Security researchers have today discovered that LinkedIn’s iOS app for iPhone, iPod Touch and iPad has been gathering users’ calendar data and sending it back to LinkedIn servers without users’ permission.
If you have enabled the calendar sync feature within the app, then your name, emails and calendar events (CEOs and corporations should stand up and take note – no pun intended) have been transmitted in plain text to LinkedIn’s private servers. Plain text? OK, they are sending this over an SSL connection, but it appears a Russian hacker claims he has successfully stolen data from LinkedIn, and has uploaded 6.5m passwords from the website (not usernames, might I add; it’s a bit strange that the hacker only stole 6.5m when LinkedIn has over 100m users).
It’s unlikely the hacker has access to the usernames, so the data breach, although serious, isn’t as serious as first thought. Also, it’s not clear how the hacker managed to steal this data. Backend database breach? Anyway, I suggest you change your LinkedIn password right now.
How to disable the iPhone and iPod Touch calendar upload feature:
Open the LinkedIn iOS app on your iPhone > Select your profile (the “You” badge) > Tap the cog wheel icon in the top-right corner > Tap “Add Calendar.” > On the next screen, make sure “Add Your Calendar” is set to OFF.
How to disable the iPad calendar upload feature:
Open the LinkedIn iOS app on your iPad > Tap the cog wheel icon in the top-left corner > Make sure “Show Calendar” is set to OFF.
UPDATE 7th June: LinkedIn has updated its iOS app, presumably to alter the way the calendar sync feature collects data. The 5.0.3 update states that the changes include “miscellaneous bug fixes” and “improvements in calendar.”
Safe surfing, folks!