LinkedIn makes it too easy to leak contacts' email addresses

Filed Under: Privacy, Social networks, Spam

LinkedInEarlier this week my colleague Pablo Teijeira, who is based in our Madrid office, unintentionally shared the email addresses of some of his associates in the computer security field.

We all know how easy it can be to accidentally cc: a whole bunch of people rather than bcc: them, but in this case LinkedIn was at least partly to blame.

No great harm was done on this occasion, but Pablo was still upset that the incident had occurred.

So, why did it happen?

It turns out it's because of a setting that LinkedIn uses when you share information with others on the business network, that you have to consciously opt-out from.

LinkedIn dialog box

See there at the bottom?

[X] Allow recipients to see each other's names and email addresses

It's easy to overlook, as Pablo did, and when he tried to do a colleague a favour by suggesting them as a contact to a wide array of associates he mistakenly also revealed all of their email addresses to each other.

I know I would have been miffed if someone had revealed the email address I use on LinkedIn to such an audience.

That's because, the email address which I use on LinkedIn is not one that I use for any other purpose. I intentionally gave LinkedIn a unique email address, because I was interested to see if that email address would ever be shared with any other service without my permission - so allowing other LinkedIn users to reveal it to strangers is not something I look kindly upon.

I can understand that LinkedIn wants as many of its members to discover each other as possible, but having an option like this doesn't help you keep your email address private. I would like LinkedIn to change its default, so this option isn't enabled as standard.

In fact, I would like it if I could be the one who chose if someone else can reveal my LinkedIn email address, rather than leave it to the person forwarding the message. Shouldn't there be a privacy setting to always keep information like this secret?

PS. If you're a Spanish reader you might want to read Pablo's Teijeira's blog or follow him on Twitter for your Spanish-language security fix.

, ,

You might like

2 Responses to LinkedIn makes it too easy to leak contacts' email addresses

  1. Jon Etkins · 1640 days ago

    I use unique addresses everywhere - even when leaving this comment. Most email servers allow you to append anything you like after your address and a plus sign, such as joe I append a brief form of the site's name. If one of my myriad virtual addresses starts getting spammed, this technique allows me to identify the source of the leak, and I can simply blacklist that address and continue on without having to worry about changing my address everywhere else.

  2. Mike Fuller · 1640 days ago

    That is all well and good, but don't you think that a spammer with half a brain cell would just add an extra line of code to remove anything from the plus sign to the at sign before emailing. Thus totally removing your blacklist as a good way to prevent the spam. The major problem with that feature is everyone knows about it.

    I am going to check my linked in email address right now. Thanks for the heads up.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley