, it's unclear any law has been broken that would land a person in jail.
If PDL had a flaw in their implementation that allowed someone to scrape them (or they didn't and someone did the hard work of creating 1.2 million fake accounts to register for 1,000 free API calls), it might be an uphill battle to prove even "unauthorized access."
I found a vulnerability in linkedIn a few years back that allowed anyone to access a private profile (because client side validation was enough for them I guess..?)
They didn't take my report seriously (still not completely patched) and I feel like that told me all I needed to know about their security practices.
I reported an issue to the LinkedIn competitor https://about.me two years ago where signing in with my Google credentials gives me access to some the account of some random other person with a similar name to me. I think that during registration, I attempted to register about.me/johnradio (except it's not "johnradio"), but he was already using it, and then the bug occurred that gave me this access.
I randomly check every 6 months or so and yep, still not fixed.
For a while, our Comcast billing account accessed some other person’s account. Comcast didn’t take it seriously, and just told us to create a new account and not use the old one. (!!!)
We had full access. I could have signed this person up for the most expensive package, or even canceled their service.
To be fair, internets would have been equally outraged if there wasn't such requirement, because sure as hell somebody would have found an exploit and cancelled a bunch of account, just for funzies
I managed to cancel my dad's after he died. They STILL tried to upsell me! One of my favorite phrases ever uttered: "He's dead, you asshole, he doesn't need more channels!" And that actually did it. Felt sorry for the salesperson, who didn't have much of a choice in the matter...
Surely by making it difficult to cancel they’re really just making it easier for people to get discounts. If I were a Comcast customer I’d be calling up to cancel every few months.
I signed up for a disposable Gmail account using my real name at one point, and accepted the randomly suggested address it offered. Gmail loaded with someone else's obviously in use mailbox
IIRC I logged out again and back in, same thing, my credentials worked. Went back to it a few days later and the password no longer worked
I think it's like EC2 instance IDs. When they first came up with it, they never thought there would be literally billions of unique email addresses/EC2 instances eventually.
My gmail is my first initial followed by my last name. There are other people on this planet with same first initial and last name, some of whom seem to think that must be their email too, because I keep on getting emails where they used it to sign up for things.
My gmail is two initials and last name, so theoretically less susceptible to such errors. Yet I get misaddressed mail all the time—and a surprising amount of it is job applications!
I get bank statements, job offers, party invitations, and lately a bunch of lets say very questionable email verifications from euro 'dating' sites- I've identified the guy in the UK but its too much (and getting embarrassing now) to keep forwarding his stuff to him.
Downside of getting in early on popular email services.
> but its too much (and getting embarrassing now) to keep forwarding his stuff to him
What amazes me is when I get misaddressed email, and I reply to say its misaddressed (and I'm not talking about automated services, I'm talking about obviously manually sent stuff), and my reply just gets ignored and the misaddressed email just keeps on coming.
Somebody keeps phoning me and leaving messages. They don't answer their own phone (or messages clearly). I even have a sarky voicemail now, you'd think they'd notice. Nope!
Lady, whoever you think is going to be at that funeral isn't getting that message.
I've no idea if they'll get disconnected now as I've blocked their number. Hope so maybe they'll notice then.
Trust me, I used my full first name, it's not enough to stop these people. One is a UK doctor, one is a US teacher, and I think there are one or two more. Been sent a few baby pictures from their relatives too.
I had a lady send me a zip file that contained a VPN client, certificate and a word document with usernames and passwords to the VPN and a number of industrial control systems at the factory she was a manager of.
Every few months I get scans of X-rays from random clients' teeth from some dentist in South America. I've tried so many times to respond and/or unsubscribe but never hear anything back.
I faced the same problem (though my name is not at all very common). Banks, mobile companies never did anything even after I repeatedly told them on phone and Twitter (and have kept a record of it).
One day after I had received a person's bank, mobile statement and many other bills for few months I decided to call him (his number was easily visible in many emails) and inform him of his mistake. He turned out to be lawyer and he said he will "decide" what to do about it. And the next thing I know is he sent a carefully drafted email (as a legal notice) that I should hand over my email address to him without further delay and all that.
I didn't do that. I talked to a lawyer friend and he just told me to reply with a "G F Y" card. I didn't do that either. But that pushed me to finally move my emails to my personal domain as it was/is a Gmail account and if someone complained Google would have just terminated my account and I don't know anyone who works at Google.
That lawyer sounds like a douchebag.
I super agree with your point too: I'm also slowly moving all my emails to my personal domain and it feels liberating.
I can only imagine about.me mass-creating profiles for names found on other web pages, and opening a way for someone to "claim" those profile with a matching Google account sign-in.
About.me's business model was quite unsettling to me and they have made little to no effort to protect the user data from scrapers.
I deleted my linkedin a few years back when they had some bug where I would randomly get page views as some other person, with all their connections and account details and whatnot. It would only last a few minutes then switch me back to my account, but they aggressively ignored my attempts to reach out to them about this bug so I just gave up.
I had a similar experience. In 2014 I reported an issue where you could take over someone's account by adding an email you control to it and having them complete the flow by sending them a link (which, unless they looked very carefully, looked exactly like the regular log-in flow at the time - especially if they used a public email service and you registered a similar-looking account).
I tried it on a friend and it worked, but LinkedIn's response was basically "meh".
My life has only gotten better since I deleted LinkedIn a few years ago. I know I'm in a privileged position to be able to do that, but I strongly recommend everyone here consider whether what they gain from their account is worth the crap and spam they have to put up with.
LI is terrible if you actually try to use it, but it's harmless enough if you just use it as a profile hosting service, where people are likely to look. I just auto-archive their emails and only visit the site a couple of times per year.
While not good, what's the connection to this story?
The article says some LinkedIn data was scraped, but I don't see anywhere that it specifically says a LinkedIn security flaw was used in the scraping. Although it is vague about what data was scraped and how, so it doesn't preclude that either.
In other words, are you saying a LinkedIn vulnerability was exploited here, or suggesting that it probably was, or are you just mentioning LinkedIn because it's tangentially related?
Facebook/LinkedIn are not implicated in the breach at all; it was some random third-party data enrichment service. The Facebook/LinkedIn in the title refers to the fact that people's FB/LI accounts were one of the fields in the database. So were their Github, and basically any other public-facing account that these scrapers can gather.
Linkedin the last social media membership I have. I’ve been mulling over whether to delete my account because I’m not sure how it will look to prospective employers.
I don't know about other people, but I have zero personal info with LinkedIn and Facebook.
They only info they have about me is info I don't mind being public. If I want something to be private I don't tell it to them. It's as simple as that.
Google on the other hand, knows lots of private things.
Facebook has a lot of personal information about you even if you have never had a Facebook account. For example: your GPS location data, approximate age, gender, ethnicity....
Welcome to the future komrade. Sadly, it's not a matter of just "not giving them" your location data. Your devices supply it.
And your friends too. I dutifully kept a new number out of FB until a friend messaged me with, is this your number right? Xxx-xxx-xxx. They can also tag you and auto tag you through face recognition.
Through shadow profiles, third-party submissions, cross-site cookie tracking, and integration of offline data records, this almost certainly is absolutely false.
Unless you've directly pursued all legal (or otherwise) mechanisms to ascertain this directly, the best you can say is that you're unaware of any information that's been acquired, and that you didn't knowingly or intentionally contribute any yourself.
The article here describes precisely this practice, in its fourth paragraph and following, in the section titled "Data Enrichment":
For a very low price, data enrichment companies allow you to take a single piece of information on a person (such as a name or email address), and expand (or enrich) that user profile to include hundreds of additional new data points of information. As seen with the Exactis data breach, collected information on a single person can include information such as household sizes, finances and income, political and religious preferences, and even a person’s preferred social activities.
This is why I lie about my birthdate by a couple of days on anything where it's not something like a medical record or where I am required to tell the truth for whatever reason. I also never provide my social security number unless it is required by law.
One of my coworkers generates a fake middle name for every service they sign up with. According to him, this serves as a unique identifier allowing them to determine when a service is selling their data to a third party (or data is being leaked).
Fastmail has subdomain addressing, so if your email is jondoe@example.com, you can use hn@jondoe.example.com to sign up for HN.
That way you'll know for sure who leaks your data, and nobody's going to strip it away like some services would strip away plus addressing (as in, johndoe+hn@example.com).
I have excellent results with a subdomain. Even though PDL probably has a lot of data on me, they have (not yet?) been able to glue it to my primary mail address. That one only has my name, gender, github, country and name of my employer. They can't seem to map the remainder to anything else.
I think cold calling could be an even bigger nuisance. My DNS provider published my phone number by mistake on a whois when I registered a domain, I spotted it immediately and it was corrected within hours. Over a year later I still receive cold calls from India to sell me web services at least once or twice a week.
Imagine if you can match everyone’s position with a mobile phone, a dream for tele marketers, tailors, scammers, etc...
Yes and no. You need a phone number, but you still need to carry out a variation of an attack that replaces the SIM associated with that phone number. Sometimes this is carrier-specific. Sometimes it's trivial, sometimes it requires a menial amount of work, and in extreme cases you might have to access an actual network. Most of the time there is nothing stopping the attack if they have your personal information.
It's a tragedy that all of this data was available to anyone in a public database instead of.... checks notes... available to anyone who was willing to sign up for a free account that allowed them 1,000 queries.
It seems like PDL's core business model is irresponsible regarding their stewardship of the data they've harvested.
Would it be better if this was a paid service? If the issue access to the data, then maybe we should ask if this data should be collected in the first place.
> If the issue access to the data, then maybe we should ask if this data should be collected in the first place.
Outlawing the collection of data would be hard and is unlikely to work, but the fact that companies like AT&T are allowed to sell your data, as they did with OP's (where else would that unused phone number come from), is an angle new legislation can use.
The EU now already has a piece of legislation aimed at stifling these practices. The US and other economies just need to follow suit.
It seems like that is starting to happen with California's new data privacy law. I'm starting to get a lot of privacy policy update emails like I did when GDPR took effect.
I'm more thinking that not all data is equal. We really treat it like it is, at least from the public perspective (it clearly isn't from the perspective of those gathering data, but there's a clear disparity in how these groups view things). Some data is actually necessary to give up to have a well functioning internet (what browser you're using) and some data is not (canvas fingerprinting). There's a tough question here because the people making the decision of what data to be used is not us. It is the websites we visit. I would argue that there is no consent being given here and all is assumed to be "common consent" (which I'm using as a lack for better terms. Things like that if you walk out in public people can see you. But conversely, someone can't run up to you and measure your height with a tape measure). There has to be some balance here. What that is, I don't know. But really the only people that can figure that out are us computer nerds who at least kinda understand these things. We have to be having these discussions, or else it becomes "fuck silicon valley" (a conversation that is becoming national). So if we don't think about these things, then we clearly live in a bubble and bubbles burst. If we do think about these things, maybe we don't live in a bubble.
I was recently told how private detectives from a national agency would actually go door-to-door (over a minimal area) under the pretext of AT&T store / sales employees. They’d try to convince their target (and some incidental neighbors as cover) to switch their bundled services to AT&T.
The private agents were armed with the latest available discounts (which you could find for yourself if you tried). But their skills made them particularly more successful than a typical front-line sales employee.
The catch? It wasn’t a scam, and they really were trying to get their targets to switch. It seems that AT&T was more willing to sell consumer data than the general public is aware of. Converting their targets to AT&T granted their agency access to additional data which they then to passed onto their clients. And the target gets a discount, too. Win-Win-Win? :)
That is precisely my point. Differential privacy would NOT make any difference, and I was pointing the many folks who are working on it to the much simpler issues that are in fact being encountered in the field. This past IEEE S&P had quite a few theoretical privacy talks.
439 comments
[ 3.3 ms ] story [ 302 ms ] threadAnd send it where? It's unclear who owns this server
> In order to test whether or not the data belonged to PDL, we created a free account on their website which provides users with 1,000 free people lookups
Could the server owner (Google) have to fulfill the request? Probably not, but interesting to think about.
But the article says that's possible the actual leak comes from a customer or former customer of these companies and the actual ownership is so far a mistery.
https://www.peopledatalabs.com/opt-out-form
People Data Labs privacy policy: 3. ACCESS TO AND CONTROL OVER INFORMATION A person may do any of the following at any time by contacting People Data Labs at support@peopledatalabs.com. People Data Labs will reply to a person’s request within five business days.
A. Access any information we have on them, if any.
B. Change, correct, or delete any information we have them, if any.
C. Express any concerns about People Data Labs using their information.
People Data Labs' team will act swiftly upon a person’s email request to change, correct, provide, delete, or explain anything a person query.
People Data Labs understands if a person would like to opt out of People Data Labs' database. Opting out will stop all data sharing and enriching of all PII in People Data Labs servers for that person. Click here, if you would like to opt-out, or choose to have all data about you removed from People Data Labs' database.
For https://www.oxydata.io/: Review and changes to your information Contact us at sales@oxydata.io to find out what information we have collected about you, and to request any changes to or deletion of it.
An online opt-out system is too easy for them. I want each one to get a phone-book sized list of opt-outs every month.
And the same for data requests. Someone that curates the data collectors, and sends them requests every month.
Do you know which country’s “do not call” list I want to be on? All of them! Get my number on the AU list, the UK list, the DE list...
Let’s crash the system.
Also it seems like theres a service like this called Delete Me, but it also seems like theyre a manual opt-out shop. Would be cool if you could find a way to not have humans doing it. Bet they're just having people on amazon mechanical turk fill these out or something like that. https://joindeleteme.com/how-we-work/
It should be like a doctor’s prescription in a lot of places: as long as it’s on paper and has the right elements, it’s valid.
My only fear is that you're now sending this all to them, but in 2019, we can safely say your name+DOB+address isn't a secret. Or national identity number if that's a thing in your jurisdiction.
It's the metadata around it we want wiped out.
This exists but it's not cheap: https://www.abine.com/deleteme/
Blargh, let the data broker figure out if I’m in their DB or not.
Trying to determine that myself seems risky. Better to send the request to every broker in existence.
It's possible there's someone selling them so not-quite-public info, too, but it's probably more like phone numbers and less like private messaged on Facebook or Linkedin.
The title reads like data from 1.2B profiles was leaked by Facebook and Linkedin, but this looks like scraping public profiles from them.
Clearbit is one of them and even a YC company.
Interesting.
Would suggest starting at arxiv. This is not a hidden field for the active and/or keen researcher.
Security standards at any company have always been low, but now it's easy even for a layman to find leaked data.
It is downright ridiculous that this was ever approved as a default behavior.
Unfortunately, instead of good intuition, Docker is built on caveats, be it networking, storage, caching, image sharing, container/image distinction, authentication, deployment or building a cluster. Every subsystem I experimented with "works", but fails in weird ways in some situations. In my opinion, that means that Docker is a good idea, but has terrible UX/functionality/error handling. I kind of think the same way of Git.
But I still wonder why that isn't part of the open source version, and why it isn't turned on by default....
But as I recall looking for Breach Compilation may help finding the requisite gist on GitHub.
Well that's very generous of them. Now I know what I'm gonna do next.
I've been wanting to do some social graph experimentation on it (small scale - say 1000 people near me) but concluded I probably couldn't scrape enough via raw scraping without freaking out their anti-scraping. (And API is a non-starter since that basically says everything is verboten).
Needing to be logged in as the same user defeats the purpose of proxying to hide your physical origin.
Registering thousands of different users to use in a distributed way is hard now that they require a text message verification for new accounts.
https://www.eff.org/deeplinks/2019/09/victory-ruling-hiq-v-l...
They were ordered to unblock hiQ specifically, they were not ordered to open up content to scrapers generally.
They can still throttle high volume traffic and put up captchas. I think the only specific thing the court ordered was for them to unblock hiQ IP ranges.
A more useful answer is: I did this once, many years ago. Back then it was a matter of hooking up PhantomJS and making sure your user string was set correctly. Since PhantomJS was – I think – essentially the same as what headless chrome is today, the server can't determine that you're running a headless browser.
Now, it's not so easy nowadays to do that. There are mechanisms to detect whether the client is in headless mode. But most websites don't implement advanced detection and countermeasures. And in the ideal case, you can't really detect that someone is doing automated scraping. Imagine a VM that's literally running chrome, and the script is set up to interact with the VM using nothing but mouse movements and keyboard presses. You could even throw in some AI to the mix: record some real mouse movements and keyboard presses over time, then hook up some AI to your script such that it generates movements and keyboard presses that are impossible to distinguish from real human inputs. Such a system would be almost impossible to differentiate vs your real users.
The other piece of the puzzle is user accounts. You often have to have "aged" user accounts. For example, if you tried to scrape LinkedIn using your own account, it wouldn't matter if you were using 500 IPs. They would probably notice.
It's hard to counter a determined scraper.
It's not very hard to get something that would be too hard for almost every website beside Google and Facebook to bother with. If it's a 1 on a 0-9 scale in difficulty, most websites just don't have the resources to detect it
It took me like ~3 hours to write it, but I guarantee it would take months for someone to detect it, and even then, they'd have a lot of false positives and negatives.
How many fines has GDPR resulted in?
Headless chrome cat and mouse game is a lot of fun. We need more players.
I had a business that was generating more money than my full-time job for a while. We helped and greatly simplified matters for several thousand independent proprietors while having a positive effect on the load of the data source, since we were able to batch/coalesce requests, make better use of caches, and take notification responsibilities on ourselves.
Once in a while someone would get worried and grumpy at the data source and there were a couple of cat-and-mouse games, but we easily outwitted their scraping detection each time. When they got tired of losing the technical game, they sent out the lawyers, which was far more effective. We were acquiring facts about dates and times from the place that issued/decided those dates and times, so there wasn't really any reliable alternative data source, and we had to shut down.
The glimmer of hope on the horizon is LinkedIn v. HiQ, which seems poised to potentially finally overturn 4 decades of anti-scraping case law, but not holding my breath too hard there.
In either case my personal data is given away without my consent, but there's this implication that it's only an issue when someone doesn't pay for it.
You gave that consent when you put your info in Linkedin in the first place, according to their ToS.
Normally the company sells this data, but now they've given it away. It's not good this data got out because the curation has some value to spammers or whoever. But using the word "leak" here undermines the severity of a real leak where passwords and social security numbers are exposed. Data that was never meant by anyone to be open.
Everyone likely has (technically) provided consent for every piece of information here being shared with partners. Buried in fine print that it wasn't really expected they'd read, of course. It's the cost of being online, and that sucks, but it seems only a leak of what had already been given out.
[0] https://www.abcactionnews.com/news/local-news/i-team-investi...
Mind you, I didn't research the topic of what can or cannot be requested with FOIA, so I might be totally wrong.
Here are some tricks which may or may not work today:
- Have an app where user logs in through said website, then scrape their friends using this user's token. That way you get exponential leverage on the number of API calls you can make, with just a handful of users.
- Call their API through ipv6, because they may not yet have a proper, ipv6 subnet-based rate limiter.
- Scrape the mobile website. Even Facebook still has a non-js mobile version. This single WAP/mobile website defeats every anti-scraping measure they may have.
- From a purely practical perspective, start with a baremetal transaction-isolation-less database like Cassandra/ScyllaDB. Don't rely on googling "postgres vs mongodb" or "sql vs nosql", those articles will all end in "YMMV". What you really need is massive IOPS, and a multi-node ring-based index with ScyllaDB will achieve that easily. Or just use MongoDB on one machine if you're not in hurry.
- Don't be too kind on the big websites. They can afford to keep all their data in hot pages, and as a one man you will never exhaust them.
Nice tip!!
> -- From a purely practical perspective, start with a baremetal transaction-isolation-less database like Cassandra/ScyllaDB. Don't rely on googling "postgres vs mongodb" or "sql vs nosql", those articles will all end in "YMMV". What you really need is massive IOPS, and a multi-node ring-based index with ScyllaDB will achieve that easily. Or just use MongoDB on one machine if you're not in hurry.
Somewhat ironically Elasticsearch would probably work really well for this too (just make sure your elasticsearch isn't open to the world on the internet!).
Sure it will work, but I personally don't like Elasticsearch for anything high-intensity because of its HTTP REST API and the overhead it carries. Take a look at Cassandra's [1] "CQL binary protocol", it simple and always on point.
[1] https://github.com/apache/cassandra/blob/trunk/doc/native_pr...
In all seriousness does anyone know why you can even host an elasticsearch database as http and without credentials? Seems to be the default. What is the use case for this?
For a while I've had reoccurring nightmares that my DB had been stolen and published together with an article on how stupid and incompetent I am.
I'll cut straight to the chase and post it on hn. This intermediate step of waiting for someone to discover it takes too long
How would someone do that using node.js? Asking for a friend.
That's some extremely shady thing to do.
I usually recommend latency-based dynamic load control for that. Once the website starts to reply 500-1000ms longer than the average one-thread latency, it is time to take a bit of it back. It is also a co-operative strategy between fellow scrapers, even if they don't know about the other ones pushing larger load on the servers.
Clever. VMs with IPV6 are cheap as a bonus :)
Same for non-js mobile. Thanks for the tips
YMMV, and cloud providers would hate you for this, but you can automate the IP rotation with a cloud providers that bills you by the hour. It's easier than ever nowadays to spin an instance in Frankfurt, use it for an hour, and then another in Singapore for the second hour.
Pretending to be Googlebot also helps.
This may or may not still work.
> In a long-awaited decision in hiQ Labs, Inc. v. LinkedIn Corp., the Ninth Circuit Court of Appeals ruled that automated scraping of publicly accessible data likely does not violate the Computer Fraud and Abuse Act (CFAA). This is an important clarification of the CFAA’s scope, which should provide some relief to the wide variety of researchers, journalists, and companies who have had reason to fear cease and desist letters threatening liability simply for accessing publicly available information in a way that publishers object to. It’s a major win for research and innovation, which will hopefully pave the way for courts and Congress to further curb abuse of the CFAA.
https://www.eff.org/deeplinks/2019/09/victory-ruling-hiq-v-l...
https://monitor.firefox.com/
Credit Karma is free but the CEO appears to be transparent in how they make money (recommending financial products to you based on what they see in your credit profile).
How does Firefox Monitor know I was involved in these breaches?
Firefox Monitor gets its data breach information from a publicly searchable source, Have I Been Pwned. If you don’t want your email address to show up in this database, visit the opt-out page.
[0] https://support.mozilla.org/en-US/kb/firefox-monitor-faq#w_h...
> Through our partnership with Troy Hunt’s “Have I Been Pwned,” your email address will be scanned against a database that serves as a library of data breaches. We’ll let you know if your email address and/or personal info was involved in a publicly known past data breach.
https://blog.mozilla.org/blog/2018/09/25/introducing-firefox...
“Hello, Bank of America? There’s an ATM machine of yours that’s spitting out cocaine.
Yes, I understand that it’s probably not your cocaine and that’s not your business, but don’t you think you should maybe shut it down?”
I think it's more like the responsibility of an ISP to poke their noses in what they transfer, since it might be illegal content (similar to whether Google should poke their noses into people's VPSes). I'm not sure if we should want to require them to do that.
You can try it for yourself by changing the email. All of the information is public, so I don't mind. They are basically doing data integration.
Strangely it only says I work in real estate (no I don't) when I looked up the email address I use for LinkedIn...
e75ac28b25480e60071b24d819d4692a0b315c037046b9ff6ec9dfb1e99a895c
Indeed they do have a profile on me - a bare minimum, scaped from GitHub. That makes sense, since that's about the only social platform I use, aside from HN.
EDIT: My GMail address has the most amount of information gathered, which makes sense. It's gathered Facebook, LinkedIn, Pinterest, GitHub..
It lists my skills as: firefighting and emergency planning/management/services. I suppose, with a stretch of imagination..
So the api knows me as the famous architect, Art Vandelay
They can say this all they want, but if you have no presence in the EU, and your jurisdiction does not have any agreement to apply GDPR regulations to you, then this is at most a strongly worded request.
Barring explicit agreements to the contrary (treaties, extradition agreements, etc), by definition a country's laws are only enforceable there.
If PDL has no business in Europe, no plans to expand there, and there's no treaty or other agreement making the provisions enforceable against them, the EU can say whatever it wants but PDL has no legal obligation to do anything about it.
(Assuming anyone were bothered enough to actually do this, of course.)
On the other hand, if you never fall under European jurisdiction in the first place, you're free to ignore them, just as you can ignore Thai laws against insulting their king. One very important thing to note is that setting foot in European soil will expose you to their jurisdiction, so you've significantly limited your freedom of movement, but if GDPR compliance is a bigger deal than that then "just never go to Europe" can be a viable strategy.
Good luck to the EU on enforcing their law against an American company, though.
[1] https://angel.co/company/peopledatalabs/people
More surprisingly it had data such as my name, title and work email address which was connected to old work email account (Okta managed - GSuite) that I never associated with external services, and absolutely never used on a social networking site like LinkedIn.
I am not sure why this stuff being online in bulk is so much worse than being online behind a paywall that someone should actually go to jail for it.
If PDL had a flaw in their implementation that allowed someone to scrape them (or they didn't and someone did the hard work of creating 1.2 million fake accounts to register for 1,000 free API calls), it might be an uphill battle to prove even "unauthorized access."
They didn't take my report seriously (still not completely patched) and I feel like that told me all I needed to know about their security practices.
I randomly check every 6 months or so and yep, still not fixed.
We had full access. I could have signed this person up for the most expensive package, or even canceled their service.
Maybe that's how we drive their customer count and revenue down and put them out of business.
The first thing I said at the counter was "I know it's really hard to cancel Comcast, and I'm not going to accept anything but a cancel."
The girl at the counter smiled and said "We know ..." and immediately cancelled my account.
IIRC I logged out again and back in, same thing, my credentials worked. Went back to it a few days later and the password no longer worked
How have they not resolved this?
Downside of getting in early on popular email services.
What amazes me is when I get misaddressed email, and I reply to say its misaddressed (and I'm not talking about automated services, I'm talking about obviously manually sent stuff), and my reply just gets ignored and the misaddressed email just keeps on coming.
Lady, whoever you think is going to be at that funeral isn't getting that message.
I've no idea if they'll get disconnected now as I've blocked their number. Hope so maybe they'll notice then.
She sent it religiously, every 90 days.
How the hell could she think that your email address was hers? I mean, wouldn't she notice that she never got the messages?
I can imagine someone mistyping an address, and then reusing the "to" link.
One day after I had received a person's bank, mobile statement and many other bills for few months I decided to call him (his number was easily visible in many emails) and inform him of his mistake. He turned out to be lawyer and he said he will "decide" what to do about it. And the next thing I know is he sent a carefully drafted email (as a legal notice) that I should hand over my email address to him without further delay and all that.
I didn't do that. I talked to a lawyer friend and he just told me to reply with a "G F Y" card. I didn't do that either. But that pushed me to finally move my emails to my personal domain as it was/is a Gmail account and if someone complained Google would have just terminated my account and I don't know anyone who works at Google.
About.me's business model was quite unsettling to me and they have made little to no effort to protect the user data from scrapers.
I tried it on a friend and it worked, but LinkedIn's response was basically "meh".
My life has only gotten better since I deleted LinkedIn a few years ago. I know I'm in a privileged position to be able to do that, but I strongly recommend everyone here consider whether what they gain from their account is worth the crap and spam they have to put up with.
The article says some LinkedIn data was scraped, but I don't see anywhere that it specifically says a LinkedIn security flaw was used in the scraping. Although it is vague about what data was scraped and how, so it doesn't preclude that either.
In other words, are you saying a LinkedIn vulnerability was exploited here, or suggesting that it probably was, or are you just mentioning LinkedIn because it's tangentially related?
They only info they have about me is info I don't mind being public. If I want something to be private I don't tell it to them. It's as simple as that.
Google on the other hand, knows lots of private things.
Welcome to the future komrade. Sadly, it's not a matter of just "not giving them" your location data. Your devices supply it.
Unless you've directly pursued all legal (or otherwise) mechanisms to ascertain this directly, the best you can say is that you're unaware of any information that's been acquired, and that you didn't knowingly or intentionally contribute any yourself.
The article here describes precisely this practice, in its fourth paragraph and following, in the section titled "Data Enrichment":
For a very low price, data enrichment companies allow you to take a single piece of information on a person (such as a name or email address), and expand (or enrich) that user profile to include hundreds of additional new data points of information. As seen with the Exactis data breach, collected information on a single person can include information such as household sizes, finances and income, political and religious preferences, and even a person’s preferred social activities.
Please let's put this canard to rest.
That way you'll know for sure who leaks your data, and nobody's going to strip it away like some services would strip away plus addressing (as in, johndoe+hn@example.com).
Sounds like a nightmare in the making for those cell phone users and their carriers when those begin to get SIM jacked.
Imagine if you can match everyone’s position with a mobile phone, a dream for tele marketers, tailors, scammers, etc...
It seems like PDL's core business model is irresponsible regarding their stewardship of the data they've harvested.
Outlawing the collection of data would be hard and is unlikely to work, but the fact that companies like AT&T are allowed to sell your data, as they did with OP's (where else would that unused phone number come from), is an angle new legislation can use.
The EU now already has a piece of legislation aimed at stifling these practices. The US and other economies just need to follow suit.
The private agents were armed with the latest available discounts (which you could find for yourself if you tried). But their skills made them particularly more successful than a typical front-line sales employee.
The catch? It wasn’t a scam, and they really were trying to get their targets to switch. It seems that AT&T was more willing to sell consumer data than the general public is aware of. Converting their targets to AT&T granted their agency access to additional data which they then to passed onto their clients. And the target gets a discount, too. Win-Win-Win? :)
Disclaimer: I'm one of the creators of yourdigitalrights.org.