The Great LinkedIn Hack
A personal experience highlights some disturbing faults with the popular job site
It can happen to you.
Oh yes, it can…
It may take place as you are on LinkedIn itself, reading about how Chris can eat all the pot pies he wants now that the expats have left town.
Or it may occur while you are engrossed in Simon’s video about turning wannabe dreams into purposeful money-generating reality.
Then again, you could be scrolling through Su-Mae’s info-graphic about how to answer questions for a job interview. You know the one. It’s been posted 25 times by other people already.
And while you’re doing this, someone in Moscow, or São Paulo, or Turkey—or anywhere at all really—is replacing your LinkedIn identity with their own.
It happened to me this month.
At 7:35 am I was on LinkedIn while sipping the morning coffee. Then at 7:40 am, I was checking emails, when new emails started coming in. In one of them, LinkedIn was kind enough to inform me that my password had been reset. “You’ve successfully changed your LinkedIn password”, the email declared. Believe me, it comes as a shock when you haven’t actually done that.
Apparently, the browser was Chrome, the operating system was Windows, and the location where this took place was in Hanoi, Vietnam.
The next minute I received a new email. “You’ve successfully turned on two-step verification for your LinkedIn account.” Except I hadn’t. This time, the location was unknown, but the last four digits of a strange phone number were highlighted. This number was to receive the verification code which I would never see.
There was more good news with the next email. As it turns out, elizabethgwy267@hotmail.com had now added her own email to my account. A real panic sets in after that, as you have no idea what elizabethgwy plans to do next. You can imagine the scenarios. I thought of many already — though there are plenty more that I probably don’t even know.
Well, you think, I've caught this early enough — almost as soon as it happened. I'll just go and report this to the LinkedIn help desk. The problem is that in 99% of the searches that you do, you need to LOG IN to your account to do this. Even in LinkedIn's helpful emails that are politely informing you that you are being hacked, they request that you sign in with your email address and password. For example, if I choose not to have elizabethgwy267@hotmail.com associated with my account, I still have to log in.
So when you can't log in to your own account and you can't visit LinkedIn's help desk (because you can't log in), it's quite a quandary. So I started searching around for other stories about LinkedIn hacks, and it turns out that there are quite a few.
As far back as 2012, a Russian hacker by the name of Yevgeniy Nikulin stole the passwords of six and a half MILLION user accounts on LinkedIn. Though he was eventually caught and sentenced to 88 months in prison, LinkedIn noticed FOUR YEARS later that 100 MILLION more email addresses and passwords had been compromised. A US-based LinkedIn account owner by the name of Katie Szpyrka later sued the company for US$5 million for violating protocols related to the hack, though the case was eventually dismissed.
More recently in 2023, two separate data archives, supposedly with 827 million scraped LinkedIn profiles — 10% more than LI's total database — were put on sale on a hacker forum for US$7,000 worth of bitcoin. Sample leaked files included full names, email addresses, phone numbers, and workplace information. LinkedIn responded in a statement by saying "This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we've been able to review."
Though by no means a hack, it's also worth noting that LinkedIn paid US$13 million in a 2013 class action lawsuit filed in California. There, a group of users claimed that their reputations may have been damaged due to a relentless amount of emails that the company sent on their behalf to “Add Connections”. The company settled out of court.
Two years ago, LinkedIn filed a federal lawsuit of its own in Singapore against the business intelligence company Mantheos Pte. Ltd, who they claimed were illegally scraping millions of LI profiles for their own use. In May 2022, Mantheos agreed to delete all scraped LI profile data, destroy all its software, and stop accessing LI profile data.
Based on the above, it's clear that privacy and data are key issues for LinkedIn, as they should be. But what they really need to work on are more responsive and user-friendly steps that users can take when it comes to such security issues. Two years ago I pointed out the lacklustre effort to snuff out fake users on the platform (https://scottkmurphy.substack.com/p/the-story-of-stella-lee?r=1e171), and password theft is a more overt and serious extension of that. It should be obvious to stakeholders on the site that you can't log in to a site that's just been hacked. Nor can you visit a Help Center by logging in, because…duh!
So what happened next, you may ask? Well, after plenty of searching on Google, and much reading of small print, it turns out that LinkedIn has a "Report Unauthorized Account Access or Changes” form. Once you fill that out, a "LinkedIn Member Safety and Recovery Consultant” is likely to contact you via your email address. Mine was Akhil, who asked me to verify my identity via an ID or passport. He then sent an email with instructions to follow as to how I could regain access to my LinkedIn profile.
Admittedly, it was a relief to be back on the site. Fortunately, there were no signs that unwanted messages were sent. My profile wasn't vandalized. There was also no sign of Elizabeth's email address.
But, unfortunately, the story doesn't end there. One of the suggestions by Akhil and other LI staff members was to create a "two-step verification”. This process begins right beside your name on your LI profile. Once you click the "Verify Now” button, this takes you to an instruction page where you can "Build trust by verifying your identity". The outfit behind this operation is a San Francisco-based company called "Persona". All you need to do is agree to their terms (two simple clicks), find your country, and scan your passport. Simple, yes?
However, there's at least one country there that's not on the list. It's the country where Persona has its main office. It's the country where LinkedIn started. It also happens to be the country I have a passport for.
So do you know what I did…and…what would you do?