A friend of mine received the following email on Friday, 2 full days after the LinkedIn attack was made public, titled “Important update regarding your LinkedIn password”. Here’s the text she received, addressed to her by her first and last name:
[see UPDATE below]
We recently became aware that some LinkedIn passwords were compromised and posted on a hacker website. We immediately launched an investigation and we have reason to believe that your password was included in the post. To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event. While a small subset of the passwords was decoded and published, we do not believe yours was among them. The security of your account is very important to us at LinkedIn. As a precaution, we disabled your password, and advise you to take the following steps to reset it. If you reset your password in the last two days, there is no need for further action. 1. Type http://www.linkedin.com/settings directly into your browser 2. Type in your email address and press Sign In, no password necessary 3. Follow the on-screen directions to reset your password Note: Do not reuse your old password when creating your new password. If you have been using your old LinkedIn password on other sites, we recommend that you change those passwords too. We appreciate your immediate attention to resetting your password and apologize for the inconvenience. Thank you,
The LinkedIn Team
A couple of observations:
- Doesn’t it look and read like a spam message? One long, run-on paragraph? Others have posted the same email, but their version has nice paragraphs. My friend forwarded me her actual email, and no paragraph marks were in it. Weird.
- It doesn’t matter whether “email logins associated with the passwords have been published” or whether LinkedIn has NOT “received any verified reports of unauthorized access to any member’s account as a result of this event”. Maybe the attackers haven’t published the email logins and kept them to themselves; maybe the attackers accessed accounts, but no one has discovered it yet. Not everyone uses their LinkedIn account on a daily or even monthly basis.
- If my friend’s password wasn’t compromised, why did they reset her password? Why didn’t they reset mine? Or are they still working on everyone whose last name starts with A thru D? Evidently, the security of my account doesn’t bother them as much…
- Did you catch the “2. Type in your email address and press Sign In, no password necessary.” I don’t understand this at all. There must be some verification after the sign-in, otherwise what would keep me from changing someone else’s password? I’ll follow up with my friend and see what she did.
Who else received an email like this?
LastPass has a tool to check whether your LinkedIn password was posted. I’m not vouching for it, and I don’t suggest you enter YOUR password, but assuming it’s legit, you can check to see what stupid passwords people used, like “john316”. Whether it’s legit or not, the marketing folks at LastPass have a bonanza going!
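The safer alternative to typing your password into someone else’s web form is to do the comparison yourself, offline: hash the password locally and look the hash up in the posted list. The following is an added example, not code from this post or from LastPass or LinkedIn. It assumes the leaked list is a file of unsalted SHA-1 hex digests, which is the format the 2012 LinkedIn dump was reported in (some entries had their first five hex characters overwritten with zeros, so the lookup also tries that form). The “dump” embedded below is a constructed sample of a few weak passwords, not the real list.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form the 2012 LinkedIn list was posted in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed sample dump (NOT the real leaked list): a few weak passwords,
# plus one entry whose first five hex characters were zeroed out.
LEAKED_HASHES = {
    sha1_hex("john316"),
    sha1_hex("password1"),
    "00000" + sha1_hex("linkedin")[5:],
}

def load_dump(path: str) -> set:
    """Read a real dump: one lowercase hex SHA-1 per line, blank lines ignored."""
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        return {line.strip().lower() for line in f if line.strip()}

def password_in_dump(password: str, dump: set):
    """Return 'exact', 'zeroed-prefix', or None. Nothing leaves this machine."""
    h = sha1_hex(password)
    if h in dump:
        return "exact"
    if "00000" + h[5:] in dump:          # zeroed-prefix variant seen in the dump
        return "zeroed-prefix"
    return None

if __name__ == "__main__":
    import getpass
    # Prompt without echo so the password does not end up in shell history.
    candidate = getpass.getpass("Password to check locally: ")
    result = password_in_dump(candidate, LEAKED_HASHES)
    print("FOUND in dump (%s)" % result if result else "not in this dump")
```

Run it against a real list with `load_dump("/path/to/dump.txt")` in place of the constructed set. A “not found” answer only means the hash is not in the copy you have; if the site reset your password, change it anyway, and change it everywhere it was reused.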
I talked to my friend, who said her password was NOT disabled. She logged in with her existing password and then changed it. Based on this, the fact that the above email contained a link when LinkedIn said such emails would not (see #2 here), and the “no password necessary”, I am strongly suspecting the above email was not sent by LinkedIn.