How My Former Employer Hacked My LinkedIn Account



13 February 2015

Yesterday my LinkedIn account was hacked. I got an email at 10:03 AM that my password had been reset by someone at the IP address 209.173.39.18. And then they tried to do it again a little while later. I did not see the emails until the early afternoon. I immediately reset my password and enabled two factor authentication. Basically, two factor authentication means that in addition to entering a password, one has to enter a verification code they receive by some other means like a call or text. Next I disabled all the 3rd party apps which I've integrated into LinkedIn. I didn't get a password reset email sent to my email address, so I assumed that there must have been some permissions exploited in one of those apps.

Next I set out to see if I could find out who the nefarious party was. Looking up the Whois record for 209.173.39.18 I discovered it was locally owned by an ISP called Aeneas. From the Whois record I also got contact information so I could send them an email. Today they got back to me: "That IP address is reserved for a company in Nashville that your resume shows you were employed at recently - By chance could it be something as simple as perhaps a computer or another electronic device that was at your former employer that might have had your credentials saved on it and they did not wipe your information from it before handing it to another employee?" I was quite impressed by the level of research, and, since there wasn't any major spamming done from my LinkedIn account and it didn't appear to be overtly vandalized, I figured that this was probably the case. They probably hired somebody, gave them my old laptop, and when the email address autofilled with my email they typed in their password and got an error, leading them to reset the password.

But why didn't I get a password reset email? I also thought I had been pretty religious about only opening personal accounts in a Chrome incognito window. The incognito version of Chrome deletes browsing history, form data, passwords, cookies, etc. It's a pretty safe option for a computer others may get access to. I even use it at home. Before Chrome came out I had my Firefox set to dump all that data when I closed the browser.

Believing the likelihood of the explanation from Aeneas, I emailed my former boss, Tony Dover, to inform him of what happened and see if he could delete any data from that browser. In his reply I learned that it was something much worse. It was not leftover browsing data. I have been using LinkedIn since 2008. I've gone through a few emails since then. I left old work emails associated with my account in LinkedIn so people could find me searching by email. All the emails from LinkedIn went to my primary email, anyway, which I had set to my personal email. Or so I thought. As it turns out this is not the case.

PatientFocus has a LinkedIn page. It doesn't really get used, and apparently I was still the owner despite having left the company almost a year ago. Had they asked, I would have happily turned it over. But they didn't ask. To gain control of it, they reset the password to my LinkedIn account using my old PatientFocus work email. Apparently if you put in an email address to reset your password, the email with the link to do the resetting goes to that email address, not the one you have set as primary which all other LinkedIn emails go to. Because PatientFocus has access to my old work email account, they were able to use it to change my password and gain access to my account.

Needless to say, I have removed all email addresses which I no longer have control over from my LinkedIn account. I know two factor authentication is supposed to protect me, but after this experience I am a little wary. I am also disappointed by the way my former co-workers violated my privacy and hacked into my personal LinkedIn account.
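
The reset routing described above can be modelled in a few lines. This is an added example, not LinkedIn's code and not part of the original post; the account, the `.example` addresses, and all function names are constructed for illustration, and the stricter routing is an assumed alternative rather than any site's documented behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    primary: str                                  # where routine mail goes
    secondary: set = field(default_factory=set)   # extra addresses kept on the profile

    def addresses(self):
        return {self.primary} | self.secondary


def route_to_requested(account, requested):
    """Routing the post describes: the link goes to the address typed into the form."""
    return [(requested, "reset-link")] if requested in account.addresses() else []


def route_to_primary(account, requested):
    """Stricter routing (an assumption): the link only ever goes to the
    primary address; the typed address receives a notice with no link."""
    if requested not in account.addresses():
        return []
    mail = [(account.primary, "reset-link")]
    if requested != account.primary:
        mail.append((requested, "notice-only"))
    return mail


def domain(address):
    return address.rsplit("@", 1)[1].lower()


def takeover_paths(account, controlled_domains, policy):
    """Addresses that, typed into the reset form, deliver a usable link to a
    mailbox on a domain the account owner does not control."""
    risky = []
    for requested in sorted(account.addresses()):
        for recipient, kind in policy(account, requested):
            if kind == "reset-link" and domain(recipient) not in controlled_domains:
                risky.append(requested)
    return risky


# Constructed sample account: one personal address, one at a former employer.
acct = Account("me@personal.example", {"me@oldjob.example"})
mine = {"personal.example"}

if __name__ == "__main__":
    print(takeover_paths(acct, mine, route_to_requested))  # stale work address is flagged
    print(takeover_paths(acct, mine, route_to_primary))    # nothing flagged
```

Running the same audit against an account's real list of addresses shows which ones to remove or replace before leaving an employer.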




Last change was on 4 March 2015 by Bradley James Wogsland.
Copyright © 2015 Bradley James Wogsland. All rights reserved.