Tag: LinkedIn

The Video-conference service Zoom and its Data Security issues

20. April 2020

Amidst the Corona crisis, the video communications service Zoom gained enormous popularity. The rate of daily Zoom users skyrocketed from 10 Mio in December 2019 to 200 Mio in March 2020. As it outshined many of its competitors, Zoom labels itself as “the leader in modern enterprise video communications”. However, the company has been facing a lot of public criticism because of its weaknesses in data security and lack of awareness in data protection matters.

Basic data security weaknesses unfolded little by little starting in March 2020:

  • Zoom had to admit that it was wrongly advertising to provide full end-to-end encryption for all shared contents like video, audio or screen sharing.
  • Security experts revealed several bugs that could have allowed webcam and mic hijacking and the theft of login credentials.
  • An online Tech Magazine reported that Zoom leaked thousands of their users’ email addresses and photos to strangers.
  • Video-conferences which users did not protect with a password, enabled “Zoombombing”, a phenomenon in which strangers hijacked videocalls and disrupted them by posting pornographic and racist images as well as spamming the conversations with threatening language. In response, Zoom introduced the Waiting Room feature and additional password settings.

At the same time, Zoom’s data privacy practices came under scrutiny:

  • Zoom shared web analytics data with third-party companies for advertising purposes without having a legal basis or notifying users about this practice. In response to criticism, Zoom revised its privacy policy and now declares that it does not share data from meetings for advertising.
  • The company also shared more analytics data of its users with Facebook than stated on Zoom’s privacy policy, even if the user did not sign in with their Facebook account. Zoom introduced an update in which this sharing is terminated.
  • The New York Times revealed that Zoom used a data mining feature that matched Zoom users’ names and email addresses to their LinkedIn profiles without the users knowing about it. Zoom then enabled automatic sharing of the matched LinkedIn profiles with other meeting members that were subscribers of a LinkedIn service for sales prospecting (“LinkedIn Sales Navigator”). In response to criticism, Zoom removed this feature permanently.
  • Zoom hosted a feature called Attention Tracking, which let the meeting’s host know when an attendee had clicked away the meeting window for more than 30 seconds. In the meantime, Zoom disabled the feature.

The security and privacy issues of Zoom have led various public authorities and companies internationally to ban their workers from using the service.

On 1 April 2020, Zoom’s founder and CEO Eric S. Yuan announced a 90-day plan to significantly improve their data security in an effort to build greater trust with their users. This plan includes freezing the introduction of new features, enlarge their cybersecurity team and engage outside help from security advisors.

LinkedIn was banned in Russia

27. January 2017

The Russian data protection authority “Roskomnadzor” sent on November, 17 2016 an order to the telecommunication companies to block access to LinkedIn within Russia. The reason for this step was, according to Roskomnadzor, that LinkedIn does not protect subjects’ data rights in a way that complies with the Russian data protection law.

The order of Roskomnadzor refers to a Moscow District court decision from August, 4 2016.

The case of LinkedIn is the first major test of the Russian law, which is on effect since September, 1 2015.

Roskomnadzor judges, that LinkedIn not only violates against the data localization requirement furthermore LinkedIn also violates a number of other requirements such as collecting personal data from non-users without their consent before they complete the registration process.

Now LinkedIn can take action against this decision within the six-month period to the Moscow Court and then appeal to the Russian Supreme Court. However, LinkedIn has not announced its intentions yet.

Microsoft acquires LinkedIn: privacy issues arise

16. June 2016

Early this week, Microsoft announced the acquisition of LinkedIn, a professional network with more than 400 million users. This makes LinkedIn to be one of the largest databases worldwide. The acquisition will allow Microsoft to have access to the professional profiles of LinkedIn users.

According to Microsoft´s CEO, Satiya Nadella, this operation will make possible that, for example, LinkedIn´s newsfeed shows articles related to the project the user is working on and on the other hand, Office may suggest professionals in LinkedIn who are experts in the task that is being completed at the time.

However, privacy related issues have aroused upon the acquisition, especially regarding the amount of personal data that LinkedIn processes. Dimitri Sirota, CEO of BigID, a customer data protection company, states that Microsoft should show that this acquisition “can enrich the software offerings from Microsoft in areas such as CRM, communication, productivity, etc.” He also remarks the importance of personal data management, so that there is no infringement of local data privacy legislations.

Software companies, such as Microsoft, gain marketing, sales and intelligence value through these kind of operations, but they also have to deal with privacy risk and compliance legislation.

In this scenario, LinkedIn should continue handling personal data as stipulated in its terms of service. This does not prevent Microsoft from signing a data transfer agreement with LinkedIn in order to have access to the data. Such access would allow Microsoft to analyze the personal data received.

Several IT-Security experts agree on the fact that data privacy and data protection should stay at the foreground.

Twitter: 32 million accounts may have been hacked and leaked

9. June 2016

Hackers may have used malware in order to gain more than 32 million Twitter login-data that are now presumable being sold on the dark web. However, a Twitter spokesman said that “We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”

LeakedSource, a site with a search engine of leaked login credentials, says that the respected data of Twitter contains 32,888,300 records consisting of email addresses, usernames and passwords.

Due to the provided information included in the respected data, for example the fact that passwords are displayed without encryption, LeakedSource stated that the data was collected by malware that has infected internet browsers rather than stolen directly from Twitter. In order to verify that the leaked data is valid, LeakedSource asked 15 users to verify their passwords. All of them confirmed that the passwords were correct.

However, Twitter stated that the hacking of accounts belonging to celebrities was due to the re-use of passwords that were leaked in the LinkedIn and Myspace breaches. A spokesman said that “A number of other online services have seen millions of passwords stolen in the past several weeks. We recommend people use a unique, strong password for Twitter”.

Whether or not the leaked data is valid, it is recommended to change passwords, not only when using the same password for several accounts.

LinkedIn: Hacker selling 117 million e-mail adresses and passwords

19. May 2016

In 2012 LinkedIn was hacked and 6.5 million encrypted passwords were posted online.

This data breach has now turned out to be far more extensive than originally thoght. This is due to the fact that a hacker called “Peace” is trying to sell account information of 117 million LinkedIn users, including their e-mail addresses and passwords.

The hacked data search engine LeakedSource, has also obtained the data. Although the passwords were originally encrypted, so that a series of random digits were attached to the end of hashes, in order to make them harder to be cracked, LeakedSource claims to have cracked 90 percent of the passwords in 72 hours.

The security researcher Troy Hunt, maintaining the breach notification site “Have I Been Pwned?,”talked to some of the victims of this data breach. Two of them confirmed that they were users of LinkedIn and that the password that Hunt shared with them was indeed the one they were using at the time of the data breach.

LinkedIn confirmed this week that the new data is legitimate:

The company’s chief information security officer Cory Scott stated that “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,“ and went on “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.“ Furthermore, Scott also suggested that in order to keep their accounts as safe as possible, members visit their safety center to learn about enabling two-step verification, and to use strong passwords.

Category: General
Tags: ,