LinkedIn Compromise - A death-blow
Created: Jan 26, 2024 12:14 PM
Last Updated: January 26, 2024
Tags: security, practices, 2fa, fido, linkedin
Status: In Progress 🔨
It was one fine evening when I received an email from LinkedIn saying there had been a suspicious login to my account.
I was chilling, watching the Indian Premier League (IPL), and was super excited to watch the Google I/O 2023 event (more excited about the launch of the Pixel 7A device).
Reading that email, my reaction was like this.
That email created a moment of panic for me, since I was unprepared for the next steps. The following things happened after that:
  1. The hacker changed the primary email address of the account.
  2. The attacker enrolled a 2FA device in my account and then logged the account out of all devices.
Confetti moment 🥳. My request was approved, my documents were approved, and I got access back to my account.

What were the primary reasons the account got compromised?

Well, in my view the mistake was on both sides (mine and LinkedIn's). I will also try to explain the loopholes that still exist in LinkedIn's account recovery system.
  1. I shamefully admit that my password was guessable (this is very shameful and could have been prevented, but my lazy ass prevented me from doing so). The password was obviously guessable: my email address followed by @1234 😆
  2. I had no 2FA device enrolled, which could have prevented the actor from getting into my account in the first place, even though he had guessed my password (my bad).
  3. Here is the scariest part about LinkedIn, which I think the team should have addressed. LinkedIn currently allows changing the email address (the primary login factor) without sending a verification code to the existing email address. So once the attacker got into my account, he could change the account's email address without any verification code being required.
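As an added illustration (not code from this post or from LinkedIn), here is the loophole from the third point beside a hardened email-change flow: the weak version lets any logged-in session overwrite the primary address, while the hardened version mints one-time tokens for both the current and the new address and, where 2FA is enrolled, also demands a fresh TOTP code. The Account class, the in-memory token dict standing in for outgoing mail, and the 900-second expiry are assumptions made for the example.

```python
import hashlib, hmac, secrets, struct, time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:                                   # assumed minimal account model
    primary_email: str
    totp_secret: Optional[bytes] = None          # None means no 2FA enrolled
    pending: dict = field(default_factory=dict)  # in-flight email change, if any

def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator generates."""
    counter = int(at if at is not None else time.time()) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def change_email_weak(acct: Account, new_email: str) -> None:
    """The loophole described above: an authenticated session rewrites the
    primary email with no confirmation to the current address and no 2FA."""
    acct.primary_email = new_email

def request_email_change(acct: Account, new_email: str) -> dict:
    """Hardened flow, step 1: mint a one-time token for BOTH the current and
    the new address. The returned dict stands in for the outgoing mail queue."""
    old_token, new_token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    acct.pending = {"new_email": new_email, "old": old_token,
                    "new": new_token, "expires": time.time() + 900}
    return {acct.primary_email: old_token, new_email: new_token}

def confirm_email_change(acct: Account, old_token: str, new_token: str,
                         second_factor: str, at: Optional[int] = None) -> bool:
    """Hardened flow, step 2: both tokens must match (compared in constant
    time) and, when 2FA is enrolled, a fresh TOTP code is required too.
    Any failure leaves the account untouched."""
    p = acct.pending
    if not p or time.time() > p["expires"]:
        return False
    if not (hmac.compare_digest(old_token, p["old"])
            and hmac.compare_digest(new_token, p["new"])):
        return False
    if acct.totp_secret is not None and not hmac.compare_digest(
            second_factor, totp(acct.totp_secret, at)):
        return False
    acct.primary_email, acct.pending = p["new_email"], {}
    return True
```

An attacker holding only a guessed password never sees the token mailed to the current address, so the hardened flow stops exactly the takeover step the post describes.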
 
What happened could not be prevented, as it happened so fast. So my next step was to open a case with the LinkedIn support team. I did, and they were very supportive. Here is a snapshot of the case that I opened.
I was so anxious at that moment about whether I would ever get access back to my account. You cry over some things when you have put a lot of effort into them. In my case, I had put a lot of effort into building my LinkedIn: networking with people, sharing my blog articles with my connections, my achievements at work too...
 
I also notified my friends and office colleagues about the account compromise, so that they were aware beforehand, before anything unintended got posted on my account.
[BEFORE and AFTER screenshots]
Since LinkedIn is a professional networking account, it could have terribly damaged my image.
 
I immediately went back to my Twitter account and tweeted about this, tagging LinkedIn to bring the incident to their notice. This shows how much I cried that day just to get access back to my account. 😿 I received a reply from the LinkedIn support team a few moments after I tweeted. 👏🏽 Shoutout to the great folks at LinkedIn who supported me end to end in this case.
The next day, I received a reply to the case asking me to prove that I was the original account holder by uploading government-approved documents (signed by me). I submitted my documents and waited, biting my nails, wondering whether those documents would successfully recover my account or whether it would remain permanently suspended.
🧠
It becomes very difficult to convince companies that your account was compromised. You literally get a death-blow when you first see an email notifying you that there was an unexpected login to the account.
 
Well, 🙏🏼 my prayers did not go in vain; I got access back to my account the very next day. I have to admit the LinkedIn team was very actively working on the case.
Then, the next day, I freed up 30 minutes and set a very strong password, not easily guessable at all this time.
  1. Used a password manager (1Password).
  2. Enrolled 2FA using Google Authenticator.

What were my takeaways from this incident, and why should you take 2FA seriously?

🧠
Always use a strong, non-guessable password. If your brain can't take the stress of remembering all of your accounts' passwords, just use a reputable password manager. In my case, I used 1Password. Also, please, please use 2FA (FIDO tokens/Google Authenticator).
Since I work with FIDO tokens at Infineon Technologies, where we develop FIDO tokens in-house, I would always suggest you buy a FIDO token and use it across all your accounts. It is a very convenient mode of 2FA: once you enrol it in your account, you have a better way of authorizing your login to apps next time, even if your passwords end up in a threat actor's hands.
In today's ever-evolving digital landscape, the need for robust security measures has become more critical than ever before. Two-factor authentication (2FA) has emerged as a highly effective safeguard against unauthorized access to personal and sensitive information. This method adds an additional layer of security to the traditional username and password combination, making it significantly harder for malicious actors to breach accounts. While it may seem inconvenient to some, taking 2FA seriously is essential for safeguarding our online identities and protecting ourselves from devastating cyber threats.
First and foremost, 2FA provides an extra level of defense against password-related attacks. With traditional login credentials alone, cybercriminals can exploit various techniques like phishing, social engineering, or brute force attacks to gain unauthorized access to accounts. However, when 2FA is implemented, an additional authentication factor, such as a unique code generated on a separate device or a fingerprint scan, is required to complete the login process. This means that even if an attacker manages to steal or crack your password, they would still need the second factor to gain access, significantly reducing the likelihood of successful unauthorized access.
Furthermore, 2FA greatly enhances security for online services that hold sensitive data, including banking, email, and social media platforms. The consequences of a data breach can be catastrophic, leading to identity theft, financial losses, and even reputational damage. By implementing 2FA, users create an additional barrier that raises the bar for an attacker, deterring potential hackers. Even if a user's password is compromised through a data breach or a weak password, the second factor required by 2FA acts as a strong defense mechanism, preventing unauthorized access and significantly mitigating the risks associated with stolen credentials.
In conclusion, the importance of taking 2FA seriously cannot be overstated in today's digital age. While it may require an extra step during the authentication process, the benefits of this additional layer of security far outweigh the minor inconvenience. By implementing 2FA, users significantly reduce the risk of falling victim to password-related attacks and enhance their overall security posture. With the ever-increasing sophistication of cyber threats, it is essential for individuals, businesses, and organizations to adopt 2FA as a fundamental security practice to protect their sensitive data and preserve their online identities.
I will also attach some links to buy a FIDO token for yourself. But here are two big companies in this game:
  1. Yubico
  2. Thetis