In recent weeks and months, there have been increasing reports of LinkedIn accounts being compromised and hacked. From high-profile business executives to regular users, stories of LinkedIn hacks and scams are becoming more and more common.
What is happening?
The main issue being reported by LinkedIn users is that their accounts are being taken over by hackers or scammers. Attackers gain access through phishing, malware, or password guessing; once in, they use the compromised account to send spam messages or connection requests to other users.
Some of the common scams being perpetrated through hacked LinkedIn accounts include:
- Sending messages asking to connect on other platforms like WhatsApp for “business opportunities.”
- Sending malware attachments disguised as invoices or other files.
- Spamming connection requests to gather personal information from users.
- Impersonating the account owner to ask contacts for money, sensitive information, or access to company resources.
The hackers are able to leverage the trust and connections a user has built up on LinkedIn to more effectively carry out social engineering and cybercrime.
What is enabling the hacking activity?
There are a few key factors that make LinkedIn an attractive platform for hackers:
- Valuable personal and professional data – LinkedIn contains a wealth of information on its users, including contact details, job titles, work history, skills, and connections. This is valuable data for carrying out spear-phishing campaigns and identity theft.
- Connections and trust – LinkedIn networks are based on professional trust and relationships. This makes users more likely to connect with or respond to strangers who appear to be colleagues or associates.
- Security oversights – LinkedIn’s security and fraud detection capabilities have not kept up with the rising threat of social media hacking. Account hacks often go undetected, allowing attackers prolonged access.
- User negligence – Many LinkedIn users do not use unique passwords or have lax security practices, making it easier for attackers to gain access to accounts through credential stuffing or password guessing.
In combination, these factors create a perfect storm for LinkedIn account hijacking and impersonation-based fraud.
How are the hackers gaining access to accounts?
Based on reports from victims, security researchers, and LinkedIn itself, here are some of the main tactics being used to hack into LinkedIn profiles:
Phishing attacks
Phishing remains one of the most common attack vectors. Hackers send fake login pages or security alerts mimicking LinkedIn in order to harvest account credentials from unwitting users. With obtained usernames and passwords, the attackers can easily take over accounts.
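The fake login pages described above almost always live on a domain that merely resembles LinkedIn's. The following added example (not LinkedIn's code) shows how a mail or chat filter can classify every URL in a message as legitimate, lookalike, or unrelated; the allow-list of real domains, the homoglyph table, the edit-distance threshold and the sample message are all assumptions made for illustration.

```python
"""Lookalike-URL check for messages that claim to come from LinkedIn.
Added example, not LinkedIn's code: the legitimate-domain list, the
homoglyph table and the sample message are constructed for illustration."""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"linkedin.com"}          # assumed allow-list of real domains
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message mixing one real link with two lookalikes.
SAMPLE_MESSAGE = """\
Your profile was flagged. Verify at https://linkedin.com.security-check.example/login
Or sign in here: https://www.1inkedin.com/login
Real help page: https://www.linkedin.com/help
Unrelated: https://example.com/report
"""

def hostname(url):
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower().rstrip(".")

def is_legitimate(host):
    """True only for the real domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def normalize_homoglyphs(s):
    """Undo a few common visual substitutions before comparing names."""
    for bad, good in (("0", "o"), ("1", "l"), ("|", "l"), ("rn", "m"), ("vv", "w")):
        s = s.replace(bad, good)
    return s

def levenshtein(a, b):
    """Classic edit distance; small values indicate a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    if is_legitimate(host):
        return "legitimate"
    registrable = ".".join(host.split(".")[-2:])   # crude: last two labels
    for domain in LEGIT_DOMAINS:
        brand = domain.split(".")[0]
        if brand in host:                            # brand name smuggled into a foreign host
            return "lookalike"
        if levenshtein(normalize_homoglyphs(registrable), domain) <= 2:
            return "lookalike"                       # typosquat / homoglyph domain
    return "unrelated"

def scan_message(text):
    """Map every URL found in the message to its verdict."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    return {u: classify_host(hostname(u)) for u in urls}

def flagged_urls(text):
    """URLs a filter would hold back or warn the recipient about."""
    return [u for u, verdict in scan_message(text).items() if verdict == "lookalike"]

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE).items():
        print(f"{verdict:11} {url}")
```

The brand-in-host rule deliberately errs on the side of warning: a third-party host that happens to contain the word "linkedin" is flagged too, which is the right trade-off for a login-credential phishing filter. The edit-distance rule only compares the last two labels, so a real deployment would use a public-suffix list to find the registrable domain.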
Malware and spyware
Malicious software such as info-stealing Trojans and downloaders is being used to scrape login credentials directly from user devices. The malware monitors browser activity and system processes to steal usernames, passwords, session cookies, and other account access data.
Credential stuffing
Automated bot attacks use large dictionaries of stolen credentials from past data breaches to access LinkedIn accounts. Where the reused email and password combination works, the bots can successfully compromise the account.
Password reset abuse
Attackers also abuse the password reset function, repeatedly triggering resets in a brute-force fashion until one attempt succeeds.
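Both credential stuffing and password reset abuse leave a distinctive footprint in authentication logs: one source hitting many different accounts in a short span, or one account receiving far more reset requests than a person would plausibly make. The following added example (not LinkedIn's code) runs that detection logic over a constructed log; the log format, the thresholds and every sample event are assumptions made for illustration.

```python
"""Detection logic for credential stuffing and password-reset abuse,
run over a constructed authentication log. Added example, not LinkedIn's
code: log format, thresholds and sample events are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line (hypothetical format):
#   <ISO timestamp> <event> <source_ip> <account> <result>
SAMPLE_LOG = """\
2024-03-01T10:00:01 login 203.0.113.7 alice@example.com fail
2024-03-01T10:00:02 login 203.0.113.7 bob@example.com fail
2024-03-01T10:00:03 login 203.0.113.7 carol@example.com fail
2024-03-01T10:00:04 login 203.0.113.7 dave@example.com fail
2024-03-01T10:00:05 login 203.0.113.7 erin@example.com fail
2024-03-01T10:00:06 login 203.0.113.7 frank@example.com success
2024-03-01T10:05:00 login 198.51.100.4 alice@example.com fail
2024-03-01T10:05:30 login 198.51.100.4 alice@example.com success
2024-03-01T11:00:00 reset 192.0.2.9 grace@example.com requested
2024-03-01T11:00:20 reset 192.0.2.9 grace@example.com requested
2024-03-01T11:00:40 reset 192.0.2.9 grace@example.com requested
2024-03-01T11:01:00 reset 192.0.2.9 grace@example.com requested
2024-03-01T12:00:00 reset 203.0.113.50 heidi@example.com requested
"""

def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, account, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "ip": ip, "account": account, "result": result})
    return events

def peak_distinct_in_window(items, window):
    """items: list of (timestamp, key). Largest number of distinct keys seen
    inside any span of length `window` (sliding window over sorted times)."""
    items = sorted(items, key=lambda it: it[0])
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, len({k for _, k in items[start:end + 1]}))
    return best

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Source IPs whose failed logins hit many distinct accounts in a short span:
    the signature of a bot replaying breached credential lists."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "fail":
            by_ip[e["ip"]].append((e["ts"], e["account"]))
    return {ip: n for ip, items in by_ip.items()
            if (n := peak_distinct_in_window(items, window)) >= min_accounts}

def detect_reset_abuse(events, window=timedelta(minutes=10), max_requests=3):
    """Accounts receiving more reset requests in a window than a person plausibly would."""
    by_account = defaultdict(list)
    for i, e in enumerate(events):
        if e["event"] == "reset":
            by_account[e["account"]].append((e["ts"], i))   # index keeps each request distinct
    return {acct: n for acct, items in by_account.items()
            if (n := peak_distinct_in_window(items, window)) > max_requests}

def accounts_to_force_reset(events, stuffing_alerts):
    """Accounts a flagged IP eventually logged into: treat as compromised and
    force a password change plus session revocation."""
    return sorted({e["account"] for e in events
                   if e["event"] == "login" and e["result"] == "success"
                   and e["ip"] in stuffing_alerts})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stuffing = detect_credential_stuffing(evs)
    print("credential stuffing sources:", stuffing)
    print("accounts to force-reset:", accounts_to_force_reset(evs, stuffing))
    print("password reset abuse:", detect_reset_abuse(evs))
```

Note the asymmetry in the two detectors: stuffing is keyed on the source address and counts distinct accounts (a real user mistyping one password five times never trips it), whereas reset abuse is keyed on the account, because a distributed attacker can spread reset requests across many addresses. The per-account success that follows a flagged burst is the event that should trigger a forced reset and notification.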
Social engineering
Skilled social engineers may directly manipulate users via phone, email, or messaging to hand over login credentials or other sensitive account details voluntarily.
What is LinkedIn doing about the hacking issue?
LinkedIn states that it is aware of the growing hacking and spamming issues reported by its users and has outlined some of the steps being taken to combat these threats:
- Implementing automated anti-scraping measures to prevent large scale data harvesting from profiles.
- Improving abuse detection with machine learning to identify suspicious behavior.
- Reminding users to use unique passwords and to enable two-factor authentication.
- Streamlining account recovery and enhancing security around password resets.
- Providing better reporting mechanisms for users to flag suspicious activity.
However, many security experts feel LinkedIn needs to do much more to verify identities, detect account takeovers, and notify users of unauthorized access attempts.
| Year | Reported Hacking Incidents |
|---|---|
| 2019 | 2,254 |
| 2020 | 4,598 |
| 2021 | 8,642 |
| 2022 | 12,135* |
*Projected based on data for first 3 quarters
Best practices to prevent getting hacked
For LinkedIn users concerned about account security, here are some top tips to help avoid being targeted by hackers:
- Use a unique, complex password just for your LinkedIn account and enable two-factor authentication.
- Be wary of any emails or messages asking you to log in or validate your account.
- Do not click links or attachments from suspicious emails or messages.
- Use up-to-date antivirus software to detect malware and phishing websites.
- Periodically review your LinkedIn privacy settings and connected apps/sites.
- Monitor your account activity and be alert to any abnormal behavior.
- Only connect with people you know and trust.
- Report any spammy connection requests or impersonation attempts.
What to do if you get hacked
If your LinkedIn account is compromised, act quickly to minimize damage:
- Reset your LinkedIn password immediately and enable two-factor authentication.
- Disconnect any linked apps or sites as a precaution.
- Warn your network contacts of the account breach.
- Look for and remove any spam or suspicious posts made from your account.
- Submit a report to LinkedIn’s customer service so they can investigate.
- Do a security check on your computer for potential malware infection.
The future of LinkedIn security
LinkedIn and other social networks need to improve security across the board to combat the rising sophistication of cyber criminals. Some measures that can help include:
- Leveraging AI to better detect fraudulent behavior and impersonation attempts.
- Introducing multi-factor authentication by default for all users.
- Enabling users to easily check login locations and currently active sessions and devices.
- Sending proactive notifications when unusual activity is detected.
- Building tools that help users analyze connection requests.
- Providing robust customer support for hacking and spam issues.
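Three of the measures listed above (checking login locations and active sessions, proactive notifications on unusual activity, and the "sign out everywhere else" step of recovery) rest on the same per-account model. The following added example (not LinkedIn's code) sketches that model: it learns the devices and countries an account normally signs in from, rates each new login against that baseline, and exposes the session list a user or support agent can review and revoke. The field names, risk rules and sample logins are assumptions made for illustration.

```python
"""Per-account login monitoring: baseline of known devices/countries,
risk rating of each new login, notification decision, and session
inventory/revocation. Added example, not LinkedIn's code: fields, risk
rules and sample logins are assumptions made for illustration."""
from dataclasses import dataclass, field

@dataclass
class Login:
    account: str
    session_id: str
    device_id: str   # assumed stable device identifier (app install id / browser fingerprint)
    country: str     # assumed to come from IP geolocation

@dataclass
class AccountProfile:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    active_sessions: dict = field(default_factory=dict)   # session_id -> (device_id, country)

def assess_login(profile, login):
    """Return (risk, reasons) where risk is 'low', 'medium' or 'high'."""
    if not profile.known_devices:
        return "low", ["first login: establishing baseline"]
    reasons = []
    if login.device_id not in profile.known_devices:
        reasons.append("unrecognised device")
    if login.country not in profile.known_countries:
        reasons.append("unrecognised country")
    risk = {0: "low", 1: "medium", 2: "high"}[len(reasons)]
    return risk, reasons

def record_login(profile, login):
    """Apply a login to the profile and say whether the user should be notified."""
    risk, reasons = assess_login(profile, login)
    profile.active_sessions[login.session_id] = (login.device_id, login.country)
    if risk != "high":
        # Only fold low/medium-risk logins into the baseline; a high-risk login
        # must not teach the model that the attacker's device is "normal".
        profile.known_devices.add(login.device_id)
        profile.known_countries.add(login.country)
    return {"risk": risk, "reasons": reasons, "notify": risk != "low"}

def list_sessions(profile):
    """What a 'where you're signed in' page would show."""
    return [(sid, dev, country) for sid, (dev, country) in profile.active_sessions.items()]

def revoke_other_sessions(profile, keep_session_id):
    """The 'sign out everywhere else' step of account recovery; returns revoked ids."""
    revoked = [sid for sid in profile.active_sessions if sid != keep_session_id]
    for sid in revoked:
        del profile.active_sessions[sid]
    return revoked

if __name__ == "__main__":
    alice = AccountProfile()
    for login in (Login("alice", "s1", "laptop-1", "US"),      # constructed sample logins
                  Login("alice", "s2", "phone-1", "US"),
                  Login("alice", "s3", "unknown-9", "RO")):
        print(login.session_id, record_login(alice, login))
    print(list_sessions(alice))
    print("revoked:", revoke_other_sessions(alice, "s1"))
```

The one design decision worth copying is that a high-risk login is recorded as a session but never added to the baseline: if the model learned from it, the attacker's second login would look routine and the notification would stop. Confirming such a login (after the user answers "yes, that was me") is the only path by which the new device should become known.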
While hackers will always evolve their tactics, LinkedIn also needs to evolve its defenses. By being more proactive and transparent with security, LinkedIn can help reassure users and businesses who rely on the platform.
Conclusion
LinkedIn account hacking is on the rise and poses a serious threat to both individuals and organizations. However, with vigilance around security practices, awareness of common tactics, and quick response if compromised, users can help protect themselves. For its part, LinkedIn needs to treat the hacking issue as a priority and continue strengthening its fraud detection and prevention capabilities.