It's a job hunter's best friend: LinkedIn, the online networking site for professionals looking to boost their careers. But along with the job history, users are offering a gold mine of personal data for potential identity thieves. What can you do to gain the rewards of using LinkedIn, while minimizing the risks?
According to recent news reports on komonews.com and krebsonsecurity.com, a pair of "ethical hackers" has discovered a way to track down users' e-mail addresses, which could put someone on the way to stealing those users' identities.
Bryan Seely and Ben Caudill of Rhino Security Labs discovered the hole, reported komonews.com. The two are becoming known as gadflies on the internet, after they also showed how anonymous posts on the website Secret were not so anonymous. Seely also exposed a flaw in Google Maps, figuring out how users can "mapjack" the program to create fake business listings or change the descriptions for other businesses.
With LinkedIn, much of the problem revolves around the site encouraging users to tap their contact lists in e-mail and other accounts to find people they know who are also using LinkedIn, komonews.com reported. Most people build their e-mail address from a combination of their first and last names and initials. By trying assorted combinations of a specific person's name and initials, these hackers often successfully zeroed in on the correct e-mail address, and with it gained the ability to message that person.
In addition to invading a user's privacy, the news sites reported, hackers could use the correct e-mail addresses to log into users' other accounts. They also could send fraudulent e-mails and spam from that address.
LinkedIn officials say they are working on a fix, the stories reported. Users now can ask to opt out of having their e-mail addresses discoverable. Long term, reported the websites, LinkedIn is considering an opt-out box that users could check so they can't be discovered via their e-mail address.
Meanwhile, the LinkedIn help center has these tips for protecting your identity on the site:
- Never give out sensitive information if you have any doubts about who will receive it. Go directly to a business website to enter personal data; don't click through from an e-mail. Check the browser to make sure the address bar reads "https://", which means the connection is likely secure.
- Legitimate LinkedIn messages will always be addressed directly to you. Be wary of anyone asking for your bank or financial information.
- Use a strong password. Don't use it to access other sites, and don't use a word from the dictionary.
Don't give out your financial information unless you reached out first. And don't share too much on social networking sites. Identity thieves often can use information found there to crack security questions.