LinkedIn is Insecure
My LinkedIn account was hijacked at 3:17 am on March 4, 2011. By “hijacked” I mean that the attacker obtained my password, logged in and changed the password, removed my email from the account and replaced it with her own. At this point she controlled the account. She erased the original content of my profile and replaced it with embarrassing fictional attributes and achievements.
I was able to capture a mildly legible screenshot of my vandalized profile.
I went to the help center and provided details of what had happened. I asked if I could either reclaim or delete my account.
On March 11, 2011 I asked for an update. LinkedIn responded with a link to an “Affidavit of Identity” which I was asked to fill out, get notarized, and fax back to LinkedIn Headquarters. I faxed the notarized form to them on March 16, 2011.
On March 23, 2011, after confirming that they had received the notarized affidavit, I was emailed a link to reset my password, and I reclaimed the account.
If you subtract the 5 days it took for me to get the form notarized, reclaiming my account took 14 days. For a career-oriented networking site such as LinkedIn, authenticity is king. A hijacked and vandalized account could seriously damage someone’s career. I think some stronger security measures are necessary.
Here are a few suggestions:
Two-factor authentication. A user is required to provide not only their known password but also a second, one-time code that the attacker cannot obtain by stealing the password alone: a code that changes over time (Google does this), or one that is derived from a challenge the service sends at login (some VPN configurations use a password grid for this purpose).
Allow users to configure a phone number at which they will receive a text message whenever a sensitive account change is made, such as a password or email-address change. Yahoo does this. The notification should go to the previously registered phone number or email address, not only to the new one, because replacing the contact details is often the attacker's first step after logging in.
Based on my experience, I believe that LinkedIn has some security improvements to make. However, I am infinitely grateful for their help in allowing me to reclaim my account. Thank you!