Best Practices · 8 min read · May 23, 2026

How to Secure Your LinkedIn Account: Passwords, 2FA, and Privacy Settings

LinkedIn is a goldmine for social engineering attacks: your career history, employer, colleagues, and often your contact details are visible to anyone who looks. A compromised LinkedIn account can damage your professional reputation and expose your whole network to attacks launched in your name. This guide walks through exactly how to lock it down.

Why LinkedIn Is a Prime Target for Attackers

LinkedIn is unusual among social networks in how much it offers an attacker. Your profile is a detailed dossier: full name, current and past employers, job titles, location, education, colleagues, and often professional contact information, much of it visible by default to anyone, logged in or not. That makes LinkedIn one of the most heavily harvested platforms for spear phishing, business email compromise (BEC), and other social engineering attacks.

Attackers impersonating LinkedIn contacts, or LinkedIn itself, are common. Phishing messages that appear to come from a colleague or recruiter are particularly effective because the sender can lift personal details from your public profile to make the message look legitimate. And a compromised account hands an attacker your full contact list, your messaging history, and the ability to impersonate you to everyone you're connected with.

LinkedIn has also been the subject of large-scale data exposures. In 2012 a breach exposed hashed passwords, and when the full data set surfaced for sale in 2016 it covered roughly 117 million accounts. In 2021, scraped data from over 700 million profiles, roughly 92% of the user base at the time, was posted for sale online. The 2021 data set was scraped public profile information rather than passwords, but it is exactly the dossier an attacker needs for targeted phishing, and combined with credentials leaked from other sites it fuels account takeover. If you have not changed your LinkedIn password in years, or you have ever reused it elsewhere, assume it may be in circulation.

Set a Strong, Unique LinkedIn Password

The first and most important step is ensuring your LinkedIn password is both strong and unique, meaning it is not used on any other site or service. Credential stuffing attacks take leaked username/password combinations from one breach and try them automatically on other platforms. If your LinkedIn password is the same as the one on your email, banking, or any other account, a breach of any one of them puts all of them at risk.

A strong LinkedIn password should be at least 16 characters and randomly generated; a random mix of uppercase, lowercase, digits, and symbols works, and so does a random passphrase of five or more words. What matters is that it comes from a generator, not from your head. Use our free password generator to create one now, then store the result in your password manager before you do anything else.

To change your LinkedIn password: click your profile photo → Settings & Privacy → Sign in & security → Change password. You'll be prompted for your current password and then the new one. Don't assume other devices are signed out automatically: if the change-password dialog offers an option to require all devices to sign in again with the new password, tick it, and in any case check the active-sessions list (covered below) afterwards and end anything you don't recognize.
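What "randomly generated" means in practice, as an added example (not the page's own generator): draw every character from a cryptographically secure source, keep only candidates that contain every character class so the result passes typical site rules, and estimate the guessing work. The symbol set is an assumption about what most sites accept; everything else is standard library.

```python
"""Generate a class-mixed random password with a CSPRNG and estimate its entropy.

Added example, not the article's generator. Standard library only.
"""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"  # assumption: symbols most sites accept
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)  # 86 characters


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one char from every class."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Return `length` characters drawn uniformly from ALPHABET.

    Rejection sampling: draw a fully random string and keep it only if every
    class is present. This stays uniform over the accepted set, unlike
    "pick one of each class, fill the rest, shuffle", which skews the result.
    secrets.choice uses the OS CSPRNG; random.choice would not be acceptable.
    """
    if length < 16:
        raise ValueError("16 characters is the floor; use more if the site allows")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Approximate entropy of a uniform password: log2(alphabet_size ** length).

    Requiring all classes removes a tiny fraction of the space, so the true
    figure is marginally lower; for 16+ characters the difference is negligible.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw)
    print(f"~{entropy_bits(len(pw)):.0f} bits of entropy")
```

At 86 symbols a 16-character password is about 103 bits and a 20-character one about 129 bits, far beyond what offline cracking of a leaked hash can reach; the weak point is reuse, not length.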

Enable Two-Factor Authentication (2FA)

Two-factor authentication is the single highest-impact security measure you can add to any account. With 2FA enabled, an attacker who obtains your password still cannot log in without the second factor — typically a time-based code from an authenticator app or a code sent by SMS.

LinkedIn supports two options for two-step verification: an authenticator app (recommended) and SMS. Use the app if you can. SMS codes are better than nothing, but they can be intercepted through SIM swapping, where an attacker talks your carrier into moving your number to a SIM they control, at which point every SMS code lands in the attacker's hands.

To enable LinkedIn 2FA: Settings & Privacy → Sign in & security → Two-step verification → Set up. Select "Authenticator app" and scan the QR code with your preferred app (Google Authenticator, Microsoft Authenticator, or Authy all work). Save the recovery codes LinkedIn provides and store them in your password manager; you'll need them if you lose access to your authenticator app. Treat the QR code itself as a secret: anyone who photographs it can generate the same codes as your app.

After enabling 2FA, LinkedIn lets you mark devices as trusted so they aren't asked for the second factor on each login. Review that list and remove any device you no longer use: a trusted device is, by definition, one that bypasses your second factor.

Review Active Sessions and Connected Apps

LinkedIn shows you all active sessions, that is, every device currently signed in to your account. A session from a location or device you don't recognize is a red flag that your account may already be compromised.

To review sessions: Settings & Privacy → Sign in & security → Where you're signed in. You can end individual sessions or sign out of all devices from this page. Do this immediately after changing your password, since an attacker's existing session may otherwise survive the password change.

Also review connected third-party apps: Settings & Privacy → Data Privacy → Other applications. Any app you've authorized to access your LinkedIn data appears here. Remove anything you don't recognize or no longer use. Each connected app is attack surface: if that app is breached, or was malicious to begin with, the attacker inherits whatever LinkedIn permissions you granted it, and an authorized app's access does not go through your password or your second factor.

Lock Down Your Privacy Settings

LinkedIn's default privacy settings are designed for maximum visibility, which is appropriate for job searching but not for minimizing your attack surface. Here are the key settings to review:

Profile visibility: Settings & Privacy → Visibility → Profile viewing options. This controls whether people see your full name and headline, or just "LinkedIn Member," when you view their profiles. More importantly, under "Edit your public profile" you can choose exactly which sections are shown to people who aren't logged in to LinkedIn; trim it to what a stranger genuinely needs to see, since this is the view that scrapers and phishing crews work from.

Who can see your connections: Settings & Privacy → Visibility → Connections. Set this to "Only you" unless you have a specific reason to share your contact list. Your connections list is a roadmap for social engineering attacks against your colleagues. One caveat: your 1st-degree connections can still see the connections you share with them, so this setting hides the list from strangers, not from people already inside your network.

Email address visibility: Settings & Privacy → Visibility → Who can see or download your email address. Restrict this to 1st-degree connections, or only you, to reduce harvesting of your professional address for spam and phishing campaigns, and to keep it out of connection exports.

Activity broadcasts: Under Visibility settings, you can control whether your connections are notified when you make changes to your profile. Turning this off is a privacy preference rather than a security measure, but it reduces the information available about your current activity.

Recognize LinkedIn Phishing Attacks

LinkedIn-themed phishing is among the most common attack vectors in corporate environments. Attackers send emails or messages that mimic LinkedIn notifications — connection requests, profile views, job alerts — with links that lead to credential harvesting pages designed to look like LinkedIn's login screen.

Key things to check: Always verify the sender's actual email address, not the display name, which can say anything. Legitimate LinkedIn emails come from @linkedin.com or @e.linkedin.com. Hover over links before clicking and read the hostname, the part between "https://" and the next slash: it should be linkedin.com or a subdomain of it, not a lookalike like linked-in.com or linkedln.com, and not something like linkedin.com.example.net, where the real domain comes last. If a link leads to a login page, don't use it; open a new tab, type linkedin.com yourself, and sign in from there. Whatever the message claimed will be waiting in your notifications if it was real.

Also be skeptical of InMail messages from recruiters you haven't interacted with before, especially those asking you to open an external link or document. A common attack pattern is a "job description" sent as an attachment or download that is actually malware; if you must look, open it in a web-based viewer rather than on your machine.
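The link and sender checks above, written out as code so the failure modes are explicit. This is an added example, not a LinkedIn tool; the sample links and From headers are constructed, and the sender-domain list is taken from this article. It catches the cases a hover check often misses: a "user@host" trick that sends the browser somewhere else, a hostname where linkedin.com is merely a prefix, and punycode or non-ASCII homographs.

```python
"""Classify LinkedIn-themed links and From headers.

Added example, not LinkedIn's code. Sample inputs are constructed.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

LEGIT_LINK_DOMAINS = ("linkedin.com",)
# Sender domains named in the article. Exact match only: mail from some other
# subdomain is not proven fake, but it is not proven genuine either.
LEGIT_SENDER_DOMAINS = ("linkedin.com", "e.linkedin.com")


def _is_domain_or_subdomain(host: str, domains) -> bool:
    """Whole-label comparison: accepts www.linkedin.com, rejects
    linkedin.com.evil.example and notlinkedin.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_link(url: str) -> str:
    """Return 'ok' or the reason the link should not be trusted."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return f"non-web scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if parts.username is not None:
        # https://linkedin.com@evil.example/ : the browser goes to evil.example.
        return f"userinfo trick, real host is {host}"
    if not host:
        return "no host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Punycode or raw Unicode: a likely homograph (e.g. Cyrillic i in linkedin).
        return f"internationalized hostname {host}"
    if not _is_domain_or_subdomain(host, LEGIT_LINK_DOMAINS):
        return f"host {host} is not linkedin.com"
    if parts.scheme != "https":
        return "plain http"
    return "ok"


def classify_sender(from_header: str) -> str:
    """Judge the address in a From header, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable address"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain not in LEGIT_SENDER_DOMAINS:
        return f"sender domain {domain} is not LinkedIn"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: one genuine-looking link, then the usual tricks.
    for link in (
        "https://www.linkedin.com/in/someone",
        "https://linkedin.com.evil.example/login",
        "https://linkedln.com/login",
        "https://linkedin.com@evil.example/",
        "https://xn--lnkedin-2jc.com/",
    ):
        print(f"{link:45} -> {classify_link(link)}")
    for hdr in (
        "LinkedIn <security-noreply@linkedin.com>",
        '"security@linkedin.com" <alerts@mail-linkedin.example>',
    ):
        print(f"{hdr:55} -> {classify_sender(hdr)}")
```

Two caveats. A passing sender check only means the header claims a LinkedIn domain; whether that claim can be forged depends on the sending domain's SPF/DKIM/DMARC enforcement and on your mail provider honouring it, so treat "ok" as "not obviously fake". And the link check is deliberately strict: LinkedIn's own lnkd.in shortener would be flagged, which is the behaviour you want for a link you were not expecting.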

LinkedIn Security Checklist

Use this checklist to audit your LinkedIn security today:

Password is unique and 16+ characters — not shared with any other account
Password changed recently and never reused elsewhere: older LinkedIn passwords have surfaced in breach dumps
Two-factor authentication enabled using an authenticator app, not SMS
2FA recovery codes saved in a password manager
Active sessions reviewed — unrecognized sessions ended
Connected third-party apps reviewed — unused apps removed
Connections list set to "Only you"
Email address visibility restricted
Public profile reviewed — sensitive sections hidden from non-logged-in viewers
Alert settings configured to notify you of unrecognized sign-ins

Recommended Tools

Keeping your LinkedIn password unique and secure is only practical with a password manager. We recommend NordPass for personal use — zero-knowledge architecture, cross-device sync, and a free tier that handles the basics. For teams or families who need to share credentials securely, 1Password includes shared vaults and Travel Mode for protecting sensitive accounts when crossing borders.

See our full security tools guide for more recommendations across password managers, VPNs, and identity protection services.

Tags: linkedin, social media security, 2FA, account security, professional security
