LinkedIn Facing Class Action Lawsuit Over Password Breach

A class action lawsuit has been launched against LinkedIn after over 6 million of the social network’s user passwords were stolen and posted online.

The suit is being led by plaintiff Katie Szpyrka, who has alleged LinkedIn failed to properly safeguard users’ personally identifiable information, violating its own user agreement and privacy policy by not using “long-standing industry standard protocols and technology.”

The court filing alleged LinkedIn was using “insufficient encryption methods to secure the user data”, meaning hackers could “easily” decipher a significant number of the passwords. It claimed early reports had indicated an SQL injection attack was used to acquire the passwords, which would again point to weak security practices at LinkedIn.

Salt with your passwords, sir?

The stolen LinkedIn passwords were stored as unsalted SHA-1 hashes, which offers some protection, but many in the security industry see the standard as an inherently insecure one.

Following the breach, LinkedIn announced “a long-planned transition” to a password database system that both hashes and salts the passwords, providing a double-layer of security.

LinkedIn refuted the claims in the court filing, claiming it was inspired by lawyers wanting to exploit the situation.

“We have recently learned that a class action lawsuit has been filed against the company related to the theft of hashed LinkedIn member passwords that were published on an unauthorised website,” a spokesperson told TechWeekEurope.

“No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured.

“Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior.”

Are you a security lover? Try our quiz!