A friend of mine received the following email on Friday, 2 full days after the LinkedIn attack was made public, titled “Important update regarding your LinkedIn password”. Here’s the text she received, addressed to her by her first and last name:
[see UPDATE below]
We recently became aware that some LinkedIn passwords were compromised and posted on a hacker website. We immediately launched an investigation and we have reason to believe that your password was included in the post. To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event. While a small subset of the passwords was decoded and published, we do not believe yours was among them. The security of your account is very important to us at LinkedIn. As a precaution, we disabled your password, and advise you to take the following steps to reset it. If you reset your password in the last two days, there is no need for further action. 1. Type http://www.linkedin.com/settings directly into your browser 2. Type in your email address and press Sign In, no password necessary 3. Follow the on-screen directions to reset your password Note: Do not reuse your old password when creating your new password. If you have been using your old LinkedIn password on other sites, we recommend that you change those passwords too. We appreciate your immediate attention to resetting your password and apologize for the inconvenience. Thank you,
The LinkedIn Team
A couple of observations:
- Doesn’t it look and read like a spam message? One long, run-on paragraph? Others have posted the same email, but their version has nice paragraphs. My friend forwarded me her actual email, and no paragraph marks were in it. Weird.
- It doesn’t matter whether “email logins associated with the passwords have been published” or whether LinkedIn has NOT “received any verified reports of unauthorized access to any member’s account as a result of this event”. Maybe the attackers haven’t published the email logins and kept them to themselves; maybe the attackers accessed accounts, but no one has discovered it yet. Not everyone uses their LinkedIn account on a daily or even monthly basis.
- If my friend’s password wasn’t compromised, why did they reset her password? Why didn’t they reset mine? Or are they still working on everyone whose last name starts with A thru D? Evidently, the security of my account doesn’t bother them as much…
- Did you catch the “2. Type in your email address and press Sign In, no password necessary.” I don’t understand this at all. There must be some verification after the sign-in, otherwise what would keep me from changing someone else’s password? I’ll follow up with my friend and see what she did.
Who else received an email like this?
LastPass has a tool to check whether your LinkedIn password was posted. I’m not vouching for it, and I don’t suggest you enter YOUR password, but assuming it’s legit, you can check to see what stupid passwords people used, like “john316”. Whether it’s legit or not, the marketing folks at LastPass have a bonanza going!
UPDATE: I talked to my friend, who said her password was NOT disabled. She logged in with her existing password and then changed it. Based on this, the fact that the above email contained a link when LinkedIn said such emails would not (see #2 here), and the “no password necessary”, I am strongly suspecting the above email was not sent by LinkedIn.
6 responses to “Important update regarding your LinkedIn password = SPAM?”
Got it and thought the same thing…this is phishing. I went to the site to see if there was a message or an alert in my inbox, and I did see the same message in the news section, but it could have been copied and pasted. The link thing was weird…I don’t ever remember giving them my public key…how did they know it was me? Anyone could have clicked on the link and changed the password to whatever. Very strange methodology, LinkedIn.
What do you mean about the public key? More details, please. See my UPDATE above.
More of a sarcastic remark that I didn’t exchange any keys with them, so there was no trust between my computer and theirs. I did go back and try the link to reset my password and it expired, so that was good.
Interesting. Thanks for the update, Danny. Anyone else get this email?
I did, on June 8. Two weird things in my mind: First was the language of the email as already pointed out. (Mine has 5 paragraphs.)
Second is the from: LinkedIn. I’m no computer wizard, so maybe I am making a mountain out of a mole hill, but I didn’t and still don’t trust “…@e.linkedin.com” instead of “…@linkedin.com.” Am I wrong?
I don’t blame you, but remember dotted components of URLs are read right to left, so .com is read first, then .linkedin, then e. So e has to belong to the .linkedin domain just as .linkedin belongs to the .com domain. I remember this because a company I was at was bought by a conglomerate and our website went from http://www.company.com to http://www.company.conglomerate.com. We had lots of fun making the website switch.
Having said that, always be suspicious. Anyone else want to chime in?
Thanks for the comment.
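The right-to-left reading of domain labels discussed in the comments above, as an added example that is not part of the original post or its comments: a small checker that decides whether a sender address such as “…@e.linkedin.com” sits inside the linkedin.com tree, while rejecting look-alikes that merely contain the string “linkedin.com”. The sample addresses are constructed, and the `apex` default is an assumption for this illustration.

```python
def normalize_host(host: str) -> str:
    """Lower-case a host name and strip whitespace and a trailing root dot."""
    return host.strip().rstrip(".").lower()


def is_subdomain_of(host: str, apex: str) -> bool:
    """True when host equals apex or sits anywhere below it in the DNS tree.

    Labels are compared from the right: 'e.linkedin.com' ends in the labels
    'linkedin', 'com', so it belongs to linkedin.com. A decoy such as
    'linkedin.com.example.net' ends in 'example', 'net' and is rejected even
    though it starts with the familiar name.
    """
    h = normalize_host(host).split(".")
    a = normalize_host(apex).split(".")
    if len(h) < len(a):
        return False
    return h[-len(a):] == a


def sender_domain(address: str) -> str:
    """Return the domain part of a plain email address (after the single '@')."""
    if address.count("@") != 1:
        raise ValueError(f"not a plain email address: {address!r}")
    return normalize_host(address.rsplit("@", 1)[1])


def classify_sender(address: str, apex: str = "linkedin.com") -> str:
    """Classify the sender's domain as 'apex', 'subdomain' or 'foreign' relative to apex.

    Note: this only inspects the *claimed* From domain. A From header can be
    forged, so a 'subdomain' verdict says the name is in the right tree, not
    that the message was actually sent by that organisation; SPF/DKIM/DMARC
    results are what establish that.
    """
    dom = sender_domain(address)
    if dom == normalize_host(apex):
        return "apex"
    if is_subdomain_of(dom, apex):
        return "subdomain"
    return "foreign"


if __name__ == "__main__":
    # Constructed sample senders for illustration; none are real message headers.
    for addr in ["noreply@e.linkedin.com", "security@linkedin.com",
                 "alerts@linkedin.com.example.net", "alerts@notlinkedin.com"]:
        print(f"{addr:35} -> {classify_sender(addr)}")
```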