A couple of weeks ago account information, including emails and passwords, of approximately 167 million LinkedIn users went up for sale on the dark web.

The data for sale dated back to a LinkedIn hack occurring back in 2012 for which LinkedIn never revealed the extent of at the time, but it was believed that the hack had exposed 6.5 million password “hashes” only (with no associated email addresses, rendering the password “hashes” on their own all but useless).

Now the true extent of the 2012 data breach has become public, with over 25 times more accounts affected than previously thought. With passwords insecurely stored as SHA1 hashes without salt along with associated email addresses, the vast majority of these accounts were quickly cracked in the days following the release of the data.

Consequently, LinkedIn have now invalidated passwords for all accounts created prior to the 2012 breach whose owners had not changed their passwords since the 2012 breach, prompting the affected users to reset their LinkedIn passwords.

However, I’ve received a couple of reports in the past week or so from LinkedIn users who have had their passwords invalidated by this process, but who have so far been unable to reset their LinkedIn passwords and regain access to their accounts due to what LinkedIn are acknowledging as a “known issue“.

If an affected LinkedIn user attempts to login, they’re met with a very generic error:

If they try to initiate a password reset, they’re met with an equally generic error:

The user is therefore both locked out of LinkedIn, as their password has been invalidated, and are unable to reset it!

I reached out to LinkedIn last week, who informed me it’s a “known issue” and that their “engineering team is working on it but there’s no estimate as to how long that might take”

I’ve reached out to LinkedIn again today for an update. LinkedIn responded “Our engineers are still working on why the password change process is giving an error message. They are working on it but there’s no estimate as to how long that might take”

Interestingly, for those accounts that LinkedIn have “invalidated” passwords for, if the account was already logged in, the user’s active session itself wasn’t invalidated, and the user could remain logged in and post as normal. The only indication that their password had been “invalidated” would be if the user attempted to change an account setting which required re-entering their password:

(which if the user follows the “reset your password” or “Forgot password” links, they get the generic error messages above)

So, there have been a number of failings with LinkedIn:

1. Firstly, the breach/hack itself back in 2012
2. The reluctance/incompetence of LinkedIn to acknowledge the true extent of the 2012 hack at the time
3. The inaction of LinkedIn to forcibly reset passwords at the time – and to wait 4 years before doing so!
4. The invalidation of passwords but not also any “active” sessions
5. The inability for affected users to reset their passwords & regain access to their accounts

Have you been unable to reset your invalidated LinkedIn password? Let me know!