by sparkywolf 2398 days ago
I found a vulnerability in LinkedIn a few years back that allowed anyone to access a private profile (because client-side validation was enough for them I guess..?)

They didn't take my report seriously (still not completely patched) and I feel like that told me all I needed to know about their security practices.


I reported an issue to the LinkedIn competitor https://about.me two years ago where signing in with my Google credentials gives me access to the account of some random other person with a similar name to me. I think that during registration, I attempted to register about.me/johnradio (except it's not "johnradio"), but he was already using it, and then the bug occurred that gave me this access.

I randomly check every 6 months or so and yep, still not fixed.

My Gmail is my first initial followed by my last name. There are other people on this planet with the same first initial and last name, some of whom seem to think that must be their email too, because I keep on getting emails where they used it to sign up for things.
I had a lady send me a zip file that contained a VPN client, certificate and a word document with usernames and passwords to the VPN and a number of industrial control systems at the factory she was a manager of.

She sent it religiously, every 90 days.

Every few months I get scans of X-rays from random clients' teeth from some dentist in South America. I've tried so many times to respond and/or unsubscribe but never hear anything back.
Do you have any clue who she thought you were?
Oh yes, she was emailing a copy of her stuff to “herself”.
Seriously?

How the hell could she think that your email address was hers? I mean, wouldn't she notice that she never got the messages?

I faced the same problem (though my name is not at all very common). Banks, mobile companies never did anything even after I repeatedly told them on phone and Twitter (and have kept a record of it).

One day, after I had received a person's bank and mobile statements and many other bills for a few months, I decided to call him (his number was easily visible in many emails) and inform him of his mistake. He turned out to be a lawyer and he said he would "decide" what to do about it. And the next thing I know, he sent a carefully drafted email (as a legal notice) that I should hand over my email address to him without further delay and all that.

I didn't do that. I talked to a lawyer friend and he just told me to reply with a "G F Y" card. I didn't do that either. But that pushed me to finally move my emails to my personal domain as it was/is a Gmail account and if someone complained Google would have just terminated my account and I don't know anyone who works at Google.

That lawyer sounds like a douchebag. I super agree with your point too: I'm also slowly moving all my emails to my personal domain and it feels liberating.
I get several on a weekly basis. It's amazing how many services do not verify emails and just trust their users to own the email they claim to own.
It’s a common “growth hack” to postpone email verification.
Even more baffling are the ones who use it to fill out job applications.
I get bank statements, job offers, party invitations, and lately a bunch of, let's say, very questionable email verifications from euro 'dating' sites. I've identified the guy in the UK but it's too much (and getting embarrassing now) to keep forwarding his stuff to him.

Downside of getting in early on popular email services.

I went through several rounds of conversation with somebody's wedding planner over email.
> but it's too much (and getting embarrassing now) to keep forwarding his stuff to him

What amazes me is when I get misaddressed email, and I reply to say it's misaddressed (and I'm not talking about automated services, I'm talking about obviously manually sent stuff), and my reply just gets ignored and the misaddressed email just keeps on coming.

Somebody keeps phoning me and leaving messages. They don't answer their own phone (or messages clearly). I even have a sarky voicemail now, you'd think they'd notice. Nope!

Lady, whoever you think is going to be at that funeral isn't getting that message.

I've no idea if they'll get disconnected now as I've blocked their number. Hope so; maybe they'll notice then.

That's the most surreal, when you try to fix it and the behavior never changes.
My Gmail is two initials and last name, so theoretically less susceptible to such errors. Yet I get misaddressed mail all the time—and a surprising amount of it is job applications!
Trust me, I used my full first name, it's not enough to stop these people. One is a UK doctor, one is a US teacher, and I think there are one or two more. Been sent a few baby pictures from their relatives too.
This happened to me and I keep getting the guy's notifications on Instagram and all. So annoying!
I actually had a similar thing happen with Facebook, though we didn't share names.
For a while, our Comcast billing account accessed some other person’s account. Comcast didn’t take it seriously, and just told us to create a new account and not use the old one. (!!!)

We had full access. I could have signed this person up for the most expensive package, or even canceled their service.

Let's be realistic here. Everyone knows it's not possible to cancel Comcast service.
I managed to cancel my dad's after he died. They STILL tried to upsell me! One of my favorite phrases ever uttered: "He's dead, you asshole, he doesn't need more channels!" And that actually did it. Felt sorry for the salesperson, who didn't have much of a choice in the matter...
Surely by making it difficult to cancel they’re really just making it easier for people to get discounts. If I were a Comcast customer I’d be calling up to cancel every few months.
Nice one. However, I cancelled in person a couple years ago (because I had equipment to return).

The first thing I said at the counter was "I know it's really hard to cancel Comcast, and I'm not going to accept anything but a cancel."

The girl at the counter smiled and said "We know ..." and immediately cancelled my account.

"Ah yes, cancelling requires a call because of security. A feature for the user!"
To be fair, the internets would have been equally outraged if there wasn't such a requirement, because sure as hell somebody would have found an exploit and cancelled a bunch of accounts, just for funzies.
I signed up for a disposable Gmail account using my real name at one point, and accepted the randomly suggested address it offered. Gmail loaded with someone else's obviously in-use mailbox.

IIRC I logged out again and back in, same thing, my credentials worked. Went back to it a few days later and the password no longer worked.

Hash collisions most likely.
Have heard this so many times about Gmail...

How have they not resolved this?

I think it's like EC2 instance IDs. When they first came up with it, they never thought there would be literally billions of unique email addresses/EC2 instances eventually.
I can only imagine about.me mass-creating profiles for names found on other web pages, and opening a way for someone to "claim" those profiles with a matching Google account sign-in.

About.me's business model was quite unsettling to me and they have made little to no effort to protect the user data from scrapers.

I had a similar experience. In 2014 I reported an issue where you could take over someone's account by adding an email you control to it and having them complete the flow by sending them a link (which, unless they looked very carefully, looked exactly like the regular log-in flow at the time - especially if they used a public email service and you registered a similar-looking account).

I tried it on a friend and it worked, but LinkedIn's response was basically "meh".
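Two of the failure modes in this thread share a root cause: services that do not verify that a user controls the address they typed (the "growth hack" comment above), and an add-email flow that can be completed by someone other than the account owner (the takeover described in the comment just above). The following is an added example, not code from LinkedIn, about.me or any commenter, showing the defensive pattern: verification tokens that are HMAC-signed, expiring, single-use and bound to the requesting user, the exact address and the purpose they were issued for, plus an add-secondary-email flow that is only completed when both the new address and the account's existing verified address confirm it. All names, the signing key and the sample addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed signing key for the example; a real service loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)


class EmailVerifier:
    """Issues and redeems single-use, expiring tokens that prove control of an address.

    Each token is bound to the user who requested it, the address it was mailed to and
    the purpose it was issued for, so a forwarded link does nothing for a different
    logged-in user and a sign-up token cannot be replayed as an add-email approval."""

    def __init__(self, key, ttl_seconds=3600, clock=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # token_id -> (user_id, email, purpose, expires_at)

    def _mac(self, token_id, user_id, email, purpose, expires_at):
        msg = "|".join([token_id, user_id, email, purpose, str(expires_at)]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id, email, purpose):
        token_id = secrets.token_urlsafe(16)
        expires_at = int(self._clock()) + self._ttl
        self._pending[token_id] = (user_id, email, purpose, expires_at)
        return token_id + "." + self._mac(token_id, user_id, email, purpose, expires_at)

    def redeem(self, token, acting_user_id, expected_purpose):
        """Return the verified address, or None if the token is not valid for this user."""
        token_id, _, mac = token.partition(".")
        record = self._pending.get(token_id)  # the pending table enforces single use
        if record is None:
            return None
        user_id, email, purpose, expires_at = record
        if not hmac.compare_digest(mac.encode(), self._mac(token_id, *record).encode()):
            return None  # tampered link
        if self._clock() > expires_at or purpose != expected_purpose or user_id != acting_user_id:
            return None
        del self._pending[token_id]
        return email


class AccountService:
    """Registration and secondary-address flows built on EmailVerifier (constructed example)."""

    SIGNUP = "verify_signup"
    ADD_NEW = "add_email_new"          # link mailed to the address being added
    ADD_APPROVE = "add_email_approve"  # link mailed to the existing verified primary

    def __init__(self, verifier):
        self._verifier = verifier
        self._accounts = {}      # user_id -> {"primary": str, "verified": set}
        self._pending_adds = {}  # (user_id, new_email) -> set of purposes confirmed so far

    def register(self, user_id, email):
        """Create the account unverified; return the token that would be mailed to `email`."""
        self._accounts[user_id] = {"primary": email, "verified": set()}
        return self._verifier.issue(user_id, email, self.SIGNUP)

    def confirm_signup(self, user_id, token):
        email = self._verifier.redeem(token, user_id, self.SIGNUP)
        if email is None:
            return False
        self._accounts[user_id]["verified"].add(email)
        return True

    def is_verified(self, user_id):
        acct = self._accounts.get(user_id)
        return acct is not None and acct["primary"] in acct["verified"]

    def _owned_elsewhere(self, email):
        # An address already verified on any account cannot be claimed by another one.
        return any(email in a["verified"] for a in self._accounts.values())

    def request_add_email(self, user_id, new_email):
        """Return (token for the new address, token for the primary); both must be redeemed."""
        if not self.is_verified(user_id) or self._owned_elsewhere(new_email):
            return None
        self._pending_adds[(user_id, new_email)] = set()
        return (self._verifier.issue(user_id, new_email, self.ADD_NEW),
                self._verifier.issue(user_id, new_email, self.ADD_APPROVE))

    def confirm_add_email(self, user_id, token, purpose):
        """Return 'rejected', 'pending' (one channel confirmed) or 'added' (both confirmed)."""
        if purpose not in (self.ADD_NEW, self.ADD_APPROVE):
            return "rejected"
        email = self._verifier.redeem(token, user_id, purpose)
        if email is None or (user_id, email) not in self._pending_adds:
            return "rejected"
        confirmed = self._pending_adds[(user_id, email)]
        confirmed.add(purpose)
        if confirmed != {self.ADD_NEW, self.ADD_APPROVE}:
            return "pending"
        del self._pending_adds[(user_id, email)]
        self._accounts[user_id]["verified"].add(email)
        return "added"
```

The point of the two-token add flow is that a link mailed to an attacker-controlled address can never, on its own, attach that address to someone else's account: the account's existing verified address has to approve it too, and a token redeemed while logged in as any other user is discarded. Sign-up tokens carry a different purpose string, so they cannot be reused to approve an address change.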

My life has only gotten better since I deleted LinkedIn a few years ago. I know I'm in a privileged position to be able to do that, but I strongly recommend everyone here consider whether what they gain from their account is worth the crap and spam they have to put up with.

LI is terrible if you actually try to use it, but it's harmless enough if you just use it as a profile hosting service, where people are likely to look. I just auto-archive their emails and only visit the site a couple of times per year.
While not good, what's the connection to this story?

The article says some LinkedIn data was scraped, but I don't see anywhere that it specifically says a LinkedIn security flaw was used in the scraping. Although it is vague about what data was scraped and how, so it doesn't preclude that either.

In other words, are you saying a LinkedIn vulnerability was exploited here, or suggesting that it probably was, or are you just mentioning LinkedIn because it's tangentially related?

I signed up for an API key to see what they have on me, and the data it returned looks awfully close to what I have on LinkedIn.
A few years of heads up is sufficient to disclose publicly. Full disclosure helps keep companies honest about security.
I deleted my LinkedIn a few years back when they had some bug where I would randomly get page views as some other person, with all their connections and account details and whatnot. It would only last a few minutes, then switch me back to my account, but they aggressively ignored my attempts to reach out to them about this bug so I just gave up.