Major LinkedIn Account Takeover Campaign Underway

Security researchers have warned of a significant global account takeover campaign targeting LinkedIn users over recent weeks.

Cyberint claimed this week that desperate users locked out of their accounts are venting their ire at the platform’s support on social media. There’s been a spike in searches for LinkedIn support and advice on account compromise across social media as a result, the threat intelligence vendor claimed.

“Our analysis using Google Trends reveals a significant surge in the past 90 days in the volume of Google searches related to the hacked account campaign,” explained researcher Coral Tayar.

“Search queries such as ‘LinkedIn account hacked’ or ‘LinkedIn account recovery’ have experienced a substantial upward trend.”

She claimed the term “breakout” had seen a spike in searches of over 5000%.

The attackers try to breach accounts protected by multi-factor authentication (MFA) or brute-force those protected solely by passwords, causing LinkedIn to temporarily lock legitimate users out and request that they verify their accounts and update their passwords, Tayar said.

In a worst-case scenario, these account takeover attempts succeed, and the threat actor is able to change the password and email address associated with the LinkedIn account, effectively locking the real owner out.

Tayar said some victims have received ransom messages requesting a few tens of dollars to regain access, while others have seen their accounts being deleted outright.

She warned that access to accounts could enable not just blackmail, but also social engineering of contacts, covert data gathering or the dissemination of malicious content.

“Although the specific intentions of the threat actors are uncertain yet, whether they are financial, phishing, or internal information acquisition, the potential impact on victims is serious,” Tayar added.

“While a complete picture is still emerging, there are a few potential methods by which the threat actors might have first gained access. One possibility is that they have obtained data from an exclusive LinkedIn breach and are leveraging it to breach accounts that lack two-step verification. Another method could involve the use of brute force tools to penetrate the accounts, particularly those with shorter passwords.”
