December 14, 2010

how to handle an account security concern

Over the weekend, Gawker Media, home of sites like Engadget, Gizmodo and LifeHacker, had its entire user credential database stolen and published to the Web. I had an account with LifeHacker for commenting there, and while I didn't use that password at any other sites, I did use that login name, my email address, for quite a few other accounts. This isn't a post about how Gawker handled the situation (poorly, IMO) but rather a post about how LinkedIn handled the Gawker problem.

Because lots of people, myself included, share the same login name (often an email address) across websites, and some people re-use passwords, LinkedIn took the precaution of temporarily disabling the accounts of all LinkedIn users whose login name appeared in the disclosed Gawker list. They notified all of those users, myself included, that their accounts had been disabled and that they would need to take steps to re-enable them.

And here's where it gets awesome. LinkedIn is surely the target of myriad phishing scams: emails sent to their users claiming to be from LinkedIn but actually from bad guys trying to steal user credentials. So how did LinkedIn alert me without appearing to be a phishing scam? Here's how.

Dear Asa Dotzler,

In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe.

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:

Go to the LinkedIn website
Click on "Sign In"
Click on "Forgot Password?" and follow the directions on the website

Thank you,
The LinkedIn Team

See what they did there? Or rather, what they didn't? They didn't provide any links. They didn't solicit any visits to special sites. They didn't ask me to put any trust in this email.

Email is just not trustworthy, so telling users to find their own way to LinkedIn and go through the normal LinkedIn login process is absolutely the best way to handle this kind of request.
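The two halves of what LinkedIn did, matching a third-party breach list against your own user table and then sending a notice that contains nothing to click, as an added Python example (not LinkedIn's code; the user records, breach list and notice template are constructed here):

```python
import re

# Constructed sample data, not from the Gawker dump: a site's own user table
# and the login names that appeared in someone else's published breach list.
USERS = {
    "u1": {"email": "Asa.Dotzler@example.com", "disabled": False},
    "u2": {"email": "alice@example.org", "disabled": False},
    "u3": {"email": "bob@example.net", "disabled": False},
}
BREACHED_LOGINS = [" asa.dotzler@EXAMPLE.com ", "carol@example.org", "bob@example.net"]


def normalize(login: str) -> str:
    """Canonicalize a login name so case and whitespace differences still match."""
    return login.strip().lower()


def accounts_to_disable(users: dict, breached_logins: list) -> list:
    """Return the ids of local accounts whose login name is in the breach list."""
    leaked = {normalize(login) for login in breached_logins}
    return sorted(uid for uid, rec in users.items() if normalize(rec["email"]) in leaked)


def disable_accounts(users: dict, user_ids: list) -> dict:
    """Mark the matched accounts disabled until the owner resets the password."""
    for uid in user_ids:
        users[uid]["disabled"] = True
    return users


# Anything a reader could be tricked into clicking: URLs, bare hosts, HTML anchors.
LINK_RE = re.compile(r"(https?://|www\.|<a\b|href\s*=)", re.IGNORECASE)

NOTICE_TEMPLATE = (
    "Dear {name},\n\n"
    "We have recently disabled your account for security reasons. To reset your\n"
    "password, go to the website yourself, click \"Sign In\", then click\n"
    "\"Forgot Password?\" and follow the directions on the website.\n"
)


def is_link_free(message: str) -> bool:
    """True when the notice asks the user to navigate on their own, with no links."""
    return LINK_RE.search(message) is None


def build_notice(name: str) -> str:
    """Render the notice and refuse to send one that would look like phishing."""
    notice = NOTICE_TEMPLATE.format(name=name)
    if not is_link_free(notice):
        raise ValueError("notification must not contain links")
    return notice
```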

Kudos, LinkedIn. Thanks for making this safe and easy.

Posted by asa at 10:53 AM