LinkedIn is having trouble alerting members affected by the recent password theft.
updated 6/14/2012 4:45:56 PM ET

LinkedIn is far from the only company to suffer a massive data breach, but the company's response to the incident is unique — in all the wrong ways.

First, a short timeline: On June 6, the passwords of more than 6.4 million LinkedIn users hit a Russian Web forum after a reported hack. After repeatedly issuing statements saying nothing was wrong — and prompting widespread criticism from security experts — LinkedIn finally admitted late in the day that the security breach was real.

To alert its millions of potentially compromised members, LinkedIn issued a list of security steps to help users keep their accounts from being hijacked. LinkedIn said affected users would receive an email from LinkedIn explaining how to reset their passwords.


Those emails have set off another series of problems. About a quarter of a million of the legitimate LinkedIn email alerts ended up in spam folders, according to Computerworld. Andrew Conway, a researcher at the security firm Cloudmark, told Computerworld that LinkedIn's emails weren't the problem — they were all addressed to the recipient by name and contained no links — it was that those recipients were expecting spam, and ready to delete it when it came.

"Part of the problem is that people are used to getting email that they don't want from LinkedIn, and rather than unsubscribe, some of them just mark it as spam and hope that it will go away," Conway said.

Softpedia reported that some of the notifications from LinkedIn were, in fact, poorly worded, and did not contain any "precise information" — the hallmarks of traditional spam messages.

The fallout from the data breach doesn't end there for LinkedIn. In attempting to rectify the problem for its affected members, LinkedIn mistakenly sent the password reset notification emails to current members' former employers, regardless of whether those employer email addresses had ever been associated with LinkedIn.

As Bitdefender reported, the LinkedIn notification doesn't include the username or password of the compromised member's account, but "this alleged security feature counts as unnecessary disclosure of activity that may actually work against the user by informing third parties of his or her whereabouts."

© 2012 SecurityNewsDaily. All rights reserved
