As soon as it learned that around 6.5 million of its customers’ passwords had ended up online, LinkedIn started resetting passwords and sending out notifications.
To make sure that cybercriminals could not use the opportunity to launch phishing campaigns, the company told members that the emails would not contain any links, and it included a couple of details to make them look more legitimate.
While this may have been a wise decision, Bitdefender experts have discovered that the notification process presents some problems.
The password reset notifications are sent to a number of email addresses other than the one actually associated with the affected LinkedIn account, mainly addresses related to the member's current or previous employers.
Furthermore, the fact that LinkedIn has included the customer's full name and professional headline in the emails is also problematic.
Experts argue that the decision to include this information might represent “unnecessary disclosure of activity.”
LinkedIn has been notified regarding these issues.