Don’t Hit Delete! That Might Be a Legit Password Reset Notification Email from LinkedIn

With all this news about hacks, password leaks, and phishing scams, it's no wonder most people have become cautious and paranoid when it comes to opening emails that notify them that their passwords had been reset successfully.

And rightly so. It's better to be safe than sorry, and paranoid rather than overly complacent, right?

If you're a LinkedIn user or if you've got an account on the networking site, then you've most probably already heard about the password hash leak where close to 6.5 million login details were revealed. LinkedIn has advised all users, however, to change their passwords as soon as they can, to be on the safe side.

Unfortunately, emails confirming that the user's LinkedIn password has been changed are being mistaken for spam. Why? Because LinkedIn's notifications system is doing a crummy job and is sending these messages to email addresses that are not associated with the affected accounts at all.

This was according to security researchers from BitDefender, who reported on the matter as soon as they got wind of it.

Although the LinkedIn message doesn't mention the username, password or other identification for the user's account, this alleged security feature counts as unnecessary disclosure of activity that may actually work against the user by informing third parties of his or her whereabouts.

-- Bogdan Botezatu, security researcher at BitDefender

The situation was talked about and explained further by Cloudmark's research team as the security firm noted an increase in spam reports filed by users regarding the messages.

These were not because spammers were trying to take advantage of the publicity around the Linkedin fail. This was a real email from Linkedin telling people how to protect their account. Over four percent of the people receiving this email, thought it was spam and sent it straight to the bit bucket.

-- Andrew Conway, security expert at Cloudmark

Talk about ironic. Hey LinkedIn, what you can do instead of zealously sending out these "unnecessary disclosures of activity" is do a better job at keeping hackers out of your system.