LinkedIn Faces $5 Million Lawsuit After Password Breach
Modernizing Authentication — What It Takes to Transform Secure Access
LinkedIn is the target of a $5 million class-action suit that claims the social networking site s data security measures were ineffective, resulting in about 6.5 million user passwords being stolen by a hacker.
The lawsuit, filed in U.S. District Court in Northern California on behalf of Illinois resident Katie Szpyrka, claims that while LinkedIn says it protects personally identifiable information (PII) with industry-standard practices and protocol, it failed to follow through with basic steps. Specifically, the company, which has about 120 million users, used a technique called hashing to encrypt information, but failed to add a second layer called salting.
LinkedIn not only used an outdated hashing technique, but also, storing users passwords in hashed format without first salting the passwords runs afoul of conventional data protection methods, and poses significant risks to the users data, according to claims in the 23-page lawsuit, which was filed June 18.
LinkedIn used a hash-based encryption technique called SHA-1, which is considered by some experts as being safer than MD5, but still flawed, especially if not accompanied by salting.
Industry standards require at least the additional process of adding salt to a password before running it through a hashing function a process whereby random values are combined with a password before the text is input into a hashing function, the lawsuit claims. This procedure drastically increases the difficulty of deciphering the resulting encrypted password.
More common practice is to salt the passwords before inputting them into a hash function, then to salt the resulting hash value, and again run the hash value through a hashing function. Finally, that fully encrypted password is stored on a separate and secure server apart from all other user information.
LinkedIn's data security procedures fall well short of this level of security, the lawsuit claims.
The stolen information came to light June 6, when a hacker posted the hashed passwords to an online password cracking forum. According to security consulting firm KoreLogic, almost 80 percent the passwords have been encrypted, and users should expect that their passwords will be leaked. In statements and blog postings over the past two weeks, LinkedIn officials have said that they have not seen evidence that any users have been harmed by the breach, and assured users that they were improving the security of the information they hold, including using the salting technique to strengthen the hashed data.
"Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords," Vicente Silveira, a director at LinkedIn, said in a June 9 blog post. The only information published was the passwords themselves.
In response to the lawsuit, LinkedIn spokesperson Erin O'Harra told Reuters that there was no merit to the lawsuit, which was filed "by lawyers looking to take advantage of the situation. No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured."