A firsthand perspective on the recent LinkedIn account takeover campaign
Not long ago I wrote about a recent campaign to hold LinkedIn users’ accounts to ransom. Shortly after I published the article, a co-worker, Peace, reached out to me told me they’d been a target of the campaign.
His story begins with an SMS text from LinkedIn telling him to reset his password. He found this confusing: It arrived in the middle of the night, and he hadn’t asked for a password reset. Since he doesn’t use the LinkedIn app on his mobile he checked his account on his laptop first thing in the morning. The current sessions (Profile Picture > Settings > Sign in & security > Where you’re signed in) showed an unknown IP address in Texas logged into his account.
Frustration #1: The promised “Sign out of all these sessions” option is nowhere to be found. I double checked in a browser session on Windows and in the app on Android. It’s not there.
Pearce then found out that there was at least one person in his Connections that he did not invite or accept an invitation from. This person also hails from Texas.
Pearce is a security professional so as soon as he was convinced there was someone else with access to his LinkedIn account, he took action.
A reset of the account’s password worked, but failed to remove the unwanted active session.
Pearce had already set up multi-factor authentication (MFA) on his account, but changed this from SMS to an authenticator app. As I stated in my previous blog, “Setting up MFA for LinkedIn with Okta turned out to be painful because LinkedIn does not provide a QR code but a secret key which is so long that it’s hard to get it right the first, or second time.”
But despite his troubles this didn’t remove the unwanted active session either.
Frustration #2: Changing security and sign in settings is a pain, but has no effect on currently logged in users on other devices.
Frustration #3: LinkedIn Support is overwhelmed and takes quite some time before you get actual help.
Pearce opened a support ticket with LinkedIn. As we mentioned before, the campaign appears to have completely overwhelmed LinkedIn Support. The LinkedIn Help account on X (formerly Twitter) has pinned a message to say:
“Hey there! 👋 We’re experiencing an uptick in questions from our members, causing longer reply times. Rest assured, we’re doing our best to assist you! For account-specific inquiries, please DM us the details and your email address. We appreciate your patience. Thanks! 🙌”
It took them 3 to 4 days to reply with the following message:
Status: Closed
…
Hi Pearce,
Thanks for contacting us about this. To secure your account, we’ve taken the following actions:
- We signed you out of your account from every computer or mobile device it has been accessed on. Note: This will now prompt a new login for your account.
- We sent a password reset link to the primary email address listed on your account.
There are a few scenarios that could explain the possibility of unauthorized access to a LinkedIn account:
- If you’ve recently signed into your account from a public computer or a shared device at your workplace or home, and didn’t completely sign out of your account, the next person to access the site on that device may have unintentionally signed in to your account.
- An email or phone number registered in your account is outdated and access to the email or phone number has been recycled or compromised.
- If the same password is used in multiple websites, this could have been compromised through unaffiliated sites or a phishing attack.
- We’d recommend these best practices for your online privacy:
- Check the email addresses on your account to ensure they are current: https://www.linkedin.com/help/linkedin/answer/60
- Turn on two-step verification as an added layer of security: https://www.linkedin.com/help/linkedin/answer/544
- Find more tips here: https://www.linkedin.com/help/linkedin/answer/267
If you continue to see anything suspicious, please report it to us immediately.
Regards,
LinkedIn Member Safety and Recovery Consultant
Fortunately this worked and Pearce has regained control of his account. But this ordeal could have been much worse than with just a few added new connections. Had the account been taken over, it could have been used for malicious activities, damaging Pearce’s reputation in the process.
Note: LinkedIn has added an option to end individual sessions since this incident, but a few quick tests showed that this doesn’t always work as advertised. We may dive into that at a later point.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.