When LinkedIn was hacked earlier this month, resulting in over 6 million passwords being stolen and publicly posted, the company responded immediately and reached out to its affected customers. However, there was just one problem: the email they sent, notifying members of the hacking incident and instructing them on how to reset their passwords, was ignored by roughly 4% of recipients, most of whom promptly reported it as spam. That is about a quarter of a million people whose ignorance has left them with a compromised account. The emails were 100% legit and were digitally signed by LinkedIn using DomainKeys Identified Mail (DKIM).
This is not a new problem. Many users, when they receive a newsletter or other email they don’t want, are either too lazy to look for and follow the unsubscribe directions, mistakenly believe that any and all unsubscribe links are malicious, or simply won’t take the time to check out an email like LinkedIn’s. The news about the attack was all over the net, which leads me to believe that the users who marked the notices as spam probably aren’t active LinkedIn users and haven’t used their accounts in some time.
LinkedIn did everything right. They notified users right away, signed the messages with DKIM, did not include any links in the notification, and addressed each user by name rather than with the generic “Dear User” that is an instant tip-off that a message is spam. Yet they were still punished by being reported as spammers. Since the messages are easily proven legitimate and carry DKIM signatures, it’s unlikely the company will find itself on any blacklists, but what about the accounts of the users who acted so foolishly and hastily? Should LinkedIn disable those accounts? Reset the passwords themselves? Or just leave them alone and let the account holders suffer any possible consequences? Leave a comment and let us know what you think!