

Ask HN: LinkedIn made me reset my password (my email was in the Gawker dump) - adelevie

I suspect LinkedIn is checking email addresses against the hacked Gawker data and forcing any matching accounts to reset their password. Here's an excerpt of the email they sent me:

    In order to ensure that you continue to have the best experience using
    LinkedIn, we are constantly monitoring our site to make sure your account information is safe.

    We have recently disabled your account for security reasons.

Is this happening to anyone else? For other sites?
======
look_lookatme
I appreciated that. I also appreciated them being vague about the reasoning.
No need to call Gawker out.

Fortunately I wasn't emailed by hint.io. I know they meant well, but it feels
shady, considering they headed off other people working to accomplish similar
goals (presumably without sending from their startup's domain)[1]

<http://news.ycombinator.com/item?id=1999410>

~~~
look_lookatme
Oh, actually I was emailed by hint.io, it was just marked spam by gmail.
Sweet.

------
zbailey
That is exactly what they're doing:

"As a proactive security measure, we've reached out to users potentially
affected by the gawker breach to change their password."

<http://twitter.com/#!/LinkedIn/status/14507486753062913>

------
skorgu
I got the following email from Blizzard as well as the one you mentioned from
LinkedIn:

Greetings!

We’ve recently been informed that several Gawker Media websites have been
compromised. These websites include Gawker, Gizmodo, Kotaku, Lifehacker,
Jezebel, io9, Jalopnik, Deadspin, and Fleshbot. To help minimize the effects
of this compromise and help keep your Battle.net account safe and secure,
we’ve reset your account password. To complete the password reset, please log
into Battle.net Account Management
(<https://us.battle.net/account/management>) and follow the provided
instructions.

If you are a registered commenter for any of these sites and used your
Battle.net email address to sign up with Gawker Media, we also recommend that
you update your Battle.net address as soon as possible via Account Management.
If you are unable to complete this step or the password reset on your own and
believe your account may be compromised, please contact our customer support
staff by using the Account Recovery form
(<https://us.battle.net/account/support/account-recovery.html>) and be sure to
check out our Account Security Awareness guide
(<http://us.battle.net/en/security/>) for additional security tips and
suggestions.

For more information about this situation, please visit Gawker Media’s
official announcement
(<http://gawker.com/5713056/gawker-security-breach-were-here-to-help>) or
Lifehacker’s comprehensive FAQ
(<http://lifehacker.com/5712785/faq-compromised-commenting-accounts-on-gawker-media>).

Regards, Blizzard Entertainment

------
ra
Kudos to linkedin if that's what they are doing.

Proactive security response.

------
seancron
I also got this email. I suspected it due to the Gawker incident, although I
wasn't sure. I wish they had been a little bit more specific.

I also got the email from hint.io, but it was marked as spam by GMail.

I was really glad when I found out about the incident that I used a throwaway
password that wasn't the same as my GMail. I've been keeping track of more of
my passwords with KeepassX, although I still use the same somewhat secure
password on sites where it doesn't matter.

As a side note: I'm trying to brute force/crack my hash to test how secure my
password is. I'm using John the Ripper with the command line:

    john -session:testing -incremental test.txt

So far, I'm 17 hours in at about 600000 c/s and it still hasn't been cracked,
so I feel somewhat secure about it, although I realize DES is considered
insecure.

------
ja27
Me too. So far today I've been locked out of GMail, LinkedIn and Twitter. I
thought it might be due to failed login attempts with a bad password, but it
sounds like it's all just proactive lockouts based on being in the file.

------
hardik988
Yes. This happened to me too. And my e-mail was in the Gawker dump too. In
fact I changed passwords of all my online accounts and completely forgot about
LinkedIn. But I appreciate them doing this.

------
xwert
And the "LinkedIn website" link was not like that?

hxxp://www.linkedin.com.qwe0923fffuuu.biz/ or similar?

If I was a phisher, I would have sent such things to all leaked emails...

------
tocomment
Maybe it's a phishing attempt? Be careful!

~~~
rohitarondekar
I don't think they are sending links inside the email. They just disable your
account, let you know about it and when you try to login next time they will
reset your password.

~~~
ja27
Yes - no link in the email.

---

In order to ensure that you continue to have the best experience using
LinkedIn, we are constantly monitoring our site to make sure your account
information is safe.

We have recently disabled your account for security reasons. To reset your
password, follow these quick steps:

Go to the LinkedIn website

Click on "Sign In"

Click on "Forgot Password?" and follow the directions on the website
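
Added example, not part of the thread or any commenter's post and not LinkedIn's code: a sketch of the flow discussed above, matching account emails against a leaked list and gating the next login on a reset. All addresses, the key, the `breach_id` value and every function name are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: invented addresses, not taken from any real dump.
LEAKED_EMAILS = ["Alice@Example.com ", "bob@example.org", "not-an-email"]
ACCOUNTS = {
    1: {"email": "alice@example.com", "must_reset": False, "handled": set()},
    2: {"email": "carol@example.net", "must_reset": False, "handled": set()},
    3: {"email": "BOB@example.org", "must_reset": False, "handled": set()},
}
KEY = b"constructed-demo-key"  # assumption: per-job secret, discarded afterwards


def normalize(email):
    """Trim and lower-case; return None for strings that are not address-shaped."""
    e = email.strip().lower()
    local, sep, domain = e.rpartition("@")
    return e if sep and local and "." in domain else None


def fingerprint(email, key=KEY):
    """Keyed digest, so the index kept for matching holds no plaintext addresses."""
    return hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()


def build_index(leaked):
    return {fingerprint(n) for n in map(normalize, leaked) if n}


def flag_accounts(accounts, index, breach_id):
    """Flag matches once per breach; returns the ids to notify on this run."""
    notify = []
    for uid, acct in sorted(accounts.items()):
        n = normalize(acct["email"])
        if n and fingerprint(n) in index and breach_id not in acct["handled"]:
            acct["must_reset"] = True
            acct["handled"].add(breach_id)
            notify.append(uid)
    return notify


def login(accounts, uid, password_ok):
    """A flagged account is sent to the reset flow even if the password is right."""
    if accounts[uid]["must_reset"]:
        return "reset_required"
    return "ok" if password_ok else "denied"


def complete_reset(accounts, uid):
    accounts[uid]["must_reset"] = False
```

Recording the breach id per account keeps a re-run of the job from flagging or notifying the same account twice, including after the user has already completed the reset.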

------
vwelch
So I give kudos to linkedin for being proactive, but I actually do create a
different password for every site (stored in Password Safe/LastPass), so I'm
not looking forward to having to change all my passwords for no reason.

But yeah, I'm sure for the majority of users this makes sense.

------
mickdarling
Makes me feel better. I was "pretty sure" that I had only used Twitter OAuth
to comment, and have been unable to confirm that. I haven't received an email
from hint.io or a reset from LinkedIn so a little safer.

------
taitems
That's fine if that's their reasoning, but I got 4 or 5 emails to the same
effect. None of which really explained WHY I was being prompted so many times,
so I dismissed them all as spam/phishing.

~~~
train_robber
They possibly didn't want to call names.

------
helenw
I had the same email from LinkedIn this morning but became suspicious because
yesterday, I was locked out of both my gmail and twitter accounts. Guess I'll
be staying tuned.

------
youngtaff
My email wasn't in the Gawker dump and yet both my LinkedIn accounts got
emails telling me to reset the password

------
flyosity
Happened to me too. I'm glad it was a proactive measure and not some script
kiddy trying to access my account.

------
rwhitman
I noticed I was locked out of Twitter today too

------
JoshCole
Nice, hopefully more sites will do this.

------
guiseppecalzone
I'm impressed.

