LinkedIn Password Change Notification Randomly Sent to Previous Employers
After the leak of roughly 6.5 million hashed passwords last week and the failed “mandatory password update for the affected accounts”, LinkedIn’s password reset confirmation e-mail has backfired by disclosing the reset to victims’ previous employers.
The password-reset confirmation appears to be randomly sent to a number of e-mail addresses the user is likely connected with. Based on our observations, these notifications are sent to e-mail accounts at the user’s current or previous employers, even if these e-mail addresses have never been associated with the LinkedIn account.
Example: Password reset notification for a user, sent to qscan@bitdefender. The Quick Scan account has never been associated with LinkedIn in any way.
The service notifies the user at e-mail addresses he or she doesn’t control, allegedly to minimize phishing attacks following the leak of the hashed passwords. Although the LinkedIn message doesn’t mention the username, password or other identification for the user’s account, this alleged security feature amounts to an unnecessary disclosure of activity that may actually work against the user by informing third parties of his or her whereabouts.
We have notified LinkedIn about the issue.

someone
I had the same issue, got a response from LinkedIn support. These email addresses are stored in your account. Every time someone expresses a desire to connect to you, LinkedIn sends an invite to the address your connection provided. Once you click to accept the connection, the email address is added to your account once you log in (makes sense, by accepting and logging in you’ve verified access and account ownership).
To see (or remove) what is stored go to settings -> account -> add & change email addresses and you can remove old addresses.