Attention LinkedIn users: If you change your password on the site, there is an extra box you should check—or else you may still be at risk due to an overlooked flaw in the way LinkedIn handles password changes.
When changing passwords, LinkedIn doesn't log users out of all the places or devices they're logged in. There's an option to force all sessions to sign out, but it's not enabled by default.
If you change your password and don't click on that "Sign out of all sessions?" option, it's possible a hacker could still be logged into your account from somewhere, and will continue to have access to it.
"It's bad from the point of view that a user may think they have changed their password and are secure, but in fact their account is still logged in on another device," Brian Honan, a cybersecurity consultant, told Motherboard.
To make sure that's not the case, you can go back and change your password again and, this time, make sure you click on the "Sign out of all sessions?" option. Alternatively, go to "Privacy & Settings" in your profile and then, under the "Account" tab, click on "Basics" and "Where You're Signed In" to see if there's something fishy. If you don't recognize a session listed there, you can force it to sign out.
David Enos, a penetration tester, warned about this flaw in a blog post last week, and said he reported the bug to LinkedIn in February. A LinkedIn spokesperson said that Enos' original complaint in February referred to "a previous flow for password reset, which we updated when we introduced the new settings experience for all members in March."
This kind of bug isn't extremely rare. Last year, in the midst of a flurry of reports of hacked accounts all over the world, Uber fixed the same flaw after Motherboard alerted the company.
Last week, a database containing more than 100 million passwords from a LinkedIn breach in 2012 popped up for sale on the dark web.
On Monday, the company finally finished resetting the passwords of all users affected. If you are among those compromised and you haven't changed your password since the hack, you should've received an email from LinkedIn asking you to reset it. (If you received this email, according to LinkedIn, you've already been logged out of all sessions, so you're good.)
Given that the company realized that hackers had stolen the passwords of more than 100 million users (and possibly as many as 164 million) only last week, even though the original breach was reported in 2012, some see this as another security slip-up for LinkedIn.
"It sounds like not only did they not build their systems in a way where they could tell that more than the original 6.5 million account credentials were stolen, but that they can't handle secure password resets or anti-phishing defenses," Jessy Irwin, a security researcher, told Motherboard. "That's pretty horrible given the importance of professional networks, where if you step too far out of line, it can damage your reputation."
However, Per Thorsheim, the founder of the Password conference, said that the way LinkedIn handles password changes isn't necessarily bad. The current design, he told me, takes into account the possibility that perhaps you just want to change your password, or have forgotten it, without logging out all your other sessions.
What they could do better, he said, is make more clear what "Sign out of all sessions?" actually means and its implications because regular users will likely "just leave it by default."
"Average people don't know what that means," Thorsheim told me in a call.
This story has been updated to include LinkedIn's response.