LinkedIn users locked out and unable to reset passwords due to “known issue”

LinkedIn Password Reset
A couple of weeks ago account information, including emails and passwords, of approximately 167 million LinkedIn users went up for sale on the dark web.

The data for sale dates back to a LinkedIn hack in 2012, the extent of which LinkedIn never revealed at the time; it was believed that the hack had exposed only 6.5 million password “hashes” (with no associated email addresses, rendering the password “hashes” on their own all but useless).

Now the true extent of the 2012 data breach has become public, with over 25 times more accounts affected than previously thought. With passwords insecurely stored as SHA1 hashes without salt along with associated email addresses, the vast majority of these accounts were quickly cracked in the days following the release of the data.
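To make the storage weakness concrete, here is an added example (not LinkedIn's code and not from the original post) that puts unsalted SHA-1 next to a salted, slow key-derivation function. The sample users, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: two of the three users picked the same password.
SAMPLE = {
    "alice@example.com": "Summer2012!",
    "bob@example.com": "Summer2012!",
    "carol@example.com": "correct horse battery staple",
}
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def legacy_record(password):
    """Scheme the article describes: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hardened_record(password):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": dk}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def distinct_values(records):
    """How many different stored values a table of records contains."""
    return len({r if isinstance(r, str) else r["hash"] for r in records})


def compare_schemes(users=SAMPLE):
    legacy = [legacy_record(p) for p in users.values()]
    hardened = [hardened_record(p) for p in users.values()]
    # Unsalted: equal passwords collapse to one digest, so one recovered
    # password exposes every account that shares it. Salted: all differ.
    return distinct_values(legacy), distinct_values(hardened)
```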

Consequently, LinkedIn have now invalidated passwords for all accounts created prior to the 2012 breach whose owners had not changed their passwords since the 2012 breach, prompting the affected users to reset their LinkedIn passwords.

However, I’ve received a couple of reports in the past week or so from LinkedIn users who have had their passwords invalidated by this process, but who have so far been unable to reset their LinkedIn passwords and regain access to their accounts due to what LinkedIn are acknowledging as a “known issue”.

If an affected LinkedIn user attempts to login, they’re met with a very generic error:

Unable To Sign In To LinkedIn

If they try to initiate a password reset, they’re met with an equally generic error:

Unable To Reset LinkedIn Password

The user is therefore both locked out of LinkedIn, as their password has been invalidated, and unable to reset it!

I reached out to LinkedIn last week, who informed me it’s a “known issue” and that their “engineering team is working on it but there’s no estimate as to how long that might take”.

I’ve reached out to LinkedIn again today for an update. LinkedIn responded: “Our engineers are still working on why the password change process is giving an error message. They are working on it but there’s no estimate as to how long that might take”.

Interestingly, for those accounts that LinkedIn have “invalidated” passwords for, if the account was already logged in, the user’s active session itself wasn’t invalidated, and the user could remain logged in and post as normal. The only indication that their password had been “invalidated” would be if the user attempted to change an account setting which required re-entering their password:

Active LinkedIn Sessions Not Invalidated

(If the user then follows the “reset your password” or “Forgot password” links, they get the generic error messages above.)

So, there have been a number of failings with LinkedIn:

  1. Firstly, the breach/hack itself back in 2012
  2. The reluctance/incompetence of LinkedIn to acknowledge the true extent of the 2012 hack at the time
  3. The inaction of LinkedIn to forcibly reset passwords at the time – and to wait 4 years before doing so!
  4. The invalidation of passwords but not also any “active” sessions
  5. The inability for affected users to reset their passwords & regain access to their accounts
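Failings 4 and 5 can be addressed in one forced-reset routine. The following is an added sketch, not LinkedIn's implementation and not from the original post: it selects accounts by the criteria described above, invalidates the password, revokes live sessions through a credential version counter, and issues a single-use reset token so the user is not left locked out. The in-memory dictionaries, field names, cut-off date and token lifetime are all assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
BREACH_CUTOFF = datetime(2012, 12, 31, tzinfo=UTC)  # placeholder: the article gives only the year
RESET_TTL = timedelta(hours=1)                       # assumed token lifetime

def needs_forced_reset(acct):
    """Created before the breach and password not changed since."""
    return acct["created"] <= BREACH_CUTOFF and acct["pw_changed"] <= BREACH_CUTOFF

def session_valid(accounts, sessions, sid):
    """Honour a session only if issued under the account's current credential version."""
    s = sessions.get(sid)
    return s is not None and s["cred_version"] == accounts[s["email"]]["cred_version"]

def force_reset(accounts, reset_tokens, email, now):
    """Invalidate the password, revoke every session, return a reset token."""
    acct = accounts[email]
    acct["pw_hash"] = None      # old password can no longer log in
    acct["cred_version"] += 1   # every existing session now fails session_valid()
    raw = secrets.token_urlsafe(32)
    # Keep only a hash of the token, so a database leak exposes no usable tokens.
    reset_tokens[hashlib.sha256(raw.encode()).hexdigest()] = (email, now + RESET_TTL)
    return raw                  # to be sent to the account's verified email address

def complete_reset(accounts, reset_tokens, raw, new_pw_record, now):
    """Redeem a single-use token; True when the password was replaced."""
    entry = reset_tokens.pop(hashlib.sha256(raw.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    acct = accounts[entry[0]]
    acct.update(pw_hash=new_pw_record, pw_changed=now)
    acct["cred_version"] += 1   # a password change always revokes earlier sessions
    return True

def demo():
    """Constructed sample: one pre-breach account with a live session."""
    old, now = datetime(2010, 1, 1, tzinfo=UTC), datetime(2016, 6, 1, tzinfo=UTC)
    accounts = {"user@example.com": {"created": old, "pw_changed": old,
                                     "pw_hash": "legacy-sha1", "cred_version": 1}}
    sessions, tokens = {"sid-1": {"email": "user@example.com", "cred_version": 1}}, {}
    flagged = needs_forced_reset(accounts["user@example.com"])
    raw = force_reset(accounts, tokens, "user@example.com", now)
    revoked = not session_valid(accounts, sessions, "sid-1")
    restored = complete_reset(accounts, tokens, raw, "new-kdf-record", now + timedelta(minutes=5))
    return flagged, revoked, restored
```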

Have you been unable to reset your invalidated LinkedIn password? Let me know!

8 thoughts on “LinkedIn users locked out and unable to reset passwords due to “known issue””

  1. Hi, I have been unable to access my LinkedIn account, and numerous attempts at a password reset and communication with the LinkedIn Customer Service Team to assist haven’t resulted in me being able to access the account.

    Is there any other way for me to regain access to my account?

  2. Hi

    I have a similar issue: I am getting the reset link and entering the new password, then it says the same as you mentioned. What will be the option now?

    1. Hey Chetan,
      According to a couple of LinkedIn users I spoke to, the feeling is that this “may” be caused if you used a false name on your LinkedIn account (i.e. if they think your name is false, they suspend your account without any notification, and you end up with a similar situation to the one described in my blog).

      If you think that may also be the case for you, you’ll need to contact LinkedIn support and say you’ll update your name. In most cases like this, they’ll then allow you back in.

      Hope that helps! …but please report back and let us know how you got on!

  3. Even I faced the same problem of account lockout and I had to click on the reset password link, but nothing happened. I don’t know where and how to connect to the LinkedIn support team. Is there any contact number where I can call? Or any email address where I can send a mail to get my account unlocked?
