Filed under Hacks, Security News.

Gawker has been hacked, and their whole user database was just leaked at The Pirate Bay, containing over 500 megs of usernames and passwords to Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9 and Fleshbot. A couple of minutes ago I noticed an email from LinkedIn, stating:

Dear X,

In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe.

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:

  1. Go to the LinkedIn website
  2. Click on “Sign In”
  3. Click on “Forgot Password?” and follow the directions on the website

Thank you,
The LinkedIn Team

My first thought was that LinkedIn was hacked too; fortunately the mail was just a precaution taken by the LinkedIn staff to protect accounts that might have been compromised. Kudos to LinkedIn for responding so quickly and proactively.

So yeah, my password is compromised. Fortunately I use a password hierarchy (using the same type of passwords on “low-value” sites where I don’t store any personal information), so the chances of it being exploited in any way are minimal. Still had to go through the boring job of changing it on several other sites though…

Update: Ok, so I tried to get my new password from LinkedIn using the procedure above. I clicked the “Forgot password” link, and I was greeted with the following:

Notice anything strange? How about:

Please enter the email address you used to create your LinkedIn account, and we will send you a link to reset your password.

Ouch. Now you are making it very difficult for yourself (and me, I might add), LinkedIn: I got rid of that mail account many years ago. Guess I have to call customer support.

Update 2: I tried to supply my new e-mail address instead of the one I used to create my LinkedIn account, and the reset worked. There seems to be some slowness in the system though. Here’s what I received from the LinkedIn team:

Dear X,

We have received your request to reset your LinkedIn password. Please use this secure URL to reset your password within 5 days.
To reset your password, please enter your new password twice on the page that opens.

If you cannot access the link above, you can paste the following address into your browser:

https://www.linkedin.com/e/pwr/YYYYYYY/XXXXXXXX/

Thank you for using LinkedIn!

– The LinkedIn Team
http://www.linkedin.com/

Update 3: While I feel that this is a good security move by LinkedIn, I cannot avoid commenting on the “window of opportunity” it creates for phishing attacks: using LinkedIn features such as viewLink, one can serve malicious content or fake login pages, as Shlomi Narkolayev has shown.

If I were a malicious hacker I’d start serving fake password reset forms off these URLs, copy the legit mails above and… Well, the rest is obvious. Security is never easy.
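As an added example (not part of the original post, and not LinkedIn's code), here is the kind of check a mail filter or a careful recipient can run on a reset mail received during a wave like this: pull every link out of the body and accept only those that have exactly the shape of the genuine reset URL quoted above (HTTPS, the exact host `www.linkedin.com`, a path under `/e/pwr/`). The expected host and path prefix are assumptions taken from the redacted URL in the mail; the two sample mail bodies are constructed for the example. The check rejects lookalike hosts, `user@host` tricks and plain-HTTP downgrades; it deliberately does not try to catch content hosted on the legitimate domain itself, which is the gap the post is pointing at, so a path-prefix match is the best a URL-only check can do there.

```python
import re
from urllib.parse import urlsplit

# Assumed shape of a genuine reset link, taken from the redacted URL quoted in the post.
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "www.linkedin.com"
EXPECTED_PATH_PREFIX = "/e/pwr/"

# Constructed sample bodies (not real mails); the first is modelled on the mail quoted above.
SAMPLE_LEGIT = """Please use this secure URL to reset your password within 5 days.
https://www.linkedin.com/e/pwr/YYYYYYY/XXXXXXXX/
- The LinkedIn Team
http://www.linkedin.com/
"""

SAMPLE_SUSPECT = """Your account was disabled for security reasons. Reset now:
https://www.linkedin.com.account-check.example/e/pwr/AAAA/BBBB/
or http://www.linkedin.com/e/pwr/AAAA/BBBB/.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def check_reset_link(url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the link has exactly the
    shape of a genuine reset link; everything else is reported with the
    first mismatch found."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    # urlsplit lower-cases the scheme; compare against the one value we accept.
    if parts.scheme != EXPECTED_SCHEME:
        return False, f"scheme is {parts.scheme!r}, expected {EXPECTED_SCHEME!r}"

    # Anything before '@' in the authority is userinfo, not the host. A link such
    # as https://www.linkedin.com@other.example/ is really a link to other.example.
    if parts.username is not None or parts.password is not None:
        return False, "URL carries userinfo (user@host); the real host is after the '@'"

    # .hostname is lower-cased and has port/userinfo stripped. Exact match only:
    # no suffix or substring matching, so www.linkedin.com.example is rejected.
    host = parts.hostname or ""
    if host != EXPECTED_HOST:
        return False, f"host is {host!r}, expected {EXPECTED_HOST!r}"

    if not parts.path.startswith(EXPECTED_PATH_PREFIX):
        return False, f"path {parts.path!r} is not under {EXPECTED_PATH_PREFIX!r}"

    return True, "matches the expected reset-link shape"


def extract_urls(body: str) -> list[str]:
    """Pull http(s) URLs out of a plain-text mail body, dropping trailing
    sentence punctuation that the regex would otherwise swallow."""
    return [m.rstrip(".,;:)]") for m in URL_RE.findall(body)]


def triage_email(body: str) -> list[tuple[str, bool, str]]:
    """Check every link in a mail body; returns (url, ok, reason) per link."""
    return [(url, *check_reset_link(url)) for url in extract_urls(body)]


if __name__ == "__main__":
    for label, body in (("legit-shaped mail", SAMPLE_LEGIT), ("suspect mail", SAMPLE_SUSPECT)):
        print(f"== {label}")
        for url, ok, reason in triage_email(body):
            print(f"  {'OK  ' if ok else 'FAIL'} {url}  ({reason})")
```

Note that in the legit-shaped sample the footer link `http://www.linkedin.com/` is also reported as a non-reset link; that is intended, since only the reset URL itself needs to pass, and a reviewer should expect exactly one passing link in a genuine reset mail.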
