LinkedIn user alerts mistakenly blocked as spam

Researcher says more than 4% of intended recipients blocked LinkedIn's email instructions on resetting breached passwords

Many of the LinkedIn emails alerts instructing users on how to reset passwords accessed by hackers were dumped into spam boxes, according to email security vendor Cloudmark.

In a blog post on Tuesday. Andrew Conway, a Cloudmark researcher, said a substantial increase in spam reports last weekend were traced to LinkedIn password reset email alerts

In many cases, the emails that users' marked as spam were legitimate alerts from LinkedIn, Conway said.

"Over 4% of the people receiving this email thought it was spam and sent it straight to the bit bucket," Conway said. "If Linkedin sends out 6.5 million emails, then a quarter of a million people are congratulating themselves on avoiding spam -- and still have a compromised Linkedin password."

Conway said that LinkedIn did all the right things to ensure that users would not treat its emails with suspicion. All were addressed to the recipient by name, did not contain any links and were DomainKeys Identified Mail (DKIM) signed to validate their authenticity.

"Even so, it was taken for spam," Conway said. "Part of the problem is that people are used to getting email that they don't want from LinkedIn, and rather than unsubscribe, some of them just mark it as spam and hope that it will go away."

In an email to Computerworld, Conway said that Cloudmark, a provider of messaging security services to Internet Service Providers, monitors messages for clients by assigning a number of digital signatures based on the content of the messages. Thus it can determine which signatures are present on emails that are manually flagged as spam by users.

"The Linkedin compromised email message[s] generated several unique signatures, so we are able to measure the rate at which these are marked [by users] as spam," he said.

Cloudmark was able to confirm that LinkedIn, and not spammers had sent the alerts because the emails were DKIM signed by, he said.

The alerts were sent after hackers last week accessed about 6.5 million hashed passwords from a LinkedIn database and posted the stolen data on Russian hacker site.

By last weekend, most of the passwords were believed to have been decrypted by hackers and made available in plain text on many sites.

LinkedIn has confirmed the password compromise but released few details about the incident.

In three separate LinkedIn communications about the incident, the company didn't say how the passwords were accessed or whether other data, such as email IDs, were also compromised. LinkedIn said only that no email IDs have yet been publicly posted.

The latest LinkedIn update, posted yesterday, repeats much of the information that was included in previous notes.

The latest post did say that all passwords posted by the hackers, and that "we believed created risk for our members, based on our investigation," have been disabled.

Since the attack, LinkedIn has come in for some criticism for not better protecting passwords.

The company has said that it has completed a "long-planned transition" from merely hashing passwords to a system that both hashes and salts passwords. Salting is a process in which a random string of characters is appended to a password before it is hashed.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts