It’s never a good day when you lose control over a significant account. First, it goes to show that none of us are perfect and we can all be pwned as a matter of course, regardless of how careful we are. This story has a reasonably happy ending, but there are still important lessons.
Obviously the folks at Facebook and Twitter take head shots every week about privacy/security issues. LinkedIn has largely gone unscathed. But truth be told, LinkedIn is more important to me than Facebook, and it’s close to Twitter. I have a bunch of connections and I use it fairly frequently to get contact info and to search for a person with the skills I need to consult on a research project.
So I was a bit disturbed to get an email from a former employer today letting me know they had (somewhat inadvertently) gained control of my LinkedIn account. It all started innocently enough. Evidently I had set up this company’s LinkedIn profile, so that profile was attached to my personal LinkedIn account. The folks at the company didn’t know who set it up, so they attempted to sign in as pretty much every marketing staffer who ever worked there. They did password resets on all the email addresses they could find, and they were able to reset my password because the reset notice went to my address there.
They didn’t realize it wasn’t a corporate LinkedIn account I set up – it was my personal LinkedIn account. With that access, they edited the company profile and all was well. For them.
Interestingly enough, I got no notification that the password had been reset. Yes, that’s right. My password was reset and there was zero confirmation of that. This is a major privacy fail. Thankfully the folks performing the resets notified me right away. I immediately reset the password again (using an email address I control) and then removed the old email address at that company from my profile. Now they cannot reset my password (hopefully), since that email is no longer on my profile. I double-checked to make sure I control all the email addresses listed on my profile.
To be clear, I’m to blame for this issue. I didn’t clean up the email addresses on my LinkedIn profile after I left this company. That’s on me. But learn from my mishap and check your LinkedIn profile RIGHT NOW. Make sure there are no emails listed there that you don’t control. If there is an old email address, your password can be reset without your knowledge. Right, big problem.
LinkedIn needs to change their process as well. At a minimum, LinkedIn should send a confirmation email to the primary email on the account whenever a password is reset or profile information is changed. In fact, they should send the email to all the addresses on the account, because someone might have lost control of their primary address. I’m actually shocked they don’t do this already.
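To make the two controls concrete, here is an added example (my own toy code, not LinkedIn's and not from the original post) of a password-reset service: a reset may be started through any address on the account, but when it completes every address on file is told, and the account holder can audit and drop addresses they no longer control. The accounts, addresses and the mailer are all constructed and simulated; `RecoveryService`, `demo()` and the example.com addresses are hypothetical names.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    primary_email: str
    other_emails: list = field(default_factory=list)
    password_hash: str = ""

    def all_emails(self):
        return [self.primary_email] + list(self.other_emails)


class RecoveryService:
    """Toy password-reset flow with notification fan-out (hypothetical, not LinkedIn's)."""

    def __init__(self):
        self.accounts = {}   # username -> Account
        self.outbox = []     # simulated mailer: (recipient, subject)
        self.pending = {}    # one-time token -> (username, address that requested it)

    @staticmethod
    def _hash(password):
        # placeholder hashing for the toy; a real service uses a slow KDF (bcrypt/argon2)
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, username, primary_email, other_emails=(), password="initial"):
        acct = Account(username, primary_email, list(other_emails), self._hash(password))
        self.accounts[username] = acct
        return acct

    def find_by_email(self, email):
        for acct in self.accounts.values():
            if email.lower() in (e.lower() for e in acct.all_emails()):
                return acct
        return None

    def request_reset(self, email):
        """Any address on file may start a reset; the link goes only to that address."""
        acct = self.find_by_email(email)
        if acct is None:
            return None          # say nothing: don't reveal whether the address is known
        token = secrets.token_urlsafe(16)
        self.pending[token] = (acct.username, email)
        self.outbox.append((email, "Password reset link"))
        return token

    def complete_reset(self, token, new_password):
        """Apply the reset and tell EVERY address on the account that it happened."""
        if token not in self.pending:
            return False
        username, via = self.pending.pop(token)   # token is single-use
        acct = self.accounts[username]
        acct.password_hash = self._hash(new_password)
        for addr in acct.all_emails():
            self.outbox.append((addr, f"Your password was reset (via {via})"))
        return True

    def remove_email(self, username, email):
        """Account holder drops an address they no longer control; the rest are notified."""
        acct = self.accounts[username]
        if email.lower() == acct.primary_email.lower():
            raise ValueError("set a new primary address first")
        acct.other_emails = [e for e in acct.other_emails if e.lower() != email.lower()]
        for addr in acct.all_emails():
            self.outbox.append((addr, f"Address removed from your account: {email}"))

    def audit(self, username):
        """The list the post says to check RIGHT NOW: every address that can start a reset."""
        return self.accounts[username].all_emails()


def demo():
    """Replay the post's scenario with constructed sample data."""
    svc = RecoveryService()
    svc.register("user1", "me@example.com", ["user1@old-employer.example"])
    token = svc.request_reset("user1@old-employer.example")   # former employer starts a reset
    svc.complete_reset(token, "new-password")
    notified = sorted({r for r, s in svc.outbox if s.startswith("Your password was reset")})
    svc.remove_email("user1", "user1@old-employer.example")   # clean-up the post recommends
    stale_still_works = svc.request_reset("user1@old-employer.example") is not None
    return notified, stale_still_works


if __name__ == "__main__":
    print(demo())
```

In `demo()` the reset link still goes only to the requesting address, as it did in the post; the difference is that the completed reset is announced to the primary address too, so the account holder learns about it immediately rather than by the goodwill of whoever did the reset. Once the stale address is removed, `request_reset` on it returns nothing.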
Fix this, LinkedIn, and fix it now.