LinkedIn privacy scare: 6.5M passwords leak, iOS app scraps meeting notes

Today’s a bad, bad day for LinkedIn and a field day for privacy advocates around the world as someone has just managed to leak over 6.5 million hashed and encrypted LinkedIn passwords on a Russian hacker forum.

What are you waiting for, change your LinkedIn password now!

On top of that, the LinkedIn for iOS app, which was recently updated with iPad support, has an opt-in feature that lets you synchronize your iOS calendar to view upcoming events inside the app.

But similar to the unauthorized Path address book access, this feature sends your meeting notes to LinkedIn’s servers without you ever knowing it…

Update: LinkedIn just pushed a 5.0.3 update to their iOS app that sports “miscellaneous bug fixes” and “improvements in calendar”, presumable altering how the calendar sync feature collects your data.

As for the password breach, you’re advised to change your LinkedIn password right now. Log in to the LinkedIn interface on the web, mouse over your name in the upper right hand corner and choose Settings from the drop-down menu. From there, hit the Change Password link from the right hand column.

Don’t downplay the password breach.

Security expert Graham Cluley advised everyone in an interview with BBC to change their LinkedIn password, noting that “if you use the same password on other accounts, change it there too” so do act now rather than take his advice lightly.

Responding to the password leak, LinkedIn wrote on Twitter that it is “looking into reports”. Another tweet has it that their team was “unable to confirm that any security breach has occurred”.

Nice job, LinkedIn!

Now, onto the meeting notes sharing woes, reported by The New York Times earlier this morning.

The company took to its official blog to respond to this issue:

You may have seen a few press stories highlighting concerns about how your data is used in the opt-in calendar feature of our mobile phone apps. We deeply care about our members trust so I want to provide clarity around what we do, don’t do, and outline ways we are going to make a great feature even better.

A douchebag explanation like this brings to memory LinkedIn’s infamous past practice of spamming your contacts via email to join the service.

If anything, this will teach them to double down on its users’ privacy.

The company even confessed in the blog post that “in an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes”.

That’s a hell of a lot of private data shared with LinkedIn. It would have been much better if the app told users in advance about the types of data being shared with LinkedIn rather than just mention the generic term “calendar”.

As it is now, no wonder a bunch of people have been mislead into thinking only calendar entries are being shared and nothing esle.

I don’t know about you, but the fact that meeting participants’ email addresses are being shared should have been communicated better in the first place.

It is important to note that this calendar-related issue does not affect every user of LinkedIn’s iOS app. Instead, you would have had to opt-in to calendar sharing to have your meeting notes uploaded to LinkedIn’s servers without your explicit consent.

Apple on its part certainly needs to do a better job of creating better mechanisms to force third-party apps to seek a user’s explicit permission before accessing any data on your device.

We’ll have to tap through a few more dialog boxes, but the repercussions of having your device data uploaded to a shady server without you even knowing it are potentially much worse.