How LinkedIn Protects Your Account
September 12, 2014
Given the recent news around high-profile account takeover attempts on other services, we thought it’d be useful to share the ways we work behind the scenes to keep your account secure and some of the quick steps you can take to improve the security of your LinkedIn account.
Security starts at login, so our systems proactively evaluate member login attempts for suspicious activity and potential intrusions. Many of these takeover attempts use automated tools to guess passwords; our systems work to detect these tools and then deploy roadblocks against them. We also monitor key site metrics 24x7 to find and mitigate attacks against our login system. We’ve also moved the majority of our member traffic to HTTPS, which provides authentication of our site and protects against man-in-the-middle attacks.
We also compare username and password combinations we find on the Internet to our members’ credentials, and in the event we find matches, we promptly invalidate the password for the account and then notify the member to update their password.
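A minimal sketch of the leaked-credential check described above, added here as an illustration and not LinkedIn's own code. It assumes a dump of `email:password` lines and accounts stored as salted PBKDF2 hashes; every name, record field and sample value is constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(password):
    # Hypothetical account record: per-user salt, derived hash, reset flag.
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}

def parse_dump(lines):
    # Yield (email, password) pairs; split on the first ':' only, because
    # passwords may contain colons. Malformed lines are skipped.
    for line in lines:
        email, sep, password = line.rstrip("\r\n").partition(":")
        email = email.strip().lower()
        if sep and email and password:
            yield email, password

def find_exposed_accounts(dump_lines, accounts):
    # Re-hash each leaked password with the account's own salt and compare in
    # constant time. A match invalidates the password (must_reset) and the
    # email is returned so the member can be notified.
    exposed = []
    for email, leaked in parse_dump(dump_lines):
        record = accounts.get(email)
        if record is None or record["must_reset"]:
            continue
        if hmac.compare_digest(hash_password(leaked, record["salt"]), record["hash"]):
            record["must_reset"] = True
            exposed.append(email)
    return exposed

# Constructed sample data: not real accounts or a real dump.
ACCOUNTS = {
    "alice@example.com": make_record("Summer2014!"),
    "bob@example.com": make_record("correct horse battery"),
    "carol@example.com": make_record("x:y:z"),
}
DUMP = ["Alice@example.com:Summer2014!\n", "bob@example.com:hunter2\n",
        "carol@example.com:x:y:z\n", "alice@example.com:Summer2014!\n",
        "nobody@example.com:abc\n", "no separator here\n"]

if __name__ == "__main__":
    print(find_exposed_accounts(DUMP, ACCOUNTS))
```

Because each stored hash has its own salt, the leaked password has to be re-derived per account; the dump cannot be hashed once and joined against the credential table.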
Most account takeover attempts leverage these large sets of emails and passwords, though in some cases, hackers spend time researching specific targets and working to obtain account identifiers such as email addresses. To mitigate these types of attacks, we deploy automated defenses to prevent abuse of functionality that members use to connect, such as address book import. We are building an opt-out setting where members can choose not to have their email address discoverable through address book import to people they are not connected with. In the meantime, our support teams can answer questions about the visibility of your email address and manually opt you out.
You can also take three quick steps to make your account more secure. We encourage you to take five minutes today to do the following:
- Turn on two-factor authentication (2FA)
- Regularly monitor your account activity
- Check your privacy settings