Blog Post

LinkedIn is “breaking into” user emails, spamming contacts – lawsuit

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

In a damning class action complaint, LinkedIn(s lnkd) users are accusing the company of “tunneling” into their email accounts in order to repeatedly spam anyone who has ever had had contact with them.

The complaint, filed this week in Los Angeles, accuses LinkedIn of violating laws related to hacking, wire-tapping and false endorsements. Users say the social network’s marketing practices have given rise to fear and embarrassment as a result of emails sent to business associates, ex-spouses and, in one instance, a mentally ill former contact.

The claims draw attention both to email privacy rights, and to the tactics underlying LinkedIn’s aggressive growth strategy.

Update: LinkedIn has responded with a blog post that states, “Claims that we “hack” or “break into” members’ accounts are false.”

“Breaking into” email accounts

According to the complaint, LinkedIn prompts users to enter an email address, and then uses the information to download every account from a user’s account such as Gmail or Yahoo. LinkedIn is allegedly able to do this so long as the user are logged into the email provider; if they are not, LinkedIn suggests they log-in:

users sign up for LinkedIn they are required to provide an external email address as their username and to setup a new password for their Linkedln account. LinkedIn uses this information to hack into the user’s external email account and extract email addresses. If a LinkedIn user leaves an external email account open, LinkedIn pretends to be that user and downloads the email addresses contained anywhere in that account to Linkedln’s servers. Linkedln is able to download these addresses without requesting the password for the external email accounts or obtaining users’ consent.

LinkedIn does not require the password to the email account, but is nonetheless able to download not just an “address book” but any address ever sent or received. The complaint says the tactic was a deliberate strategy by LinkedIn to add users and make money, and cites a former engineer who boasts of “hacking.” Here are screenshots (the engineer’s profile is still up here)

LinkedIN screenshot

Screenshot linked in hacking

LinkedIn has told Bloomberg, which reported the complaint, that the lawsuit is without merit.

Thousands of invitations

The heart of the complaint involves LinkedIn’s practice of encouraging people to invite others to their network when they sign up with the service or, if they’re existing members, to expand their network.

If a user agrees, LinkedIn sends out an “invitation to connect” to all of the user’s contacts. If the contacts don’t respond, the service then send outs out two more reminder emails.

According to the complaint, the LinkedIn sign up process is deceptive and doesn’t clearly inform users that it will “spam” their contacts. The plaintiffs are a former ad manager for the New York Times, a professor, a lawyer and a movie producer. Their complaint, which is a request to sue on behalf other LinkedIn users across America, also object to the fact that LinkedIn does not provide an easy way to retract the multiple follow-up invitations.

The complaint also claims that LinkedIn often emails thousands of messages without disclosing it will do so:

Since Linkedln routinely takes well over 1,000 email addresses from a user’s external email account, it displays only a very small fraction of those email addresses on the “Why not invite some people?” screen.

The practice has given rise to hundreds of complaints on LinkedIn’s own website, says the claim, from people who accuse the company of sending spam, and putting them in embarrassing personal and professional situations:

I’m not the only one being hacked by linkedin, but extremely upset at the repercussions. one of the people on my contact list is mentally ill and the last thing I wanted was to invite her to be my connection on linkedin.

The lawsuit says the practice amounts to a violation of the Wiretap Act, the Stored Communications Act and a variety of California privacy and right of publicity laws. The suit seeks millions in damages, in part by noting that, on LinkedIn’s own pricing scheme, it costs $10 to send an email to someone with whom a user is not connected.

A growth strategy for LinkedIn

LinkedIn’s aggressive email solicitations are part of a strategy to boost revenue by increasing its user base, according to the complaint. The increase in users allegedly makes it easier for the company to pull in more money from its three revenue sources: selling its database to job recruiters; advertising to users; selling premium accounts to subscribers.

LinkedIn is not the only company that has come under fire for using invasive tactics to grow its user base. Path, a photo-based social network, has been criticized for scraping users contact lists in order to send messages to promote the app.

LinkedIn, meanwhile, has long been a hit with investors though in, recent months, the media has expressed more skepticism with stories like “All LinkedIn with Nowhere to go.”

Here’s the complaint. I’ve underlined the key legal bits and some of the juicy stuff:

LinkedIn Hacking

[protected-iframe id=”d57f923ee704c2f444601a3e7e9494ae-14960843-34118173″ info=”//” width=”100%” height=”600″ frameborder=”0″ scrolling=”no”]

47 Responses to “LinkedIn is “breaking into” user emails, spamming contacts – lawsuit”

  1. LinkedIn is also running some sort of endorsement scam that generates bogus messages all I believe for the purpose of driving advertising and users to their site. However the endorsements are not legitimate they are some sort of robot generated for the purpose of driving advertising revenue.

  2. LinkedIn victim

    The LinkedIn feature implies that it will upload your contact list from a specified account and then let you choose with whom you’d like to connect on LinkedIn. Instead, they just send an invite to everyone in the contact list or with whom you have exchanged email. I fell for this with my gmail account and now have LinkedIn connections that think I wanted to connect with them professionally – for example the salesman at the garage door company that sold me a new door mechanism with whom I had scheduled the appointment using gmail. It is not “hacking,” but they do mislead you and then spam or your contact list.

  3. I knew this problem over two years ago, when I received emails to join LinkedIn from people that I never had good relationship with, but had emailed them because of work.

    Hence …..I never joined !

    All accounts and electronic message servers will hack you.
    Is everyone that trusting and naive ?

  4. I contacted them over a year ago to ask if they were reading my e-mail. I asked multiple times but only got vague responses. There was no way to connect some people to me EXCEPT for the fact that I had received an e-mail from them. And yet LinkedIn was trying to connect us. I stop using them because I KNEW they were reading my e-mail.

  5. Now hopefully we will receive less spams from linkedin. Linkedin is guilty here and should be punished. It send such spam invitations on the name of my friends without my friend knowing it!

  6. Raz Chorev

    To claim damages, aren’t you required to prove you suffered damages first? I couldn’t see how the plaintiffs suffered anything other than potential inconvenience? Did I miss something?

  7. Clare Easton

    Unfortunately this is not a load of rubbish. I gave it access to my hotmail to see I old Uni friends were on there. After that my account sent out hundreds of requests to people I had never heard off and never met or just people I or my colleagues had worked with but not met. I didn’t understand how but it appeared to be harvesting emails from not just my outlook but my colleagues outlook. It was sending requests to complete strangers not sometimes not even in my industry. I was so embarrassed. It made my look like I was just adding anyone it everyone and it appeared rude to add people I had indirectly worked with but not met. I eventually found the page where I could delete all the requests it had sent out and hit delete to work out all I had done was to remove the message on my side of the request. I late found a button to retract the request but it was too late really. What surprised me if nothing else was that a surprising amount of these stranger clicked add even though I had no idea who they were, and visa versa. I am pleased a court case is going through about this as for me it was hugely embarrassing and I was struggling to make head and tail of it.

  8. Kari Tervo

    This is not a valid sentence: “One of the people on my contact list is mentally ill and the last thing I wanted was to invite her to be my connection on linkedin.”

    That is a bigoted sentence containing dangerous ideas. What is this “mentally ill” blanket certain people love to use as shorthand to identify someone as dangerous? Millions of Americans have mental illnesses, or will in their lifetime. Or, they’ll know a loved one, friend, co-worker, or neighbor with one. Only a small portion of them are ever violent. Painting people with mental illnesses as dangerous is lazy at best, lacking in compassion certainly, and hateful at its core. Say what you really mean–be specific. Has this person made threats to you? Or do you just assume people with mental illnesses are dangerous? Or maybe this person’s symptoms simply confuse or annoy you, and it’s easier to only interact with “normal” people?

    “Mental illness” is not the same thing as “danger.”

    If you wouldn’t want to connect with someone simply because they have a “mental illness,” you’re in league with racists, misogynists, and homophobes. Mental illness stigma is bad enough without people refusing professional contacts with someone on the basis that they have a mental illness (which, in some cases, could fall under federal disability discrimination law). Let’s make life better for people who struggle with mental illnesses, not worse.

    There are plenty of valid reasons not to want to connect with someone on LinkedIn. “She has a mental illness” is not one of them. Please stop selling bigotry against people with disabilities as valid professional logic, which was done at least twice in this article.

    Kari Tervo, Ph.D.
    Licensed Clinical Psychologist

  9. Nunya D. Bizness

    and we wonder why groups like autonomous do what they do. i wonder how the NSA’s misuse of the internet’s safety protocols contributed to these outrages? for those that believe paranoia is an illusion…

    it is a shame that we as an ‘evolved’ species will do just about anything to our fellow man for the sake of money and power. but that shame is only outdone by the fact LinkedIn and companies like it will be met with only a slap on the wrist and the vast majority of their users will continue to use their service for its ‘convenience’

    i also find it quite interesting even this site offers to share its content via linkedin…how ironic

  10. Fred Snyder

    They don’t “hack” your email account, you GAVE them access when you put in your email address and password. Morons! Just because something happened on your computer that you did not intend to happen, does not mean you got hacked. I have never given them my password (cause I’m not an idiot), and they don’t email people listed in my email contacts/inbox. Pretty funny when the suckers start talking about selling bridges…

    Some of you are about as bright as a burnt out 2 watt light bulb.

    • Yeah. Remember that argument when your house-sitter keeps a copy of your keys that you lent them for the specific purpose of accessing your home for an agreed purpose, and uses their copy to break in later without your permission in a different context for which they do not have your permission. Remember, it’s not really burglary if you *gave* them your keys and everything. That means they can de facto come back whenever they want. Without telling you. And make it seem as if it was your idea.

      What is it with people that choose not to see the obvious? You either work for LinkedIn, are exceptionally dumb, or both.

  11. JustSomeHuman

    I have another explanation for at least some of these spam emails. I have received numerous “Invitations” from individuals who have published scientific papers that have included my name and often email address. Anyone crawling through PubMed could harvest email addresses and link them to co-investigators.

  12. Charles Caro

    What those complaining always conveniently forget to mention is they explicitly gave their email address password to LinkedIn knowing they were about to send invitations to people listed in their email address book. The suit is completely baseless because LinkedIn cannot be held responsible when its members fail to actually read and understand what they are doing before clicking to proceed. The users may not recognize all of the names on the invitations sent because the “default” setting for most email clients is to “save” the email address for *all* inbound messages regardless of whether or not the user “replies” or moves the message to the “junk” folder. Even though the feature is very poorly designed and implemented the LinkedIn always has the option to not open their email address book, which would always be the “common sense” thing to do on the Internet.

  13. Linkd In NOT

    L M A O! One day you lemmings will wake up, rub your two brain cells together, and realize that the social media wanks got you to populate huge databases for them which they sold over and over for billions – while destroying your privacy and shaping an errant and damaging identity of you. Oh yeah, and many of you had your information hacked as well. LOL!

  14. Reblogged this on skatterbOt and commented:
    BetaJuliet: Is it just me, or is signing up for email or career networking now the equivalent of giving strangers the thumb’s up to rifle through your underwear drawer? We understand you hosted the party, but the casserole was for everyone, not just you. Is social media taking a mile when they’re only entitled to an inch? Can we do anything about it? Should we go back to semaphore code? Does anyone remember semaphore code?

  15. Oh shit! Glad I stopped using that shitty site years ago, its just a head hunter troll site. Should be renamed to trolledIn. All those “hacks” they used to claim were from outside sources were problem them covering up. Haha, can’t believe people invest money on this trolledIn. Fuck, I have a bridge for sale that I think you want to see.

  16. Does LinkedIn primarily make their money thru Ads, if so what do you expect a Ad revenue company to do. The customer is the product, to be sold to the highest bidder,
    similar to Google farming Free Gmail accounts for information. Your privacy isn’t their concern.

  17. Scott Stadum

    I’ve seen people that have just emailed me, that aren’t a first or second tier contact and definitely not in my address book show up immediately in LinkedIn as a suggested connection. For example, company reps using their company email address.

    • nickcorcodilos

      Yah, I agree. LinkedIn has become a load of rubbish. LinkedIn does NOT make it clear what it is requesting. Let’s see what the court thinks. LinkedIn is useful, but only to the extent that it’s a very good electronic phonebook. The rest is a scam of epic proportions. If you don’t realize all LinkedIn wants is to sell personal data, then I’d like to sell you a keyword for $100 (six for $500).

    • Bryan Ruby

      I’m not so sure it is rubbish. I think the heart of the matter is it wasn’t quite clear what you were allowing LinkedIn when you made the “choice” to share your email contacts, so you can connect on LinkedIn with other professionals. I’ve been bombarded with a ton of people accepting my invitation to connect when it was not my intention to connect with half these people.

      Regardless, of whether the “sharing” of email contacts was clear or not, I find it extremely unclear how to “unshare” my list of email contacts LinkedIn now has.