LinkedIn halts Sell Hack plugin revealing email addresses

Sell Hack has suspended functionality to reveal LinkedIn email addresses in response to a cease-and-desist order

Browser plugin Sell Hack has suspended functionality to reveal LinkedIn members’ email addresses after the professional networking firm issued a cease-and-desist order.

The plugin, which is available for Safari, Firefox and Chrome, features a Hack In button designed to help salespeople uncover hidden email addresses on social profiles.

“Anytime you go to a Social profile page, you'll see a Hack In button. If you click the button, we'll start to run the profile against our data sources,” explains the Sell Hack website.

Despite Sell Hack claims that all data is publicly available and that it was not doing anything malicious, LinkedIn decided to take legal action.

The professional networking firm has been quick to take action on privacy issues since stolen passwords were revealed after a data breach in June 2012 that cost more than $1m to investigate and remediate.

In January 2014, LinkedIn filed a lawsuit aimed at identifying hackers who used Amazon's cloud computing service to bypass security measures and copy data from member profiles.

"We are doing everything we can to shut Sell Hack down. On 31 March LinkedIn's legal team delivered Sell Hack a cease-and-desist letter as a result of several violations," a LinkedIn spokesman told the BBC.

"LinkedIn members who downloaded Sell Hack should uninstall it immediately and contact Sell Hack requesting that their data be deleted," he said.

LinkedIn warned users to “use caution" before downloading any third-party extensions or apps because some, like Sell Hack, are able to upload private LinkedIn information without explicit consent.

According to independent security analyst Graham Cluley, Sell Hack did not actually hack LinkedIn profiles to reveal the email addresses associated with them.

“Instead, Sell Hack made use of publicly available information on the net combined with ‘best guesses’ to determine the likely contact details for an individual,” he wrote in a blog post.

LinkedIn has confirmed that no LinkedIn data has been compromised and Sell Hack is not the result of a security breach, bug or vulnerability.

Sell Hack has confirmed receipt of the cease-and-desist letter from LinkedIn and said the plugin no longer works on LinkedIn pages.

“We only processed publicly visible data from LinkedIn based on your profile permissions…all of which has been deleted,” Sell Hack said in a blog post.

The creators of the plugin denied they were “sneaky” and “nefarious”, claiming instead to be “dads from the Midwest who like to build web and mobile products that people use”.

The Sell Hack team also promised to build a better product that does not conflict with LinkedIn’s terms of service.

Cluley said the Sell Hack Team would do well to be a little more transparent if they release new versions of the tool, and be clearer about what they are doing and what they are not doing, if they want to gain the trust of internet users.

“It remains to be seen if LinkedIn will ever look kindly on a service which put a Hack in button every one of their over 200 million active user accounts,” he said.

Read more on Privacy and data protection