LinkedIn has been issued with a class-action lawsuit after millions of users’ passwords were stolen and published online.
The suit, brought by Illinois resident Katie Szpyrka "individually and on behalf of all others similarly situated", alleges that LinkedIn failed to use "long-standing industry standard protocols and technology to protect [users’] personally identifiable information" – despite promising to do so in its privacy policy.
Specifically, it claims that LinkedIn stored passwords in "unsalted SHA1 hashed format".
"The problem with this practice is two-fold," it says. "First, SHA1 is an outdated hashing function, first published by the National Security Agency in 1995. Secondly, storing users’ passwords in hashed format without first ‘salting’ the password runs foul of conventional data protection methods, and poses significant risks to the integrity [of] users’ sensitive data".
It notes that the site has since adopted an "extra layer of protection" in its password security management, including salted passwords, but says "these actions were too little too late".
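To make the suit's two-fold point concrete, here is an added example (not from the article or from LinkedIn) contrasting the unsalted SHA-1 storage it criticises with the per-user salted, iterated scheme it says was adopted later; the account names, passwords and the small common-password list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users chose the same weak password.
PASSWORDS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "Tr0ub4dor&3"}
COMMON_PASSWORDS = ["123456", "password", "linkedin123"]  # constructed mini wordlist


def unsalted_sha1(password: str) -> str:
    """The scheme the suit criticises: one SHA-1 pass, no salt, no work factor."""
    return hashlib.sha1(password.encode()).hexdigest()


def duplicate_hashes(stored: dict) -> dict:
    """Without salt, equal passwords give equal hashes, so shared passwords are
    visible in a leaked table before anything is recovered."""
    seen = {}
    for user, digest in stored.items():
        seen.setdefault(digest, []).append(user)
    return {digest: users for digest, users in seen.items() if len(users) > 1}


def exposed_by_lookup(stored: dict, wordlist: list) -> dict:
    """Audit check for a legacy unsalted store: a table over the wordlist is built
    once and reused for every account, which is why such hashes fall so quickly."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_record(password: str, salt=None, iterations: int = 200_000) -> dict:
    """Defensive alternative: random per-user salt plus an iterated KDF
    (PBKDF2-HMAC-SHA256). The salt is stored alongside the hash; it is not secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    legacy = {user: unsalted_sha1(pw) for user, pw in PASSWORDS.items()}
    print("shared passwords visible:", duplicate_hashes(legacy))
    print("matched from a precomputed table:", exposed_by_lookup(legacy, COMMON_PASSWORDS))
    salted = {user: salted_record(pw) for user, pw in PASSWORDS.items()}
    print("alice and bob hashes still equal?", salted["alice"]["hash"] == salted["bob"]["hash"])
```

With a salt, the same password stored for two users yields two unrelated records, so a precomputed table cannot be reused across accounts and each guess must be recomputed per user.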
Over 6 million passwords stolen from the social network were published online last month. "Because LinkedIn used insufficient methods to secure user data, hackers were able to easily decipher a large number of passwords", the suit claims.
It refers to "preliminary reports" that indicate that hackers stole the passwords using SQL injection. "If true, LinkedIn’s failure to adequately protect its website … would demonstrate the company employed a troubling lack of security measures."
Interestingly, the suit claims that the affected LinkedIn users have lost both money and property "in the form of their personal data". It adds that a number of users had paid for a premium service on the grounds that LinkedIn would safeguard their data, and have therefore lost out "economically".
Affected users have also been exposed "to a heightened risk of identity theft, … distress related to their unsecured data, as well as distress related to the security of their own personal accounts being exposed and accessed without authorisation".
The suit calls for LinkedIn to pay members of the class action "an amount to be determined at trial". However, it estimates the total figure to be over $5 million.
LinkedIn has yet to comment on the lawsuit.
Since the LinkedIn breach emerged, passwords from online dating service eHarmony and music website LastFM have also been posted online.