LinkedIn Blackmail and Management Lessons

I received yesterday a mail asking me for money in exchange for deleting some video related to some unspecified "porn activity" I was supposed to have done in the previous days. Clearly a hoax, as I suspected from the very beginning and confirmed by a quick search. Supposedly, 164 million of us had our credentials stolen from LinkedIn, so no wonder that we are receiving mails trying to extort money.

As this is an attempt at extortion, and extortion is a criminal offense, I reported it to LinkedIn and Outlook. Now this is the reply I got from LinkedIn:

<quote>

Response (06/05/2019 18:48 CST)

Hi (contact’s first name),

Thanks for contacting us about this. We're aware of this scam message being sent outside of our platform and are watching closely to ensure our members stay protected. We encourage our members to utilize our Safety Center as a resource to educate and protect themselves from frauds online.

In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members’ passwords and those accounts affected had mandatory password resets. We have reviewed your account and do not see indications that it has been compromised. To ensure your account remains secure, we took the actions previously outlined.

We strongly recommend these best practices for your online privacy:

- Turn on two-step verification as an added layer of security: https://www.dhirubhai.net/help/linkedin/ans

- Check the email addresses on your account to ensure they are current: https://www.dhirubhai.net/help/linke

Regards,

Troy LinkedIn Safety Operations Support Specialist

</quote>

First of all, no wonder that they got their data stolen: they can't even manage to run a script that substitutes (contact first name) with the actual name. Wow.

As well, "We do not see indications that it has been compromised". Uhm. If I go to haveibeenpwned.com it appears that my address HAS been compromised. Some Zac was able to send a mail to the email address I use exclusively for LinkedIn (I stress: EXCLUSIVELY) with the password I used to have years ago, but they do not see any indication that my account has been compromised. Ever. I obviously must go around with a post-it on my forehead with a few login/password pairs from years ago.

I don't have much time for this, but I cannot help noticing a few extremely bad practices in management, typically:

1. Denial: there was a massive screw-up some time ago; there have been reports since 2018 that apparently a large number of people have been "attacked". Be open. Show a pop-up message to ALL members saying "if you receive a mail like this, just report it to this address and delete it, it's a scam". That will save everyone's time.

2. Diverting the blame: the screw-up was on your side. Totally. Now you tell me that I should do something (turn on two-step verification, etc.) as if it were MY negligence.

3. Minimising: "some members" was 164 million. That would be the fifth most populous country on earth, with the population of Germany, Italy and Australia combined.

LinkedIn being a supposedly professional network, what you show is complete incompetence. Incompetence in keeping data safe. Incompetence in following up on an incident. Incompetence in communication. The message should have been something like:

"Hi Alex, we know. There are a lot of them going around. Rest assured that all our procedures have changed since then, and we now have a pro-active stance in chasing down these hackers. We are collaborating with the relevant authorities to bring the whole network down, and we are committed to making the Internet a safer place. Really sorry about it."

But guys, you can't even run a script ...

More articles by Alessandro Bassi