With more than 6.4 million LinkedIn password hashes leaked onto a hash-cracking forum this week, it is no wonder that spammers are having a field day with the confusion it brought. Cameron Camp, a security researcher at the ESET cybersecurity software company, announced that ESET had been notified by “several” people that they had received spam emails purporting to be from LinkedIn. The emails asked users to confirm their email address with LinkedIn and provided a link to do so. Camp reports that the link actually sent users to an online pharmacy. This spam email resembles others, such as the Google+ spam email that was identified earlier this year.
LinkedIn responded to the password leak yesterday within a few hours, announcing on its blog that affected accounts had been disabled and that members would receive instructions on how to reset their passwords. One point Vicente Silveira, a director at LinkedIn, made clear in his blog post announcing the company’s response was that the emails sent out would not contain any links to reset passwords. From the post:
…members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
This mirrors the password advice Silveira gave in an earlier blog post yesterday, where he stated that users should never change their password by following a link in an email they did not request. As Camp pointed out, these types of spam email are common, and these particular emails might not be related to the recent password leak. Still, users should be wary of this kind of spam and of other, more malicious phishing attacks that redirect users to websites spoofed to look exactly like the login page of a site they use.
(Screenshot courtesy ESET)