Alerts

LinkedIn Password Change Notification Randomly Sent to Previous Employers

After the leak of roughly 6.5 million hashed passwords last week and the failed “mandatory password update for the affected account”, LinkedIn’s password reset confirmation e-mail has backfired by disclosing the reset to victim’ previous employers.

The password-reset confirmation appears to be randomly sent to a number of e-mail addresses the user is likely connected with. Based on our observations, these notifications are sent to e-mail accounts with current or previous employers – even if these e-mail addresses have never been associated with the LinkedIn account.

Example: Password reset notification for a user, sent to qscan@bitdefender. The Quick Scan account has never been associated with LinkedIn in any way.

The service notifies the user at e-mail addresses he or she doesn’t control allegedly to minimize phishing attacks following the leak of the hashed passwords. Although the LinkedIn message doesn’t mention the username, password or other identification for the user’s account, this alleged security feature counts as unnecessary disclosure of activity that may actually work against the user by informing third parties of his or her whereabouts.

We have notified LinkedIn about the issue.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

2 Comments

Click here to post a comment
  • I had the same issue, got a response from LinkedIn support. These email addresses are stored in your account. Every time someone expresses a desire to connect to you, linkedin sends an invite to the address your connection provided. Once you click to accept the connection, the email address is added to your account once you log in (makes sense, by accepting and logging in you’ve verified access and account ownership).

    To see (or remove) what is stored go to settings -> account -> add & change email addresses and you can remove old addresses.