{"id":22832,"date":"2023-09-01T16:10:06","date_gmt":"2023-09-02T00:10:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/09\/01\/news-16562\/"},"modified":"2023-09-01T16:10:06","modified_gmt":"2023-09-02T00:10:06","slug":"news-16562","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/09\/01\/news-16562\/","title":{"rendered":"A firsthand perspective on the recent LinkedIn account takeover campaign"},"content":{"rendered":"

Not long ago I wrote about a recent campaign to hold LinkedIn users’ accounts to ransom<\/a>. Shortly after I published the article, a co-worker, Peace, reached out to me told me they’d been a target of the campaign.<\/p>\n

His story begins with an SMS text from LinkedIn telling him to reset his password. He found this confusing: It arrived in the middle of the night, and he hadn’t asked for a password reset. Since he doesn’t use the LinkedIn app on his mobile he checked his account on his laptop first thing in the morning. The current sessions (Profile Picture > Settings > Sign in & security > Where you’re signed in) showed an unknown IP address in Texas logged into his account.<\/p>\n

Frustration #1: The promised<\/a> “Sign out of all these sessions” option is nowhere to be found. I double checked in a browser session on Windows and in the app on Android. It’s not there.<\/p>\n

Pearce then found out that there was at least one person in his Connections that he did not invite or accept an invitation from. This person also hails from Texas.<\/p>\n

\"screenshot<\/p>\n

Pearce is a security professional so as soon as he was convinced there was someone else with access to his LinkedIn account, he took action.<\/p>\n

A reset of the account’s password worked, but failed to remove the unwanted active session.<\/p>\n

Pearce had already set up multi-factor authentication (MFA) on his account, but changed this from SMS to an authenticator app. As I stated in my previous blog, “Setting up MFA for LinkedIn with Okta turned out to be painful because LinkedIn does not provide a QR code but a secret key which is so long that it’s hard to get it right the first, or second time.”<\/p>\n

But despite his troubles this didn’t remove the unwanted active session either.<\/p>\n

Frustration #2: Changing security and sign in settings is a pain, but has no effect on currently logged in users on other devices.<\/p>\n

Frustration #3: LinkedIn Support is overwhelmed and takes quite some time before you get actual help.<\/p>\n

Pearce opened a support ticket with LinkedIn. As we mentioned before, the campaign appears to have completely overwhelmed LinkedIn Support. The LinkedIn Help account on X (formerly Twitter) has pinned a message to say:<\/p>\n

“Hey there! \ud83d\udc4b We’re experiencing an uptick in questions from our members, causing longer reply times. Rest assured, we’re doing our best to assist you! For account-specific inquiries, please DM us the details and your email address. We appreciate your patience. Thanks! \ud83d\ude4c”<\/p><\/blockquote>\n

It took them 3 to 4 days to reply with the following message:<\/p>\n

\n

Status: Closed<\/p>\n

…<\/p>\n

Hi Pearce,<\/p>\n

Thanks for contacting us about this. To secure your account, we’ve taken the following actions:<\/p>\n

    \n
  1. We signed you out of your account from every computer or mobile device it has been accessed on. Note: This will now prompt a new login for your account.<\/li>\n
  2. We sent a password reset link to the primary email address listed on your account.<\/li>\n<\/ol>\n

    There are a few scenarios that could explain the possibility of unauthorized access to a LinkedIn account:<\/p>\n