On Tuesday Skycure Security reported that LinkedIn secretly sends detailed user iOS calendar entries to its servers. Collected data includes lists of meetings, subject, location and time of meetings, and personal meeting notes. The latter aspect is considered a little scary, as notes tend to contain highly sensitive information such as conference call details and passcodes.
"If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every-time you open your LinkedIn app," the company said in a blog. "Every time you launch LinkedIn’s app for iPhone, it automatically sends out all of your calendar entries for a five-days time frame. The meetings information is being collected from all the calendars on the iOS machine, thus possibly exposing information from both personal and corporate calendar accounts."
Later LinkedIn responded to the report, listing what the company does, doesn't and will improve on regarding its iOS app and the calendar service. LinkedIn stated that it asks the user for permission before accessing the calendar, and will continue to be an opt-in feature. It also admitted that calendar data is sent to LinkedIn servers via a secure SSL connection when the iOS app is launched "to be matched with relevant LinkedIn profiles of meeting attendees."
"In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles," the company said on Wednesday. "That information is sent securely over SSL and we never share or store your calendar information."
"In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes," LinkedIn added.
Adding to LinkedIn's stressful day, there are additional reports claiming that a Russian forum user has hacked LinkedIn and uploaded 6,458,020 encrypted passwords (without usernames) as proof. The passwords are encrypted with the SHA-1 cryptographic hash function that's used in SSL and TLS.
There's a possibility that the leak is just a hoax, but several messages spotted on Twitter indicate it's a real deal -- even Mikko Hypponen, Chief Researcher at F-Secure, believes it's a "real collection." There's also speculation that the hack was accomplished using some kind of exploit in LinkedIn's web interface.
"Our team is currently looking into reports of stolen passwords. Stay tuned for more," LinkedIn said on Wednesday.
Additional details regarding the hack are expected to arrive shortly.