Last week I woke up to find a litany of emails from LinkedIn alerting me to shenanigans. There were password reset emails, pin codes, and even a message that 2FA had been turned on.
What?
I already had 2FA turned on and never turned it off.
I wondered if the AT&T breach could have been the cause of this situation because the timing was too suspect to ignore, but whatever caused it, I could no longer access my account.
I don’t actively use LinkedIn because I’m not actively seeking work and I don’t speak fluent business. However, when new clients are looking to add me to their roster of writers, that’s where they find me. So… it’s still an important account for me.
But that’s not the reason why I was so adamant about getting my account restored. Even though I don’t post on LinkedIn, a lot of my clients do post my work and tag me. Imagine if a hacker were to get access to my account and then trash my reputation by posting a barrage of terrible, horrible, no good, very bad things. We live in an era where that’s very much a concern (or should be) and anyone who gets an account hacked (even a Facebook or X account) should act to recover it immediately… otherwise the risk of falling victim to such reputation-ruining havoc could be disastrous.
Let me make a quick public service announcement before I continue.
This is the very reason why it’s imperative that you start using a password manager to not only keep your passwords secure within encrypted vaults but to also start using passwords that are very strong and unique. It’s time to do away with password123 and start using things like Ur*t23xVj&_2112. On top of that, any time you can enable multi-factor authentication (or passkeys), do it. Even though nothing is perfect, the more security you can add to your accounts the better. My suggestion would be to always use passkeys (when more sites start making them available) because that’s your strongest option.
And now, back to our regularly scheduled programming.
LinkedIn.
When I realized the password reset wasn’t going to work (because the culprit had re-enabled 2FA after they’d changed my password), I had no choice but to go through the process of reclaiming my account.
When I started this process, I received an email from a third party called Persona. Given my usual suspicion of third-party services, I was hesitant to click on any link until I was absolutely certain it was legit. I went so far as to reach out to a contact I had with LinkedIn to ensure Persona was its account recovery service.
Lo and behold, it was.
Using the service required my phone because I had to take a photo of my driver’s license (which was why I was so hesitant to use the service in the first place). After clicking the link on my phone, it opened my camera app and guided me through snapping a photo of the front and back of my license. Unlike some reports of Persona, I did not have to take a selfie to prove the person in the driver’s license photo was the person attempting to recover the account (some services do require this).
After uploading the two photos, I was informed I would hear from Persona. I was surprised at how quick the response was. Within an hour of sending the photos, I received the reset link and had my LinkedIn account back. When changing the password, I used a ridiculously long string of characters and re-enabled 2FA.
In fact, I decided to make all passwords moving forward that long (I’m talking over 20 characters). We live in a world where being too safe is never enough. You have to be active in keeping your accounts protected because you can’t always count on the services themselves. Lock down LinkedIn with a weak password and no multi-factor authentication and it’s only a matter of time before your account is breached. If your account is breached, you could wind up the victim of a smear campaign or worse.
The lesson here is more like a bullet list:
- Always assume your passwords aren’t strong enough and change them.
- Confirm a third-party service is legit before using it.
- Use multi-factor authentication for everything.
- If available, use passkeys instead of traditional passwords.
I was lucky it only took me a few days to recover my LinkedIn account. I was also lucky the hacker didn’t do anything with my account (so it seems). Luck won’t always be on the right side, so it’s on us to keep our accounts protected and, should any account fall prey to hackers, act immediately. The longer you hesitate to restore an account, the more time a ne’er-do-well has to wreak their special flavor of havoc.
Trust me when I say that you don’t want that.