Jump to content

My LinkedIn Profile Was Stolen, a Cautionary Tale


“ERIN SMITH IS A LIAR!!”

I went to log onto my LinkedIn profile, to post a link to my latest blog, but I was locked out of it. There was a message saying my account had been locked because of “suspicious activity”. But all I had been posting on it were links to my writing.

I checked my emails and found ones from LinkedIn, several of the many emails from them telling me someone had messaged me, someone had viewed my profile, someone had posted another notification, but the recent ones weren’t addressed to me, they were addressed to someone called “Erin Smith”. It was her name at the top of the email, her face in the message’s profile picture, but the email had been sent to me. The email address contained my full name, which certainly couldn’t be mistaken for Erin Smith. My profile had been stolen by this Erin Smith person.

I had no email address with which I could contact LinkedIn. All their emails to me were non-reply ones. It looked as if the only way I could contact them was if I could log onto my profile, but I couldn’t because it was locked. It looked as if I mightn’t get my profile back. It felt like it did when I was a child and another child at school stole my work book, scratched out my name, and wrote their name over it. It was my profile; I had created it and I wanted it back. It wasn’t fair.

When I tried to log on to my profile, I got a message asking me to confirm my identity. They required me to upload a photo of the information page of my passport. At first, I just wouldn’t do it. LinkedIn had let my profile be stolen right out from under me, how could I trust them with such personal information? But as the week stretched on my will weakened. This was mainly because I kept receiving emails from LinkedIn, all addressed to Erin Smith, congratulating her on all the connections she was making and notifying her she had yet another message. She was using my profile and I was still locked out of it. A week later I uploaded a photo of my passport to LinkedIn.

I heard nothing from LinkedIn for over a fortnight, except for all those emails addressed to Erin Smith. It was as if they were ignoring me.

Then, two weeks later, I received an email from LinkedIn actually addressed to me, by name. It had a time sensitive link to change the password to my account, which I used, straight away. I changed my password to a three-word phrase that also contained a date (not related to my birth or marriage dates). When I finally logged onto my profile, I received a message saying that LinkedIn did not keep old information from profiles. I thought nothing of it, I was too concerned to get to my profile and didn’t pay it much attention. In retrospect, this should have warned me to LinkedIn’s poor security. It they don’t keep a copy of a profile; they can’t observe that a profile has been hijacked and how can they protect their members?

My profile had been completely hijacked by this Erin Smith. She had changed everything but my contact details, that was why I was still receiving LinkedIn’s emails. I set about repairing her vandalism and returning the profile back to being my own. As I reversed her damage, I noticed something very obvious, Erin Smith was a fake persona.

She claimed to have been to university in both America and China, she had lived in both countries and gained separate degrees. She now claimed to live in France. She claimed to have worked for, first Microsoft and then L’Oréal, a strange work profile, and now she said she was running her own “Beauty Consultancy”, whatever that was. She mainly seemed to have been using my account to send out messages.

These messages all seemed to run along the same lines. She always messaged men who had their own companies, she certainly seemed to have a type, saying she didn’t know why LinkedIn had recommended them to her as a contact (??). If they replied to her, she’d flirt with them and then asked where they lived. Wherever the man lived, and they seemed scattered across Europe and America, she would tell them that she would be visiting their home city in the next month and would “love” to meet them.

This was obviously a fake persona and she was trying to catfish and con those men, but why did she need to steal my profile to do this? Why didn’t she just create a new one for this?

I spent a long time replying to all the men she had contacted, telling them that she stole my profile and she was fake and probably trying to con them. When she originally contacted them, she had control of my profile and her picture and name was at the top of the message. Once I had control of my profile back, my name and picture were returned to the top of the message, so hopefully it was obvious that she was trying to con them.

I was annoyed at all the time I wasted over this, especially having to return everything on my profile back to the way it had been. The next day I logged onto my profile again and found another message from LinkedIn. A third-party program had accessed my profile and they had blocked it. Only now LinkedIn decided to practice some security to keep my profile safe(ish). When I got to my profile, I found Erin Smith had accessed it again, though only to send out a message from it. Obviously, she had a program that allowed her to remotely send messages from my profile. This one was typical of her messages, to a male company owner, all flirtatious and wondering why LinkedIn was recommending him to her, accept the message had my name and picture at the top of it. He hadn’t replied to it but I still sent him a message saying Erin Smith was probably trying to con him.

I’ve logged onto my LinkedIn profile daily since then but Erin Smith, in all her fakeness, has not tried to send anymore messages from it.

I don’t use my LinkedIn profile to network and find work, anymore, I mainly just post links to my writing on it, but it is still my profile, about me, another little corner of the internet that is solely about me. That might sound selfish but I’m not an important person with a big presence online. My online presence is very small but having my LinkedIn profile stolen away from me felt like another part of me had been taken away, I was cut off from people I once knew and worked with. I wanted it back and it was a relief to finally have it back.

I don’t know how she was able to steal my profile. I didn’t share my password and I only logged onto it from my home computer, which is protected by a reliable security program. How did she get hold of my password? Only I and LinkedIn knew it and I kept it secure.

I am still so angry at LinkedIn for letting this happen. Why didn’t they have systems in place to notice things like this. Erin Smith changed everything on my profile accept my contact details, why didn’t LinkedIn’s systems notice this and flag up what had happened? LinkedIn still doesn’t have two-step verification. I’ve created a password as strong as I can but that is all I can do; LinkedIn needs to step-up and start protecting their users.

I used to consider two-step verification an annoyance, especially if I’d left my phone away from my computer, but not anymore, not after this.

LinkedIn keeps promoting their premium membership to me, which is paid for, telling me how good it would be if I upgraded to it. If this is how they treat me as a basic member, I cannot trust them to treat me any better if I pay for a premium membership, and what good would that do for me anyway?

 

Drew

 

PS. Find my LinkedIn profile here.

  • Like 1
  • Wow 3

6 Comments


Recommended Comments

Mikiesboy

Posted

What a horror show to have to go through. As i read and you explained what you do with your LinkedIn profile, i asked myself the same... why didn't 'they' create their own?  Maybe you're just a number of people this has been done to.  Maybe 'they' are just sadistic.

Sorry you had this happen.

  • Like 3
Drew Payne

Posted

3 hours ago, Mikiesboy said:

What a horror show to have to go through. As i read and you explained what you do with your LinkedIn profile, i asked myself the same... why didn't 'they' create their own?  Maybe you're just a number of people this has been done to.  Maybe 'they' are just sadistic.

Sorry you had this happen.

Thank you.

It was as I started to write this blog, it occurred to me, why didn't she just create a new, fake profile?

I've heard of this happening to other people but it was still a shock to have it happen to me. My only advice is to have a really long password because LinkedIn doesn't seem that concerned about our security.

  • Like 3
chris191070

Posted

Sorry this happened to you.

  • Like 3
Drew Payne

Posted

2 hours ago, chris191070 said:

Sorry this happened to you.

Thanks, but at least I was able to get it back

  • Like 3
lawfulneutralmage

Posted

Account hacking is awful!

Security is not only the responsibility of the user, but also of the service provider. And there are MANY black sheep. Doing security correctly is complex and thus expensive...

So, we users can only do so much i.e. dealing with our passwords. The number of possible combinations of the characters in a password is expressed as:

(number of potential characters than can be used)^(number of characters in the password)

So, in shorter passwords, it is good to have many potential characters including special characters i.e. not alphanumeric, but generally, the number gets much bigger much quicker if the password is longer. So, make a pass"word" a pass"phrase" like "Darius1of2Persia3was4drunk5like6HELL7". Capitals, lower case, numbers, long and still memorable. Use special characters only if forced to, rather make the password longer.

Use a different password for each service. NEVER recycle passwords.

Use a password manager like KeePass to store and generate passwords. Always make them as long as the service permits.

Some passwords, like those required as basis for communication and identity e.g. email service, should not be cryptic. Those passwords must be long, but memorable!

As described, use two-factor authentication wherever reasonably (!) possible. Such a 2FA service is reasonable if it allows to store recovery keys! Otherwise, if the phone is gone for whatever reason, the account will be inaccessible! It is possible to export the 2FA keys from the 2FA app on the phone, but only if the app allows that like Aegis. The usually advertised big ones do not (at least a year ago when I chose Aegis to be able to back up the 2FA keys). Also, if possible, add a second 2FA phone number to the service, if possible and if allowed.

Generally and unfortunately, the more pain you experience, the more secure it is :)

  • Like 1
  • Love 1
Drew Payne

Posted

@lawfulneutralmage, thank you for such solid gold advice and thank you for adding it to my blog.

I try to make my passwords as long and as complicated as possible, but as you say, security is a two-way street.

  • Love 2

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...