Your LinkedIn Account Can Get Hacked By Anyone And There Is Nothing You Can Do About It
On 29th January 2024, my LinkedIn account got hacked. It was very surprising to me, because all of my accounts are protected with the best security measures a user can possibly take. I had a long, randomly and securely generated string as my password, I had 2-factor authentication on, I had my phone number added, I had only ever signed in from my own devices on my home network, and I always make sure I am not clicking on or visiting any sketchy site or entering anything into a phishing site. But the fact that I still got hacked was a big surprise. When I discovered how the account got hacked, I was furious!
The Incident of The Hack
On 28th January, 2024 at 1:37 PM, I received an email from LinkedIn: “Nazmul, here’s your PIN ****** … Enter this code to complete the reset…. If you didn’t request this pin, we recommend you change your LinkedIn password.” Of course, it wasn’t requested by me. So I opened my LinkedIn app on my phone, where I was already signed in, and changed my password to something very secure. (I think LinkedIn’s suggestion in this email to change the password is unnecessary. This email can arrive if someone simply enters my email in the “Forgot Password” option. Without the PIN, they cannot do anything. So why should I change the password?) I also checked the list of devices from which I was signed in, to see if there was anything I didn’t recognise. All the sessions listed there were my own devices. So, nothing to worry about.
The next day, on 29 January, 2024 at 12:55 PM, I received another email from LinkedIn: “Nazmul, here’s the link to reset your password”. And at 1:35 PM, another email came from LinkedIn: “Nazmul, here’s your PIN ******”. My phone was in silent mode when these emails arrived, as I was in a meeting at work. (Though it wouldn’t have mattered if I had noticed them immediately.) I noticed the emails at around 2:00 PM. The email suggested that I change my password if it wasn’t me, so I opened my LinkedIn app. But I was logged out!
I tried to log in by entering my password, but it was rejected as wrong credentials. I tried to reset the password through the “Forgot Password” option, but no reset link came to my email. I tried “Login with Google”, even though I knew I hadn’t added Google Login to my LinkedIn account, hoping it would prompt me to connect or something. Instead, it created a brand new LinkedIn account!
So it was clear at that point that someone had taken control of my account, removed my email and changed my password. I asked an associate to check my profile and tell me what information he could see. He sent me a screenshot. I noticed that nothing had changed except my email address. The email address had the same name as my original email; the only difference was that it was @outlook.com, not @gmail.com. The attacker had copied my email name and created a similar email at outlook.
Recovering My Account
At 2:24 PM, I created a ticket with LinkedIn support reporting my hacked account and asking for their help to recover it. I got a reply from support at 7:23 PM. They locked my hacked account and gave me two options to verify my identity.
Option 1: upload a scanned copy of a government-issued ID, or
Option 2: follow this link https://www.linkedin.com/help/linkedin/answer/a1342243/ , download and print the form, sign it before a Notary Public or Public Official, and then upload a scanned copy of the signed document.
(Remember this; I will get back to it later.)
I went with option 1 and provided my ID. The next day, on Jan 30 at 5:46 PM, support replied that they had verified my identity, merged my new account (the one that was created when I tried Login with Google) with my original account, and had sent me a reset link in a separate email. I checked my inbox: there was no password reset email, but there was a new notification email saying that my account (the new account) had been closed. I had the new account open in a separate tab, from which I was replying on the support ticket, so I checked that tab; it was signed out and asked me to enter the password for the account with the “*****@outlook.com” email. I realised what had happened. Support had sent the reset link email to my attacker’s email (@outlook.com) instead of to my email (@gmail.com). (Remember, the attacker had created a lookalike email.) I didn’t expect LinkedIn support to make this mistake, because I had stated my email address very clearly and had made it very clear that my actual email had been removed from that account.
So I replied to that ticket again from my email (because the new account had been closed and they had closed the ticket; replying from the email reopened it). I explained again that my email is gmail, not outlook. I got a reply almost immediately, and this time I got the notification email saying “Confirm your email address”, so this time the support agent had fixed their mistake. I immediately logged in, updated my password and added 2FA again.
How The Account Got Hacked
So now the real question: how did my account get hacked? Up to that point, I had no idea. I was pretty sure my password hadn’t been leaked. If the attacker had used a stolen password, I would have gotten the first login notification before they had the opportunity to change the email. I started to suspect that somehow my browser session had been stolen (the Linus Tech Tips YouTube channel recently got hacked by session hijacking). But I still couldn’t pinpoint any interaction that might have compromised my browser or device.
I started to check whether the attacker had changed any information or done anything from the account. I checked the activity log. And then I noticed this log entry:
Notice the line I have pointed to with the red arrow. A CUSTOMER SERVICE REPRESENTATIVE HAS CHANGED MY EMAIL!
After seeing this log entry, it became clear how the hack was done. The attacker convinced LinkedIn support that he had lost access to the email and needed to change it. And somehow, a LinkedIn customer service agent accepted the request and changed the email, nicely handing access to my account to the attacker!
I had two emails added to my account. I also had my workplace verified using my work email. I had 2FA on. Despite all of this, LinkedIn didn’t bother verifying any of those. I suspect they asked the attacker to verify his identity, as they asked me, using one of those two options. The attacker might have gone with option 1 using a fake ID, or option 2 by faking the signatures, submitted it to LinkedIn, and voilà! Account hacked.
This has been a really frustrating experience for me. If a LinkedIn customer service representative can be tricked into changing an account’s primary email that easily, then no matter how strong a password you use, or whether you have 2FA on or not, anyone on the internet can get access to your account just by asking LinkedIn support.
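As an added example (not the author's or LinkedIn's code), here is the recovery-policy rule the post argues was missing, in Python: a support-initiated change of the primary email is refused unless the requester proves control of a factor the owner already enrolled (2FA, a second email or a verified work email), an ID scan is accepted only when no such factor exists, and any approved change is held for a notice period and announced to the old addresses. Field names and the 72-hour hold are assumptions.

```python
"""Recovery-path policy check: an added example, not LinkedIn's code.

Lesson of the post: an account is only as strong as its weakest recovery path.
A support-initiated primary-email change must be backed by a factor the owner
enrolled (2FA, second email, verified work email); an ID scan alone counts only
when nothing else is enrolled. Names and the hold period are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional
HOLD_HOURS = 72  # assumed cooling-off delay before the new email takes effect

@dataclass
class Account:
    primary_email: str
    secondary_emails: List[str] = field(default_factory=list)
    two_factor_enabled: bool = False
    verified_work_email: Optional[str] = None

@dataclass
class RecoveryRequest:  # what the requester actually proved during the ticket
    passed_two_factor: bool = False
    proved_secondary_email: bool = False
    proved_work_email: bool = False
    uploaded_id_document: bool = False

def enrolled_factors(acct: Account) -> List[str]:
    """Factors the owner set up; a recovery flow must honour at least one."""
    return [name for name, present in (
        ("2fa", acct.two_factor_enabled),
        ("secondary_email", bool(acct.secondary_emails)),
        ("work_email", acct.verified_work_email is not None)) if present]

def evaluate_email_change(acct: Account, req: RecoveryRequest) -> dict:
    """Decide whether support may change the primary email. Every outcome lists
    the previously verified addresses to notify, so the real owner can object."""
    notify = [acct.primary_email, *acct.secondary_emails]
    if acct.verified_work_email:
        notify.append(acct.verified_work_email)
    proved = {"2fa": req.passed_two_factor,
              "secondary_email": req.proved_secondary_email,
              "work_email": req.proved_work_email}
    factors = enrolled_factors(acct)
    if factors and not any(proved[f] for f in factors):
        return {"allowed": False, "hold_hours": 0, "notify": notify,
                "reason": f"must prove one of {factors}; ID scan alone is insufficient"}
    if not factors and not req.uploaded_id_document:
        return {"allowed": False, "hold_hours": 0, "notify": notify,
                "reason": "no enrolled factor and no ID document"}
    return {"allowed": True, "hold_hours": HOLD_HOURS, "notify": notify,
            "reason": "enrolled factor proved" if factors else "ID document only"}
```

With the account state described in the post (two emails, 2FA, verified workplace), a request backed only by an uploaded ID is refused, while the same request against an account with nothing enrolled is the only case where the ID scan decides.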
I created another ticket with LinkedIn, explaining my findings and asking what I can do to prevent this from happening again, because unless LinkedIn fixes this, my account can get hacked again no matter what I do. They replied that they have taken steps to secure my account properly and will be addressing the issue internally. I hope it wasn’t a generic reply and that they really do look into it internally, and quickly.
Meanwhile, what can you do to secure your account? Nothing! Let’s hope nobody targets you with an attack like this, and that LinkedIn takes proper action to protect its users from such an exploit.
Stay safe!