LinkedIn Security Fail
One of the core tenets of web application security — though it probably applies elsewhere — is the concept of information leakage: the best line of defense is to not give the attacker anything to use against you.
Most of the time this is taken to mean things like not showing stack traces when an error occurs (PHP's default config, I'm looking at you).
That's not quite the whole story though: for example, if a user logs in incorrectly, don't tell the user which part of their authentication was incorrect! If a user knows that "admin" isn't a login, they stop attacking that and look elsewhere. Or vice-versa.
LinkedIn gets this half-right. If you forget your password, you're prompted to enter in the email address on file. Then, LinkedIn emails you a password reset link and displays the following:
If [email] is in our records, we will send a link to reset your password to that address. If you are having problems receiving this link, please contact Customer Service.
Damn right! If we happen to have that guy on record! But it fails on the other end:
Like I said, half-right.