Comments welcomed on fediverse via post https://tech.lgbt/@lettosprey/115527186347881397 , or on bluesky via post https://bsky.app/profile/lettosprey.bsky.social/post/3m5cguaqyxc2m
At some point yesterday, my LinkedIn account got hijacked. As I type this, it still is, and I feel like I am hitting a wall trying to get help from LinkedIn now. It initially seemed to be resolved well and fast, but when you don't know how your account was taken over, it is sorta bound to happen again.
Last night, I got my account back. I set a strong password for the account and changed my Gmail password as well, though I had not seen any suspicious activity in Gmail. I could not figure out how they had gained access, so that was all I could do. Past midnight, I was so tired that I had to head to bed.
This morning, the account was, again, hijacked. But this time, when signing in, I was left with a hint. The suggested sign-in email appeared to be one of my old ones.
This bit is the embarrassing part. I had completely forgotten that I had an old email listed as an alternative email. This becomes a particular issue with LinkedIn, a site I generally only interact with every now and then, when I look for a new job. And listed there, completely forgotten, was an email I have not used in over a decade, belonging to a domain I let go over a decade ago.
Someone registered that domain yesterday. Who, that part is hidden, but having done so, they could easily get a password change request from LinkedIn delivered into their own mailbox.
I am generally very security aware. I use strong passwords, 2FA, and whatnot to protect accounts. But here was a thing I had completely forgotten.
Looking at "my LinkedIn was hacked!" posts online, it seems this is an experience many have had. Some have left hints pointing in the direction of this being the cause, but have not been able to connect the dots. And when someone does a domain registration to get LinkedIn access, and sets it up for a recruitment scam right away, it seems quite unlikely that I am "one of the few" to experience this.
Am I "to blame" for this? I guess I kinda am; I left that hole open. But we need to get away from "blame the user" and move to "reduce the attack surface". Putting the responsibility on the user means it will happen. I am an IT professional, and I still fell into this trap. Letting password resets go, unchecked, to emails that have not been active in a long time is, well, not acceptable.
"Is your contact info still correct?" is a question most sites ask at regular intervals. That LinkedIn, with so many sporadic users who are likely to forget, does not have this set up is worrying.
There are other, simple fixes. A password reset sent to a non-primary email address should trigger a notification to the primary address, and there should be a delay before the password reset link becomes active. This would give the user a chance to block this kind of takeover attempt. And, again, given how many times this seems to have happened, it is kinda surprising this is not in place.
"I had 2FA and a strong password, and still my account was taken", someone writes. What is the point of 2FA if you can easily use a non-primary email to bypass and disable it?
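To make the proposal concrete, here is an added example (my own sketch, not LinkedIn's code) of a reset flow in which a request sent to a non-primary address notifies the primary address, only becomes redeemable after a hold period, and can be cancelled in the meantime; the 24-hour hold and the in-memory outbox standing in for real email are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD = timedelta(hours=24)  # assumed delay before a reset via a non-primary address is usable


@dataclass
class Account:
    primary: str
    alternates: set
    pending: dict = field(default_factory=dict)  # token -> time it becomes active (None = cancelled)
    outbox: list = field(default_factory=list)   # (recipient, message); constructed stand-in for email


def request_reset(acct: Account, email: str, now: datetime):
    """Issue a reset token for `email`, or None if the address is not on the account."""
    token = secrets.token_urlsafe(16)
    if email == acct.primary:
        acct.pending[token] = now                      # primary address: usable immediately
    elif email in acct.alternates:
        acct.pending[token] = now + HOLD               # alternate address: held back
        # Tell the primary address what is going on so the owner can cancel.
        acct.outbox.append((acct.primary,
                            f"Password reset requested via {email}; cancel token {token} if not you"))
    else:
        return None
    acct.outbox.append((email, f"Your reset link: {token}"))
    return token


def cancel_reset(acct: Account, token: str) -> bool:
    """Revoke a pending reset; the owner does this from the primary mailbox."""
    if token in acct.pending:
        acct.pending[token] = None
        return True
    return False


def redeem_reset(acct: Account, token: str, now: datetime) -> bool:
    """True only for a known, uncancelled token whose hold period has passed."""
    active_at = acct.pending.get(token)
    if active_at is None or now < active_at:
        return False
    del acct.pending[token]                            # single use
    return True
```

A cancelled or premature token is rejected, so a reset mailed to an address on a lapsed domain buys the attacker nothing until the owner has had a chance to see the notification.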
The first time the account was hijacked, I used a "prove you are you" site to validate who I was to LinkedIn, and the case was resolved quickly. The second time, I got the same "prove you are you" link, but it is not working. I have poked at LinkedIn a few times trying to figure out what to do now.
"Your account has been suspended due to policy violations" is all I have gotten back. Well, yah, that is what the recruitment spammers who took my account would cause. But they still have the (now their) email on the account, and I assume it is the primary email now.
I am at the point of considering a GDPR takedown request. If I cannot remove my data myself, I probably can force LinkedIn to do so.