You know what's funny? LinkedIn is supposed to be a 'professional' social network (Microsoft owned) and a friend of mine was asked to add a phone number 'For security purposes'. I knew this was suspiciously involving 2FA SMS + a bonus of spam callers and I told him to press "Not Now". Whilst the world is moving to U2F and time-sensitive codes, a security system using SMS 2FA is now equivalent to a single PC running Windows XP in a bank.
But it's not just LinkedIn. It's a huge list of major companies including some FAANG ones too. Oh dear.
Yes, I remember when LinkedIn was tricking people into spamming everyone in their contact list on their phone and using the information to suggest connections. A coworker was fooled and sent out invitations to everyone in his massive contact list. He was in sales for over 40 years and was mortified, then pissed off.
I refuse to install the LinkedIn apps on my devices. Microsoft didn’t help matters when they integrated it into Outlook.
Agree. The number of times I've received LinkedIn emails from people I no longer speak to who I'm confident would have no actual inclination to connect with me is certainly in the double digits. They've all been conned into giving LinkedIn their email password, and LinkedIn is going crazy as a result.
This probably happened a lot more a few years ago. Is perhaps 2FA making this harder these days?
LinkedIn is absolute scum in that regard. They pestered me for my number for ages until eventually they finally implemented TOTP 2FA which I then enabled.
They still ask for a phone number when applying to jobs through their platform. I always put zeros or random digits in the field and put the real one in the resume.
I still use LinkedIn b/c well it's the market leader.
However I do have one thing to vent about: LinkedIn uses a phishing technique after you're logged in by showing you your email address and then a password field which makes it very easy for you to mindlessly input your email password (as they want) so they can spam all your contacts.
I've been saved from this mistake many times by having different LinkedIn and Gmail passwords, but this really shouldn't be acceptable...
> prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising
Facebook is not alone in misuse or wrongful use of a phone number given for 2FA. LinkedIn explicitly requires a phone number to be added to the profile to enable 2FA and makes the phone number visible by default to all the contacts. If you don't want your phone number visible, you'll have to lose 2FA, as LinkedIn doesn't support authenticator or other alternate 2FA means (FB does).
I came to know this as after I enabled 2FA on LinkedIn, I started receiving messages from random people on WhatsApp whom I later found to be my LinkedIn contacts.
Holy fucking shit Batman! Assuming I read this correctly LinkedIn will now have access to all of your emails, your email credentials, and will now have the ability to both spoof your email, and MITM all incoming mail (banking etc). I was actually impressed at some of the little hacks they found, until they dropped this on me halfway through the blog. My jaw hit the ground.
This is probably the most blatant disregard for privacy and security for the smallest possible benefit that I have ever seen. Well, next to giving LinkedIn the password to your email so that they can spam your friends and hack your account.
Everyone needs to stop using this piece of shit service. They're incompetent and malicious. LinkedIn is the Zynga of HR. I'm gonna go buy some puts.
I realize maybe a minority of HN even remembers this, but at some point ~10 years ago, LinkedIn would aggressively spam your contacts lists. If you logged in on your phone they would somehow get your phone contacts. When you signed up they had you log in with your email address, and then would try to get you to spam your entire contacts list there too.
I think web integrations have gotten locked down since then... not for altruistic reasons, but because Google and Apple don't want to give Microsoft access to the data they have on you, so yeah, it's at least harder to accidentally give LinkedIn access to your contacts list now, but the damage has already been done for a lot of people.
It isn't that they are stealing credentials on behalf of users; even today the UI is confusing and too verbose. It's clumsy. It's like reading credit card statements with tiny fonts. I am very cautious about what I do on a web service but LinkedIn bit me once. If you happen to do one step wrong (even when you thought you overrode that decision already), LinkedIn will somehow send an invite to everyone. Whatever the step might be or whatever bug there is. Just plain annoying. And this happens to many LinkedIn users on planet earth.
On (1), I have seen employees get spear-phishing texts (Welcome X! This is the CEO of Y. I need you to do a small favor…) within hours of updating their LinkedIn. I assume there are robots crawling it constantly looking for fresh candidates for account takeovers or other scams.