Ask HN: LinkedIn made me reset my password (my email was in the Gawker dump)

23 points by adelevie ↗ HN
I suspect LinkedIn is checking email addresses against the hacked Gawker data and forcing any matching accounts to reset their password. Here's an except of the email they sent me:

  In order to ensure that you continue to have the best experience using 
  LinkedIn, we are constantly monitoring our site to make sure your account information is safe.

  We have recently disabled your account for security reasons.
Is this happening to anyone else? for other sites?

23 comments

[ 3.5 ms ] story [ 51.6 ms ] thread
Kudos to linkedin if that's what they are doing.

Proactive security response.

Maybe it's a phishing attempt? Be careful!
I don't think they are sending links inside the email. They just disable your account, let you know about it and when you try to login next time they will reset your password.
Yes - no link in the email.

---

In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe.

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:

Go to the LinkedIn website Click on "Sign In" Click on "Forgot Password?" and follow the directions on the website

Nice, hopefully more sites will do this.
Happened to me too. I'm glad it was a proactive measure and not some script kiddy trying to access my account.
I appreciated that. I also appreciated them being vague about the reasoning. No need to call Gawker out.

Fortunately I wasn't emailed by hint.io. I know they meant well, but it feels shady, considering they headed off other people working to accomplish similar goals (presumably without sending from their startup's domain)[1]

http://news.ycombinator.com/item?id=1999410

Oh, actually I was emailed by hint.io, it was just marked spam by gmail. Sweet.
That's fine if that's their reasoning, but I got 4 or 5 emails to the same effect. None of which really explained WHY I was being prompted so many times, so I dismissed them all as spam/phishing.
Makes me feel better. I was "pretty sure" that i had only used Twitter OAuth to comment, and have been unable to confirm that. I haven't received an email from hint.io or a reset from LinkedIn so a little safer.
Me too. So far today I've been locked out of GMail, LinkedIn and Twitter. I thought it might be due to failed login attempts with a bad password, but it sounds like it's all just proactive lockouts based on being in the file.
I also got this email. I suspected it due to the Gawker incident, although I wasn't sure. I wish they had been a little bit more specific.

I also got the email from hint.io, but it was marked as spam by GMail.

I was really glad when I found out about the incident that I used a throwaway password that wasn't the same as my GMail. I've been keeping track of more of my passwords with KeepassX, although I still use the same somewhat secure password on sites where it doesn't matter.

As a side note: I'm trying to brute force/crack my hash to test how secure my password is. I'm using John the Ripper with the command line:

  john -session:testing -incremental test.txt
So far, I'm 17 hours in at about 600000 c/s and it still hasn't been cracked, so I feel somewhat secure about it, although I realize DES is considered insecure.
I noticed I was locked out of Twitter today too
Yes. This happened to me too. And my e-mail was in the Gawker dump too. In fact I changed passwords of all my online accounts and completely forgot about LinkedIn. But I appreciate them doing this.
And the "LinkedIn website" link was not like that?

hxxp://www.linkedin.com.qwe0923fffuuu.biz/ or similar?

If I was a phisher, I would have sent such things to all leaked emails...

My email wasn't in the Gawker dump and yet both my LinkedIn accounts got emails telling me to reset the password
I got the following email from Blizzard as well as the one you mentioned from LinkedIn:

Greetings!

We’ve recently been informed that several Gawker Media websites have been compromised. These websites include Gawker, Gizmodo, Kotaku, Lifehacker, Jezebel, io9, Jalopnik, Deadspin, and Fleshbot. To help minimize the effects of this compromise and help keep your Battle.net account safe and secure, we’ve reset your account password. To complete the password reset, please log into Battle.net Account Management (https://us.battle.net/account/management) and follow the provided instructions.

If you are a registered commenter for any of these sites and used your Battle.net email address to sign up with Gawker Media, we also recommend that you update your Battle.net address as soon as possible via Account Management. If you are unable to complete this step or the password reset on your own and believe your account may be compromised, please contact our customer support staff by using the Account Recovery form (https://us.battle.net/account/support/account-recovery.html) and be sure to check out our Account Security Awareness guide (http://us.battle.net/en/security/) for additional security tips and suggestions.

For more information about this situation, please visit Gawker Media’s official announcement (http://gawker.com/5713056/gawker-security-breach-were-here-t...) or Lifehacker’s comprehensive FAQ (http://lifehacker.com/5712785/faq-compromised-commenting-acc...).

Regards, Blizzard Entertainment

So I give kudos to linkedin for being proactive, but I actually do create a different password for every site (stored in Password Safe/LastPass), so I'm not looking forward to having to change all my passwords for no reason.

But yeah, I'm sure for the majority of users this makes sense.

(comment deleted)
I had the same email from linked in this morning but became suspicious because yesterday, I was locked out of both my gmail and twitter accounts. Guess I'll be staying tuned.