Should You Panic or Stay Calm?
It could just be me, but I doubt it. I’ve certainly had my share of attempts to attack my accounts, including the SIM Jacking I documented (3 Minutes to Financial Ruin). But since the vast majority of these attacks are automated, with the perpetrators using tools that attack multiple accounts at a time, often loaded with lists from breaches, I bet you receive alerts like I do.
One of the more irritating is the LinkedIn alert of an attempt to log in to your account. Depending on what you have set up on your account, your alerts may be slightly different. Rest assured, if you have little to no additional security beyond your user ID (typically your email address) and your password, you might have already lost control of your LinkedIn account.
In my case, I have additional layers of security to combat these attacks and attempts, but despite that, I recently received notices like this one that suggest I have a problem and should be changing my password.
There are plenty of flags in this to warrant concern: a login attempt from an unusual location that I am not at and have never been to, a reset done at an unusual time, and a link to “change your password right away”.
What happened? How concerned should you be? Should you click the link and change your password?
Is Your LinkedIn Account Under Attack?
Well, let’s start with the basics.
DON’T click on any of these links, as this message itself could be a more sophisticated phishing attempt (The Desire to Help and Security). If you decide you do need to change your password, go to the site by opening a new browser window and typing the domain in by hand.
How concerned you need to be will depend on the security factors you have enabled on your account. As I said above, if you don’t have a second form of authentication (aka two-factor authentication, or 2FA) then you might well need to change your password. More importantly, switch on those features for LinkedIn.
All the controls for this are on the LinkedIn main page under your profile picture and in the menu option: Settings and Privacy/Sign-in Security.
Here’s Your First Incremental Step
🙏 Switch on “Two-step verification” and choose the separate authenticator app method. There are many, including Google Authenticator; several password managers have a built-in authenticator app, and there are standalone apps like Auth. Pick one and use it for all your 2FA needs. The setup walks you through it: you scan a QR code with your phone to link the account to your device, and from then on the authenticator app generates a 6-digit code you must enter whenever you log in to LinkedIn from a new device, browser, or location.
Wondering how the latest attack on your account was attempted? Much depends on the security you have enabled, supplemented by LinkedIn’s own efforts to detect unusual sign-in requests (from a new location, at unusual times, etc.). You might have experienced this if you travel and log in from a new location while visiting another part of the country or a different country. You will get an alert like this when you successfully log in from a new location.
BUT – if you have not just logged in from a new location and see one of these alerts, this is an urgent case requiring immediate attention, as it indicates that someone has logged in as you and has unauthorized access to your account.
Sometimes LinkedIn will add an additional check if you are making significant changes to your account, to re-confirm you really are the legitimate account holder, and send a 6-digit code to the email address registered to the LinkedIn account, much like this one I received.
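The distinction the post draws, a failed attempt from somewhere new versus a successful login from somewhere new, is the core of the kind of sign-in anomaly check described above. The following is an added illustration of that logic, not LinkedIn’s actual detection code: it builds a baseline per user from past successful logins (countries, devices, active hours) and grades a new event, with a successful login from an unseen location rated urgent. All login records are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Login:
    user: str
    country: str    # coarse geo-IP result, e.g. "US" (assumed field)
    device_id: str  # browser/device identifier (assumed field)
    hour_utc: int   # 0-23
    success: bool


@dataclass
class Profile:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    active_hours: set = field(default_factory=set)


def build_profile(history: list) -> Profile:
    """Baseline from past *successful* logins only, so an attacker's failed guesses never teach the model."""
    profile = Profile()
    for login in history:
        if login.success:
            profile.countries.add(login.country)
            profile.devices.add(login.device_id)
            profile.active_hours.add(login.hour_utc)
    return profile


def reasons_for(profile: Profile, login: Login) -> list:
    """Flag everything about the event that the baseline has never seen."""
    reasons = []
    if login.country not in profile.countries:
        reasons.append("new_location")
    if login.device_id not in profile.devices:
        reasons.append("new_device")
    if profile.active_hours and login.hour_utc not in profile.active_hours:
        reasons.append("unusual_time")
    return reasons


def severity(reasons: list, success: bool) -> str:
    """A *successful* login from an unseen location is the case the post calls urgent;
    a failed attempt is still worth a notice (someone is trying your credentials)."""
    if not reasons:
        return "info"
    if success and "new_location" in reasons:
        return "urgent"
    return "notice"


def evaluate(history: list, event: Login):
    """Grade one new login event against the user's history. Returns (severity, reasons)."""
    reasons = reasons_for(build_profile(history), event)
    return severity(reasons, event.success), reasons


# Constructed history: one user, always from the US on two known devices, early afternoon UTC.
HISTORY = [
    Login("alice", "US", "dev-A", 13, True),
    Login("alice", "US", "dev-A", 14, True),
    Login("alice", "US", "dev-B", 15, True),
]

if __name__ == "__main__":
    for event in [
        Login("alice", "US", "dev-A", 14, True),   # routine
        Login("alice", "BR", "dev-Z", 3, False),   # failed attempt, new everything
        Login("alice", "BR", "dev-Z", 14, True),   # succeeded from an unseen place: urgent
    ]:
        print(event.country, event.success, "->", evaluate(HISTORY, event))
```

The response the post recommends follows directly from the grade: an urgent event means someone already has a session, so revoke sessions and rotate the password from a hand-typed URL; a notice on a failed attempt means the credential is being tried, which is when 2FA and a unique password matter.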
I probably don’t really need to obscure the code generated, as it changes every 30 seconds, but I’m just extra cautious (I have been caught before – Trust No One).
But back to how the attack took place and if you need to change your password.
In the case above the perpetrator entered my email address and clicked the “forgot my password” link, which generated the link to log in. He may have tried entering multiple passwords obtained from one of the many breaches containing my information, hoping I was foolish enough to re-use passwords across accounts. So maybe I have a password for my bank and use the same password for LinkedIn. I don’t, and neither should you.
Use a password manager (I wrote about some options and approaches for this here) and generate a unique 24+ character random password for every site you have credentials for. While you are at it, secure your email accounts with nuclear-level cybersecurity – really! Your email is the gateway to everything: your bank accounts, your life, your online storage. Access to your email allows resetting all your passwords and owning your life... You have been warned!
You might decide to change the password just in case, and that’s fine.
Whatever you do, sign up for Troy Hunt’s great HaveIBeenPwned alerts for any breaches of your credentials. That is when you certainly need to change your password – not every 30/60/n days (that forced periodic password changes are less secure is well established by NIST and Bruce Schneier).
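Two of the points above, generating a unique 24+ character random password per site and checking whether a credential has shown up in a breach, can be demonstrated together. This is an added example, not code from the post or from HaveIBeenPwned: it draws passwords from the operating system’s CSPRNG and then applies the k-anonymity scheme HaveIBeenPwned’s Pwned Passwords service uses, where only the first five hex characters of the SHA-1 hash would be sent and the rest is matched locally. The range response below is a constructed stand-in (the first line really is the hash suffix of the word “password”, the counts are made up), so the example runs offline; no network call is made.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 24) -> str:
    """One unique password per site, drawn from the OS CSPRNG via `secrets` (never the `random` module)."""
    if length < 24:
        raise ValueError("the post recommends 24+ characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing cost of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def hibp_prefix_suffix(password: str):
    """Pwned Passwords k-anonymity: SHA-1 the password and split the hex digest into a 5-char prefix
    (the only part that would leave your machine) and a 35-char suffix compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how often our suffix was seen."""
    for line in range_body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6
# (the real response has several hundred lines). First line: suffix of SHA-1("password"); counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2F7D1B8C3A9E0F4D5C6B7A8F9E0D1C2B3A4:2
"""


def is_breached(password: str, range_body: str) -> bool:
    """True if the password's hash suffix appears in the range response for its prefix."""
    _, suffix = hibp_prefix_suffix(password)
    return breach_count(suffix, range_body) > 0


if __name__ == "__main__":
    candidate = generate_password()
    print("generated:", candidate, f"({entropy_bits(len(candidate)):.0f} bits)")
    print("'password' breached?", is_breached("password", SAMPLE_RANGE_5BAA6))
    print("generated breached?", is_breached(candidate, SAMPLE_RANGE_5BAA6))
```

A 24-character password over this alphabet has roughly 157 bits of entropy, far beyond any credential-stuffing list, which is why a password manager’s generated value is safe to use everywhere without ever reusing it. To run the check live you would fetch the range for the 5-character prefix and pass the response body to `breach_count`; the full password, and even its full hash, never has to be sent.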