LinkedIn leaks password hashes, iOS app is scraping your meeting notes [UPDATE x2]
It's not a good day for the social network for professionals. Recently, someone posted about 6.5 million password hashes on a Russian hacker forum; it looks like many or most of those came from LinkedIn. Hashes themselves are not enough to grant a bad guy access to your LinkedIn account, but if your password is found in any dictionary or list of common passwords, it's going to be cracked. Go ahead and change your LinkedIn password now -- then we'll get to the other LinkedIn news.
Last April, LinkedIn finally got around to rolling out an iPad app. Truthfully, the iPad app leaves a lot to be desired. It's not nearly as good as LinkedIn's iPhone app. However, both apps share a new feature that lets them sync with iOS calendars, thus allowing users to view upcoming events inside the LinkedIn app itself. The only problem appears to be, as the New York Times reports, that LinkedIn is collecting a user's meeting notes and sending them back to LinkedIn's servers.
This is a big deal -- and every LinkedIn user should be furious about it -- because it's a major breach of privacy, it's against Apple's privacy guidelines, and nowhere in the app is it stated that enabling calendar sync will send any event notes back to LinkedIn servers.
As the New York Times points out, many people include confidential notes in a calendar event. For instance, a CEO might have a calendar event for a meeting in which, in addition to the time and place, he also might have written down the corporate call-in number along with its passcode and the company's confidential financial highlights in the notes. Also, LinkedIn's calendar sync doesn't just upload your business calendars to LinkedIn's servers; it uploads your personal ones as well. So if you have a calendar event for a private medical appointment and make a note on the event saying, "Ask doctor about the lump I found," that's on LinkedIn's servers, too.
LinkedIn spokesperson Julie Inouye told the New York Times the company's "calendar sync feature is a clear 'opt-in' experience...We use information from the meeting data to match LinkedIn profile information about who you're meeting with so you have more information about that person." She also noted that users' iOS calendars only sync when the LinkedIn app is open and that users could opt out of the calendar feature at any point.
There are two problems with this answer: One, it doesn't explain why users weren't notified their private notes were being uploaded to LinkedIn's servers, and two, it doesn't address whether a user's calendars and notes are deleted from the servers when a user who has opted in opts out, or if the already-uploaded events and their notes remain on LinkedIn's servers forever.
Until LinkedIn rectifies this (or Apple steps up to the plate and pulls the app until it's rectified) there's little a user can do if they've already opted in to LinkedIn's calendar sync. However, those who have opted in can still opt out, and thus at least prevent future entries from being uploaded to LinkedIn's servers, by doing the following:
On the iPhone
- Open the LinkedIn iOS app on your iPhone.
- Select your profile (the "You" badge).
- Tap the cog wheel icon in the top-right corner.
- Tap "Add Calendar."
- On the next screen, switch "Add Your Calendar" to OFF.
On the iPad
- Open the LinkedIn iOS app on your iPad.
- Tap the cog wheel icon in the top-left corner.
- Switch "Show Calendar" to OFF.
- We do not store any calendar information on our servers.
- We do not share or use your calendar data for purposes other than matching it with relevant LinkedIn profiles.
- We do not under any circumstances access your calendar data unless you have explicitly opted in to sync your calendar.
We Will Improve:
- We will no longer send data from the meeting notes section of your calendar event.
- There will be a new 'learn more' link to provide more information about how your calendar data is being used."
UPDATE 2: LinkedIn has updated their iOS app to presumably alter the way their calendar sync feature collects data. The 5.0.3 update states that the changes include "miscellaneous bug fixes" and "improvements in calendar."