Has LinkedIn lost control of its user email database?

53 points by ColinWright ↗ HN
The email address that I created exclusively for my (much reviled) LinkedIn account has just received a virus. Does this mean their database of user emails has been leaked? Compromised? Sold?

Or are their systems just sufficiently poor that the email has leaked through other means?

36 comments

[ 3.3 ms ] story [ 86.2 ms ] thread
Could be. Or it could be a server on either end. Or a connection in between. Email is inherently insecure. So, even though you have an SSL connection to your server when you send your email and they have an SSL connection to their server when they receive it, your two servers make a plaintext connection to actually send the email from one to the other.
Or a tool that just generates random mailaddresses ending with a popular e-mailprovider domain.
The email to which I'm receiving viruses and spam is not of that form.

Edit: To those who are downvoting - the comment to which I'm replying says:

    > Or a tool that just generates random
    > mail addresses ending with a popular
    > e-mail provider domain.
Firstly, the address does not end with the domain of a popular e-mail provider, hence the email address to which I'm receiving these unwanted emails is not of that form. Thus my reply is true, and informative.

It's also neither a random user at the domain, nor a dictionary element, nor a simple variant on a dictionary element, nor short, nor public (until now), nor falls into any of the formats I see and deduce from the dictionary attacks on the servers I run. And it is long, and has internal structure. Thus is is, again, not of the form being described in my comment.

So thank you for the down-votes, but I feel that my comment is true, relevant, and justified.

Have you ever replied to a message sent to you from someone via LinkedIn? If so, it's easy to end up sharing your e-mail address with that someone, and good chance that someone has leaked the address on somewhere - whether by copying into a contact manager in their e-mail and being compromised, or letting some site or other log in to their Linked In account.

  >>> Or a tool that just generates random
  >>> mail addresses ending with a popular
  >>> e-mail provider domain.

  >> The email to which I'm receiving viruses
  >> and spam is not of that form.

  > Have you ever replied to a message sent to
  > you from someone via LinkedIn? If so, it's
  > easy to end up sharing your e-mail address
  > with that someone ...
While what you say is true, it's a non-sequitur. It's possible that I have replied to someone, and it's possible that they leaked it, but that has nothing to do with classic dictionary attacks, and the fact that such is unlikely to have succeeded with the address that's been leaked.

Perhaps you intended to reply to a different comment.

Edit: To those who are down-voting this - thank you for the reality check. I don't understand why you think my comment is of negative value, but it reminds me that not everyone thinks the same way.

I can't understand the thought process behind the downvoting either. I'm assuming that some people aren't reading carefully, but just downvoting any negative tone (like these mild denials) on general principle.
Downvotes on HN have been approaching random lately. It doesn't mean anything.
I said nothing about dictionary attacks. It's not a non-sequitur at all, the point was to offer another, alternative suggestion to how it might have happened.

And while I didn't downvote you, if I'd seen a reply like this to someone else, I might very well have done so rather than bother to reply, seeing as you've quoted three paragraphs just to dismiss a valid suggestion because you for some reason don't think it fits in this location in the thread.

  > I said nothing about dictionary attacks.
Indeed, and given that this particular exchange was talking about dictionary attacks, that is why I thought your comment was a non-sequitur. It didn't seem to follow naturally from the comments above, and seemed out of place, which is why I wondered if you really had intended to reply there.

  > It's not a non-sequitur at all, the point was
  > to offer another, alternative suggestion to how
  > it might have happened.
That was being done in other comments elsewhere. Again, that's why I thought your comment seemed misplaced in this particular branch, albeit absolutely correct.

  > And while I didn't downvote you, ...
I know that - you can't downvote a reply to one of your comments.

  > ... if I'd seen a reply like this to someone
  > else, I might very well have done so rather
  > than bother to reply, seeing as you've quoted
  > three paragraphs just to dismiss a valid
  > suggestion because you for some reason don't
  > think it fits in this location in the thread.
I didn't quote those comments to dismiss your contribution. Indeed, I said "... what you say is true ...". My quoting was to try to point out why I was wondering about the placement of your comment.

So to re-iterate, I didn't dismiss your comment, I just thought it would be better placed where others were already making the same or similar points. I'm sorry I didn't make myself clearer, and apologise.

Thank you for taking the time to explain.

Have you ever applied to a job and wanted the email to be different than the one who have listed?
Ya know, in the past 2 weeks I got "cold-call" emailed from recruiters directly to my personal email; not through LinkedIn's InMail feature. One from life360.com and another from jut.io. That hasn't happened to me in over 6 years and the recruiters seem to know what my LinkedIn profile info says. But, it's a gmail and I know that if you get my gmail from anywhere and put it into "https://plus.google.com/u/0/up/search", you can find my G+ which links to my LinkedIn.

I've been wondering how they got my email...

There are several companies that work on crawling public pages and matching profiles to identities to provide recruiters work experience, phones, and emails like entelo and gild.
Your connections can see your email address: http://www.ianharris.com/linkedin-email/
WOW!!! Didn't know that. It could explain why connecting with someone you know is so important. When I think about it: Here is a situation that has a happened a couple of times in the past couple of years: Someone request to connect with me, we have a lot of the same connections and they really look like an all-star but there is no picture. I connected on the feeling "Why Not, a lot of my connections are connected to this person". I then get emails as if I subscribed to a much smaller service similar to a Monsters.com or Dice.com for technology related positions. I also get recruiters sending me emails for directly, and in one instance a recruiter called the main line to my employer and asked to speak with me and got transferred over.

I've always wondered how these things were taking place but never took the time to investigate because of how infrequent the occurrences were. It usually takes a while to unsubscribe from these services via email, so I just mark as SPAM. I just looked and they're still sending stuff, at least some are. I just removed all people I didn't know from shaking their hand from my connections; which includes recruiters that only request invitation to connect to talk about a job opportunity.

I wonder if LinkedIn knows about this sort of Growth Hacking type of SPAM or just doesn't care?

In a way it leaves the impression that they know it. They put the export option there.
And I finally found a good reason to close my account. Thank you.
Some spammers send spam to made up email addresses, hoping someone will receive it.
I thought LinkedIn had a contact sync app that people can run to pull all of their LinkedIn contacts into their own address book. If so, could it be that one of your connections ran that, and their machine is compromised?
It leaked a year or two ago. I had to change my listed address and SMTP REJECT the old one due to the amount of spam it received. Glad I had listed a linkedin-specific address that I could burn.
Speaking of e-mail leaks, has Tumblr?

I started receiving spam (the dumbest, v1agra type) to tumblr@mydomain.tld which I think I have only used for tumblr and years ago since I let my account be purged at some ToS change a while back. Although I might have also used it for a service merely associated with tumblr.

I have also started receiving spam at my tumblr-only address.
Yes. I have an address which I'm sure hasn't been used for anything except registering on Tumblr, and it started receiving spam about two months ago.
I would not put it past spammers to be trying this angle when generating addresses. Low-hanging fruit and all.
There's a good chance that tumblr@example.org is going to be a real account.

If you started getting spam to tumblr.w8ke2iowieiu3k3@example.org then I'd be suspicious. (I must remember to do this for new things I sign up to.)

This is similar in principle to the compromised address, which is why, despite the downvotes I'm getting elsewhere[0][1], I'm fairly confident that this isn't just a dictionary or a fishing attack, but a genuine leak. Other comments suggest that the leak my not be from LinkedIn themselves, but simply from their business model/systems leaking information.

[0] https://news.ycombinator.com/item?id=8367103

[1] https://news.ycombinator.com/item?id=8367296

In my case, both linkedin and tumblr e-mail addresses have been leaked somehow. It was definitely not a simple dictionary attack, based on the addresses I used.
Sure but I have a catch-all and I'm not receiving e-mails to twitter@mydomain, or facebook@mydomain. It's not impossible that spammers decided tumblr is particularly likely because they offer a version of the service in your domain but still pretty unlucky for tumblr.

I must remember to do this for new things I sign up to.

It is a good idea.

Yea they must have. I have a domain that is a catch all address and I have a bunch of tumblrs that are random things like hn3@email, hn4@email, derp@email, and all 10+ of them get the spam emails
Coincidentally, in the past two weeks - this week in particular I've been seeing a load of crap sent to my address registered with LinkedIn which is otherwise spam-free.

I'd guess it's related to LinkedIn or GitHub as this particular address is only publicly/semi-publicly used on those two sites.

I also had the same problem, I've received 2/3 spams to the linkedin address in the past two weeks and never received any before.

They are also passing the gmail filter which is quite impressive in itself.

How could you tell the difference from the regular LinkedIn experience?
I got spam after adobe got hacked... never received a single spam mail before. Wish Adobe had to pay for that! But I'm afraid to register at LinkedIn, because that means I'd to give the last remaining bit of privacy just to get a job. There must be another way to connect to the right people...
I am highlighting very dirty technique used by LinkedIn. LinkedIn mined my emails without my consent. I have four separate gmail accounts to keep things separate. I am 200 % sure I never linked other three gmail accounts on linkedin. LinkedIn used my current email id , went through all of my emails , matched it with other gmail accounts, mined other gmail accounts and started forcing me to accept contacts from mined data. Its very hideous way to increase member count. I now wonder is almost every San Francisco company is highly unethical ? Be it google , Uber, Yelp, LinkedIn on and on. Why american business can't be honest with their customers?
These companies are generally abusive to their 'users' because their real customers are different. Google and Yelp's customers are advertisers, who want access to your information and attention. LinkedIn's customers are obnoxious recruiters who want to farm your information and contacts.
I generally register to every service with a different email address. The main ones I get spam to are the ones for Adobe, Groupon, Lastfm, Linkedin and oddly Battersea Arts Centre.

Edit: That's based on a quick look in my spam folder, not anything statistically sound.

There are days in which I ponder what made LinkedIn a success. It was obviously not their UX.