LinkedIn's iOS App Leaks Personal Data in Plain Text While Its Passwords Get Hacked

By Jamie Condliffe on at

The Next Web is reporting that LinkedIn's iOS app collects personal data from its calendar — without explicit consent — and sends it back to the company's servers in plain text. If that wasn't enough to ruin LinkedIn's day, 6.5 million passwords have also been hacked.

Users must opt-in to a feature which allows them to view calendar information from within the LinkedIn app, but once that choice is made the user is not notified of the fact that their personal data — including a meeting's title, organiser, attendees, meeting times and notes — are being transmitted across the internet as plain text. Fortunately that means that if you haven't chosen to use the feature, your data is completely secure, unless your password's been hacked, of course.

The app issue was identified by Skycure Security researchers Yair Amit and Adi Sharabani, who will be presenting the discovery at the Yuval Ne'eman workshop in Tel Aviv later today. It raises some questions about whether LinkedIn's app abides by Apple's privacy guidelines.

According to LinkedIn spokeswoman Julie Inouye speaking to the New York Times, the data is used to coordinate information across multiple users:

"We use information from the meeting data to match LinkedIn profile information about who you're meeting with so you have more information about that person."

However, it remains unclear why LinkedIn needs so much data. To accomplish the outcome which Inouye describes, the company should only need a user's unique identifier to feed each attendee the correct information. It currently remains uncertain what LinedIn or Apple intend to do about the problem on the app front.

The Next Web is also reports that a large number of its user accounts have been compromised too, with 6.5 million hashed and encrypted passwords reportedly leaked. You should change your password, and quick. [The Next Web, New York Times]

Image credit: nan palmero from flickr