Oh, the irony. LinkedIn, the social network for professionals, is notorious for sending an endless barrage of spammy emails that no one wants to receive. But when it comes to telling users something useful—for instance, that one’s password has been compromised—LinkedIn (LNKD) has stayed silent.
I found this out the hard way when I tried a new service informing users if their email was among the millions hacked in a massive 2012 LinkedIn data breach.
The service is offered website called “Have I been pwned” (geek-speak for “owned” or “overcome”). The website lets you enter your email to find out if its among those stolen in various data breaches. As of Monday, as Motherboard reports, the site now includes victims of the LinkedIn hack. I entered my email, and this is what I saw:
So that’s what you should do immediately if you use LinkedIn: use the site to check if your email was stolen and, if so, change your password immediately.
I’m not the only one, by the way, who didn’t receive a warning from LinkedIn. A work colleague, whose account was likewise compromised, also can’t recall getting a notification from the company. More broadly, the issue is back in the news since reports last week revealed that the 2012 breach was much, much bigger than originally reported.
Get Data Sheet, Fortune’s technology newsletter.
So how serious is this? On the one hand, it’s not that big a deal because many of us had already changed our passwords in response to news of the initial breach. But on the other hand, it’s likely millions have not done so, which means they’re still exposed. (It doesn’t help that many people chose woefully weak passwords; a report last week showed the second most popular password was “linkedin”).
Likewise, even if you’ve changed your LinkedIn account, the data breach is still a problem because many people use the same password in multiple places. As Troy Hunt, who runs “Have I got pwned” reports, some hackers obtain old password and email combinations stolen from one website in order to try and break into user accounts at other websites.
In response to email questions about how and when the company will notify customers about the breach, a LinkedIn spokesperson replied:
“We’ve finished our process of invalidating all accounts we believed were at risk. These were accounts that had not reset their passwords since the 2012 breach. We’ll soon be sending more information to all members that could have been affected, even if they updated their password four years ago.”
To be fair to the company, as Hunt points out, the whole mess, including the weak security protocols that led to the breach, is not the fault of the company’s current CEO.
At the same time, though, LinkedIn users deserve a plain English explanation from the company about what is going on and if they are still at risk. But if the past is any indication, all they’re likely to get is another torrent of inane emails about long-ago acquaintances wanting to connect.
Update: On Wednesday, many LinkedIn users received an email explaining the security breach.
This story was updated at 12:45 ET to include LinkedIn’s response. It also amended the definition of “pwned.”
