Softpedia · Security Blog
June 12th, 2012, 09:45 GMT · By


Experts Find Issues in LinkedIn Password Reset Notifications

[Image: LinkedIn password reset notifications present some issues]
As soon as it learned that around 6.5 million of its customers’ passwords had ended up online, LinkedIn started resetting passwords and sending out notifications.

To make sure that cybercriminals couldn’t take this opportunity to launch phishing campaigns, the company told members that the emails would not contain any links, and it included a couple of personal details to make the messages look more legitimate.

While this may have been a wise decision, Bitdefender experts have discovered that the notification process itself presents some problems.

The password reset notifications are being sent to a number of email addresses other than the one actually associated with the affected LinkedIn account, mainly addresses related to the member's current or previous employers.

Furthermore, the fact that LinkedIn includes the customer's full name and professional headline in these emails is also problematic.

Experts argue that including this information might represent “unnecessary disclosure of activity.”

LinkedIn has been notified regarding these issues.
FILED UNDER: LinkedIn, advisory, incident

READER COMMENTS:


Comment #1 by: epaslv on 12 Jun 2012, 14:02 UTC

The biggest concern I have is non-disclosure.

The email I got starts off by saying...
"In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe.

We have recently disabled your account for security reasons."

1) At no stage are they disclosing what in fact happened, the incident, the severity and the risks.
2) It states that your account has been disabled. It then shows you instructions how to reset your password (nothing to do with enabling your account again). This is poorly worded.

When I contacted friends of mine who were unaware of the incident but had received the mail, they were of the belief that it was just a routine email that LinkedIn decided to send out from time to time.

Nowhere do they disclose the nature of the incident. I believe this is a deliberate tactic aimed at downplaying the incident.

Many of my friends told me that they don't log into LinkedIn that often and set it up some time ago. Now that they actually know the reason behind the email, they advised me that they would be shutting their accounts down. I wonder how many people will do just that.

Comment #1.1 by: Eduard K on 12 Jun 2012, 15:13 GMT

You make an interesting point. There are some obvious issues in the way these notifications are sent to affected users.

Anyway, thanks for the feedback. It's highly appreciated.

Copyright © 2001-2013 Softpedia.