The deluge of spam dropped on members of LinkedIn (NYSE: LNKD) last week perhaps could have been expected after a data breach at the site exposed 6.5 million of their passwords. Those messages, though, are more likely to harm members unaffected by the breach than those victimized by it.
That's because members who had their passwords compromised also had them wiped by LinkedIn. To reset those passwords, they have to go through a two-part process. They have to respond to a message from LinkedIn informing them that their password has been compromised. Then they receive a message from LinkedIn with a reset link.
If a spammer sends a bogus password reset request to an affected member before the member receives a message from LinkedIn, and the member is fooled into giving the spammer a username and password, the password won't work because it has been suspended by LinkedIn.
That's not the case with an unaffected account, though. A spammer who teases a password from one of those members will have a password that can be used to compromise the account.
Some of the spam campaigns attempt to emulate the LinkedIn reset process, explained Eset Senior Researcher Cameron Camp. "They say, 'Your password has been compromised. Click on this link here,' and when you do you're sent to places where you have to enter your user name and password to LinkedIn, which allows them to gather user names and passwords from people who are not affected by the breach," he told TechNewsWorld.