The LinkedIn Security Hole Anyone Can Exploit

James Hobden
3 min read · Jul 15, 2024


It’s Sunday morning at 8 AM. I’m casually browsing my personal email when two messages from LinkedIn pop up: “James, here’s your PIN” followed by “James, your password was successfully reset.” My heart sinks. As a developer and web administrator with access to numerous AWS accounts, servers, and hosting control panels, my worst nightmare is one of my accounts getting hacked.

I already have 2FA, extremely long randomly generated passwords, and login notifications for all my accounts. I know how to spot phishing emails and regularly check session logs for any unknown activity. I’ve never signed into LinkedIn from anywhere but my home IP address.

I panic, wondering how they got into my email to access the password reset email. I check all the security logs… nothing. For good measure, I reset all my key account passwords, rotate 2FA keys, and log out of all sessions.

After calming down, I dig deeper and try to reset my LinkedIn password again, but no luck. It turns out LinkedIn offers a way to access your account without a password. Click “Forgot password,” complete the security check, and they email you a code. If you click “Can’t access this email,” a QR code pops up for you to scan with your phone.

If you scan it and follow the prompts, they ask you to upload a photo of your ID, and then a new email will be assigned to your account. That’s it. So if someone creates a fake ID in your name or has an image of it from a past data leak, they can get straight into your account.

I thought this was too easy, but it gets worse. If you raise a support ticket with LinkedIn, they email you back asking for either the ID or a “signed document.”

Seriously? This is a PDF you can download, fill in, and sign. As long as you proclaim the signature is from an official source, they accept it. This is literally just a PDF with some text fields and a signature box! My dog could squiggle a line, and they’d have no way of knowing if it was legit.

So basically, anyone can reassign access to your LinkedIn account. The person who broke into mine used a Windows computer in Vietnam. I’ve only ever signed in from a Mac and iPhone at my home IP address in the UK. The fact that their system allows someone to send a form, fill it with basic details from at least one data leak, and take control of your account with no second form of verification is crazy.

The rabbit hole goes deep. It’s been documented by hundreds, maybe thousands, of people on Reddit. A quick Google search brings up a plethora of people with the same story. Other Medium users have reported it. Yet nothing has been done.

So I’m writing this in the hope that if enough people see it and report it, LinkedIn might actually act and do something about it. At the very least, people will be educated on the issue, even though there’s not much you can do to protect yourself! I’m still locked out of my account. While I’m locked out, the hacker is messaging my contacts and changing details on my profile. LinkedIn suggests it may take up to two weeks to be reinstated, and according to other users, even after regaining access, there’s nothing to stop it from happening again. One poor person has had it happen three times!
