Hackers are on a spree of hijacking LinkedIn accounts, in some cases monetizing the attacks by demanding a small ransom from users to regain access and threatening permanent deletion.
Though LinkedIn, a subsidiary of Microsoft, has not yet commented publicly about the campaign, it has affected people worldwide over the last few weeks. Conversations on social media and Google searches indicate a “significant surge in the past 90 days” of account hacks on the professional-oriented social media platform, according to a recent report published by Cyberint.
LinkedIn support response time for users has lengthened under the high volume of support requests, indicating that something is amiss, Coral Tayar, a security researcher at Cyberint, wrote in the report.
“[Google] search queries such as ‘LinkedIn account hacked’ or ‘LinkedIn account recovery’ have experienced a substantial upward trend … while the term ‘breakout’ in place of percentage indicates that the search term grew by over 5,000%,” she wrote.
Two Attack Scenarios
Despite its silence so far on the matter — which has caused some ire among users — LinkedIn appears to be aware of suspicious account-related activity. LinkedIn did not immediately respond to a request for comment today.
“Absolutely furious with LinkedIn right now!” one person raged on X, formerly Twitter, according to a comment published in the report. “Fell victim to a hack and their pathetic excuse for a security system couldn’t stop it. No response from them either.”
However, in reports of account hacks posted online, two scenarios have emerged, in one of which LinkedIn already has taken some action on behalf of users. In that scenario, LinkedIn temporarily locks a person’s account due to suspicious activity or hacking attempts and then notifies the user of the action, asking that they verify accounts and update their passwords to regain access.
“In this case, the threat actors possibly attempted to breach accounts with two-factor authentication or tried brute-force attacks on passwords, leading LinkedIn to block these attempts,” Tayar wrote.
The second scenario is more unfortunate in that victims’ LinkedIn accounts are fully hacked in such a way that it’s impossible for them to recover their accounts independently. In this instance, attackers gain access to the account and change the account’s associated email address to another one, often a potentially generated address on the mail system of rambler.ru.
Attackers then proceed to change the password of the account and, since they changed the account email address, the user can’t recover their login details using the previous email address linked to the account, as might typically occur.
“Some victims have received ransom messages (typically requesting a few tens of dollars) to regain access, while others have witnessed their accounts being deleted outright,” Tayar wrote.
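The lockout sequence in the second scenario (a new email address added, the old one removed, then a password change) is something a defender can look for in account audit data. The sketch below is an added example, not taken from the article or from Cyberint's report; the event schema, action names and sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, account, action, detail).
# The schema and action names are hypothetical, not any platform's real log format.
EVENTS = [
    ("2023-08-14T09:00:00", "alice", "email_added", "new-owner@example.net"),
    ("2023-08-14T09:01:10", "alice", "email_removed", "alice@example.com"),
    ("2023-08-14T09:02:30", "alice", "password_changed", ""),
    ("2023-08-14T10:00:00", "bob", "password_changed", ""),
    ("2023-08-14T11:00:00", "dave", "email_added", "dave.alt@example.net"),
    ("2023-08-14T11:05:00", "dave", "password_changed", ""),
    ("2023-08-10T08:00:00", "carol", "email_added", "carol@example.org"),
    ("2023-08-14T12:00:00", "carol", "password_changed", ""),
]


def find_takeover_sequences(events, window=timedelta(minutes=30)):
    """Flag accounts where a password change follows a newly added email
    within `window`, noting whether an older address was removed in between."""
    pending = {}  # account -> state of its most recent email addition
    alerts = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ts, account, action, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "email_added":
            pending[account] = {"at": when, "new_email": detail, "removed": []}
        elif account in pending:
            state = pending[account]
            if when - state["at"] > window:
                del pending[account]  # addition is too old to correlate
            elif action == "email_removed" and detail != state["new_email"]:
                state["removed"].append(detail)
            elif action == "password_changed":
                alerts.append({
                    "account": account,
                    "new_email": state["new_email"],
                    # True when the owner's previous address is gone, so
                    # email-based recovery no longer reaches the real user.
                    "recovery_blocked": bool(state["removed"]),
                    "at": ts,
                })
                del pending[account]
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_sequences(EVENTS):
        print(alert)
```

An alert with `recovery_blocked` set to true matches the full lockout described above; one without it still deserves review, since the added address alone gives a second recovery path into the account.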
History of Targeting LinkedIn
LinkedIn is no stranger to being a target of cybercriminals. Last year, the platform was deemed the most abused brand in phishing attempts, likely due to its recognizability and widespread use in the corporate world. And as recently as June of this year, North Korean APT Lazarus was spotted using fake LinkedIn profiles to target security researchers in a phishing campaign.
In another spear-phishing campaign discovered last July, attackers targeted LinkedIn as part of an effort to take over Facebook Business accounts to run malvertising schemes.
While the motive behind the recent account-takeover campaign remains unclear, there is a range of malicious activity that threat actors can engage in using compromised profiles, Tayar noted. Attackers can use someone’s LinkedIn profile to socially engineer phishing campaigns by impersonating a trusted colleague or supervisor.
They also can glean valuable information by accessing conversations between business colleagues, or cause reputational damage to victims by using their accounts to make posts containing malicious content or send damaging or threatening messages to business connections.
Indeed, “we live a significant part of our lives online, and we don’t want our online identities in the wrong hands,” notes Emily Phelps, director of threat intelligence firm Cyware.
Confirm LinkedIn Account Access Now
Due to the potential scope and seriousness of the breaches, Cyberint strongly advises users to log in to accounts and confirm access promptly. Users also should ensure that all contact information found within their accounts is genuinely theirs, and contact LinkedIn immediately if they’re locked out and can’t recover the account using email.
LinkedIn users also should check their email inboxes for messages from LinkedIn indicating the addition of an extra email to their accounts, which could mean they were hacked. “If you didn’t initiate this action and find such an email, consider it a significant warning sign” and follow up, Tayar wrote.
Shoring up password security and adding two-step verification, a feature that LinkedIn and other platforms offer for account access, also can further secure someone’s profile against compromise.