No matter how careful you think you are, there is always a risk that your online accounts can be hacked. For most people it is simply an inconvenience and possible embarrassment when messages or tweets are sent from their account. The solution is often to reset a password, change security questions and tighten your settings. To do this, however, you still need access to the email address or telephone number associated with the account.
But what happens when you don’t have access to that data? What happens if the attacker changes the email address and telephone number associated with the account? If you have two-factor or multi-factor authentication turned on you can often stop this happening. This is because changes made to the account often have to be verified through a code sent to a telephone.
For users who have not set up multi-factor authentication things can rapidly go from bad to a disaster.
LinkedIn failing users who have been hacked
LinkedIn is more than just a social media network. It is a network focused on business contacts and one that many users rely on for work and new business. As a result, there is much more trust placed in an email received from a LinkedIn contact. This means that hacked LinkedIn accounts are worth more to cyber criminals, who can sell them for far more than a Facebook or Twitter account.
As a result, it might be reasonable to assume that LinkedIn has a robust mechanism to help its users. If you think that, you are in for a major disappointment. If an attacker takes over a LinkedIn account and changes the email address and telephone number, the user cannot do anything. Why is this?
LinkedIn requires that a user be able to reset their password to take back control of their account. When they cannot do that, LinkedIn has no obvious mechanism to recover the user's account. The LinkedIn help system says: “In order to contact us, you must be signed in to your LinkedIn account.” If you cannot sign in, you cannot use the help system.
LinkedIn chooses not to publish a telephone number that can be used to contact its support and security teams. The only other option is to try the LinkedInHelp account on Twitter. However, this assumes that the person concerned already has a Twitter account, as setting up an account just to resolve this type of problem would fail most fraud checks.
How does a user get into this state?
Take the case of user Mark (name changed). He hadn’t been on LinkedIn for a while. After receiving an InMail message from the son of an old friend, he accepted the message and clicked on the document link it contained. The link contained code that gave the attackers control of his account. Before he realised what had happened, everyone in his business contact list had received an email from him with a PDF document link.
As soon as he was made aware of the issue he tried to log into his account, change his password and inform everyone not to open the earlier emails. He discovered that the email address associated with the account had been changed. The telephone number associated with the account was also no longer working. When he tried to contact LinkedIn, he hit the problem that he could not do anything unless he was logged in.
After he contacted me at Enterprise Times, we tried to help. The best we could do was mark the account as an impersonated account. We were unable to get any response from LinkedIn as to what the user could do. We also contacted the LinkedIn press office via their email account asking for comment. So far, there has been no response, despite them knowing the deadline for publication.
Facebook’s “Get help From Friends” feature
Facebook has introduced a feature called Get help From Friends. This allows a user to identify up to 10 people who can help them recover their account in the event that it is hacked and taken over. It doesn’t matter if the user cannot access any of the email addresses or telephone numbers associated with their account. The feature allows the user to enter a new telephone number and then contact one of the trusted contacts. It then uses information from both parties to prove who owns the account and, after 24 hours, gives them access to it.
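As an added illustration of how a trusted-contact recovery scheme like the one described above can be structured: this is example code written for this article, not Facebook's or LinkedIn's implementation. The service class, its method names and the code format are assumptions; only the 10-contact limit and the 24-hour waiting period come from the text.

```python
import hmac, hashlib, secrets

MAX_TRUSTED = 10            # limit quoted in the article
WAIT_SECONDS = 24 * 3600    # waiting period quoted in the article

class RecoveryService:
    """Hypothetical trusted-contact recovery; all names here are assumptions."""
    def __init__(self):
        self.trusted = {}   # account -> trusted contacts, chosen before any takeover
        self.requests = {}  # account -> pending recovery request
        self.secret = secrets.token_bytes(32)  # server-side key used to derive codes

    def set_trusted_contacts(self, account, contacts):
        contacts = set(contacts) - {account}
        if not 1 <= len(contacts) <= MAX_TRUSTED:
            raise ValueError(f"choose between 1 and {MAX_TRUSTED} trusted contacts")
        self.trusted[account] = contacts

    def start_recovery(self, account, new_phone, now):
        # The locked-out owner supplies a new reachable number; the request id
        # ties later codes to this attempt so an old code cannot be replayed.
        req_id = secrets.token_hex(8)
        self.requests[account] = {"id": req_id, "phone": new_phone,
                                  "started": now, "vouched": None}
        return req_id

    def code_for_friend(self, account, friend, req_id):
        # Only a pre-registered trusted contact, acting from their own account,
        # can obtain a code, and the code is bound to one request and one friend.
        if friend not in self.trusted.get(account, ()):
            raise PermissionError("not a trusted contact")
        req = self.requests.get(account)
        if req is None or req["id"] != req_id:
            raise LookupError("no matching recovery request")
        msg = f"{account}|{friend}|{req_id}|{req['phone']}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:8]

    def submit_code(self, account, friend, code, now):
        # The owner relays the code the friend passed on out of band: both the
        # owner's request and the friend's code are needed to proceed.
        req = self.requests[account]
        expected = self.code_for_friend(account, friend, req["id"])
        if not hmac.compare_digest(expected, code):
            return False
        req["vouched"] = now
        return True

    def access_granted(self, account, now):
        # Access is handed over only after the waiting period, giving the real
        # owner time to notice and dispute a recovery they did not start.
        req = self.requests.get(account)
        return bool(req and req["vouched"] is not None
                    and now - req["vouched"] >= WAIT_SECONDS)
```

The waiting period is the part that matters most for abuse resistance: a stolen code alone gives an attacker nothing until the delay has run, and the delay is the window in which the genuine owner can be alerted.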
What does this mean?
LinkedIn is a business network. It promotes itself as a trusted network. However, the case of Mark shows that it has to do more when things go wrong. Forcing users to abandon their accounts to hackers because they can no longer sign in is not acceptable. There has to be a better way of helping users when account takeover occurs.
If Facebook can adopt a trusted friends network there is nothing to stop LinkedIn doing it.
Should LinkedIn respond to our email requests for a statement on how to help users, we will publish it as a comment.
Meanwhile Mark is still getting phone calls from some of his contacts telling him he has been hacked. Some of those are coming from people in the professional bodies to which he belongs. He worries how many will open the document that is being distributed in his name and what will happen to their accounts.
Response from LinkedIn
It’s obviously very distressing when any online account is hacked and we’re sorry that your reader didn’t readily find the help he was after.
You can report issues with an account you have been locked out of here and our customer services team will be in touch to assist. This page should be easily findable when logged out by going to LinkedIn.com, selecting Help Centre from the bottom menu bar, and then entering a query such as ‘my account has been hacked’. We’re always looking to improve our security and service and are grateful for the feedback, so we will look at how we can improve the signposting for such cases.
We would encourage all members to keep their account secure by enabling two-factor authentication, using strong passwords, and regularly reviewing their privacy settings. We provide further advice on online safety on our safety centre, which can be found at https://safety.linkedin.com/.