Best Practices10 min readMay 23, 2026

How to Secure Your LinkedIn Account: Passwords, 2FA, and Privacy Settings

LinkedIn is a goldmine for social engineering attacks — your career history, employer, colleagues, and contact info are all publicly available. A compromised LinkedIn account can damage your professional reputation and expose your network. This guide walks through exactly how to lock it down.

Why LinkedIn Is a Prime Target for Attackers

LinkedIn is unique among social networks in the value it offers to attackers. Your profile is a detailed dossier: your full name, current and past employers, job titles, location, education, colleagues, and often your professional contact information — all publicly accessible by default. This makes LinkedIn one of the most-harvested platforms for spear phishing, business email compromise (BEC), and social engineering attacks.

Attackers impersonating LinkedIn contacts or LinkedIn itself are common. Phishing messages that appear to come from a colleague or recruiter are particularly effective because the sender can verify personal details from your public profile to make the message seem legitimate. A compromised LinkedIn account gives an attacker your full contact list, your messaging history, and the ability to impersonate you to everyone you're connected with.

LinkedIn has also experienced significant data breaches. In 2021, scraped data from over 700 million LinkedIn profiles — roughly 92% of the user base at the time — was posted for sale online. If your account was active before 2021 and you haven't changed your password since, there's a meaningful chance your credentials are already in circulation among attackers.

Set a Strong, Unique LinkedIn Password

The first and most important step is ensuring your LinkedIn password is both strong and unique — meaning it's not used on any other site or service. Credential stuffing attacks work by taking leaked username/password combinations from one breach and trying them automatically on other platforms. If your LinkedIn password is the same as your email, banking, or any other account, a breach of any one of them puts all of them at risk.

A strong LinkedIn password should be at least 16 characters, randomly generated, and contain a mix of uppercase, lowercase, numbers, and symbols. Use our free password generator to create one now — copy the result and store it in your password manager before doing anything else. We recommend NordPass for personal use or 1Password for teams.

To change your LinkedIn password: click your profile photo → Settings & Privacy → Sign in & security → Change password. You'll be prompted to enter your current password and then set the new one. After changing it, any active sessions on other devices will be logged out automatically.

Enable Two-Factor Authentication (2FA)

Two-factor authentication is the single highest-impact security measure you can add to any account. With 2FA enabled, an attacker who obtains your password still cannot log in without the second factor — typically a time-based code from an authenticator app or a code sent by SMS.

LinkedIn supports two options for 2FA: authenticator app (recommended) and SMS. Use an authenticator app if possible — SMS-based 2FA, while better than nothing, is vulnerable to SIM swapping attacks where an attacker convinces your carrier to transfer your phone number to a SIM they control. Read our guide on SIM swapping protection to understand this risk.

To enable LinkedIn 2FA: Settings & Privacy → Sign in & security → Two-step verification → Set up. Select "Authenticator app" and scan the QR code with your preferred app (Google Authenticator, Microsoft Authenticator, or Authy all work). Save the recovery codes LinkedIn provides — store them in your password manager. You'll need these if you lose access to your authenticator app.

After enabling 2FA, LinkedIn will show you a list of trusted devices that won't require the second factor on each login. Review this list and remove any devices you no longer use or don't recognize.

Review Active Sessions and Connected Apps

LinkedIn shows you all active sessions — devices currently logged into your account. If you see sessions from locations or devices you don't recognize, that's a red flag that your account may already be compromised.

To review sessions: Settings & Privacy → Sign in & security → Where you're signed in. You can end individual sessions or sign out of all devices from this page. Do this immediately after changing your password.

Also review connected third-party apps: Settings & Privacy → Data Privacy → Other applications. Any app that you've authorized to access your LinkedIn data appears here. Remove anything you don't recognize or no longer use. Each connected app is a potential attack surface — if that app is breached, the attacker inherits whatever LinkedIn permissions you granted it.

Lock Down Your Privacy Settings

LinkedIn's default privacy settings are designed for maximum visibility, which is appropriate for job searching but not for minimizing your attack surface. Here are the key settings to review:

Profile visibility: Settings & Privacy → Visibility → Profile viewing options. Control whether people see your full name and headline, or just "LinkedIn Member," when you view their profiles. Under "Edit your public profile," control exactly which sections are visible to people not logged in to LinkedIn — consider hiding your connections list, which is particularly valuable to attackers mapping your professional network.

Who can see your connections: Settings & Privacy → Visibility → Connections. Set this to "Only you" unless you have a specific reason to share your contact list. Your connections list is a roadmap for social engineering attacks against your colleagues.

Email address visibility: Settings & Privacy → Visibility → Who can see or download your email address. Restrict this to connections only or "Only you" to reduce harvesting of your professional email address for spam and phishing campaigns.

Activity broadcasts: Under Visibility settings, control whether your connections are notified when you make profile changes. Turning this off reduces information leakage about your current job search or network-building activity.

Protect Yourself When Using LinkedIn on Public Wi-Fi

One underappreciated risk is accessing LinkedIn from coffee shops, airports, hotels, or other public Wi-Fi networks. Unsecured networks can allow attackers to intercept unencrypted traffic or execute man-in-the-middle attacks. Even though LinkedIn uses HTTPS, there are scenarios — especially on captive portal networks or networks with rogue access points — where your session data could be exposed.

The practical solution is to use a VPN whenever you're on public Wi-Fi. A VPN encrypts all traffic between your device and the internet, making it unreadable to anyone on the same network. NordVPN is a strong choice — it supports up to six simultaneous connections, includes a kill switch that cuts internet access if the VPN drops, and has servers in 60+ countries for reliable performance. If you regularly log into LinkedIn or access sensitive work accounts while traveling, a VPN is a non-negotiable safeguard. See our guide to using a VPN for privacy for a full setup walkthrough.

Recognize LinkedIn Phishing Attacks

LinkedIn-themed phishing is among the most common attack vectors in corporate environments. Attackers send emails or messages that mimic LinkedIn notifications — connection requests, profile views, job alerts — with links that lead to credential harvesting pages designed to look like LinkedIn's login screen.

Key things to check:

  • Sender domain: Legitimate LinkedIn emails come from @linkedin.com or @e.linkedin.com — not variations like @linkedin-security.com or @e.linked.in.com.
  • Hover before clicking: The destination URL should be linkedin.com. If you're redirected to a login page after clicking a link, navigate directly to linkedin.com in a new tab and log in there instead.
  • Suspicious InMail: Be skeptical of messages from recruiters you haven't interacted with that ask you to open an external link or download a document. A common attack sends a "job description" attachment that is actually malware.
  • Urgency signals: Phishing messages often create false urgency — "Your account will be suspended in 24 hours" or "You have a new message from a hiring manager." Real LinkedIn security alerts never ask you to enter credentials via a linked page.

For broader phishing awareness, our guide on how to spot and avoid phishing attacks covers these patterns across all platforms.

What to Do If Your LinkedIn Account Is Compromised

If you suspect your account has been taken over — you can't log in, your connections are receiving strange messages, or you see sessions from unfamiliar locations — act immediately:

  1. Go to linkedin.com/help or linkedin.com/checkpoint/lg/login-submit and use the "Forgot password?" flow to reset your password via email.
  2. If you're locked out entirely, use LinkedIn's account recovery form and submit a government-issued ID for verification.
  3. Once back in, immediately enable 2FA, review all connected apps and revoke unknown access, and end all active sessions except your current device.
  4. Notify your connections — if your account was sending spam or phishing messages, let your network know so they don't act on anything suspicious.
  5. Change your password on any site where you used the same LinkedIn credentials.

LinkedIn Security Checklist

Use this checklist to audit your LinkedIn security today:

  • Password is unique and 16+ characters — not shared with any other account, stored in NordPass or 1Password
  • Password was changed after 2021 — pre-2021 credentials may be in breach databases
  • Two-factor authentication enabled using an authenticator app, not SMS
  • 2FA recovery codes saved in your password manager
  • Active sessions reviewed — unrecognized sessions ended
  • Connected third-party apps reviewed — unused apps removed
  • Connections list set to "Only you"
  • Email address visibility restricted
  • Public profile reviewed — sensitive sections hidden from non-logged-in viewers
  • VPN in use when on public Wi-Fi — see NordVPN
  • Alert settings configured to notify you of unrecognized sign-ins

Recommended Tools

Keeping your LinkedIn password unique and secure is only practical with a password manager. We recommend NordPass for personal use — zero-knowledge architecture, cross-device sync, and a free tier that handles the basics. For teams or families who need to share credentials securely, 1Password includes shared vaults and Travel Mode for protecting sensitive accounts when crossing borders.

For protecting your connection when logging in on public networks, NordVPN encrypts all your traffic and prevents network-level snooping, making it a practical everyday addition if you work from coffee shops, airports, or shared office spaces.

See our full security tools guide for more recommendations across password managers, VPNs, and identity protection services. For broader social media security, check our guide on securing all your social media accounts.

Recommended next step

See recommended security tools

Use the generator for new credentials, then store them in a manager built for long-term password hygiene.

See recommended security tools

Keep Improving Your Account Security

#linkedin#social media security#2FA#account security#professional security

🔒 Generate a Strong Password Now

Use our free tool to create cryptographically secure passwords for all your accounts.

Try the Password Generator →
Best value

Simple, fast, and secure. Made by the team behind NordVPN.

Try NordPass
Most secure

Open-source password manager trusted by millions. Free forever.

Get Bitwarden Free