LinkedIn Security Breach Triggers $5 Million Lawsuit

June 20, 2012

Social networking site LinkedIn is facing a $5 million class-action lawsuit over its information security practices, in response to an attacker who apparently obtained 6.5 million users' passwords earlier this month, according to an article from Information Week.

The hacker posted the passwords, along with an additional 1.5 million from dating website eHarmony, on a password-cracking forum on the InsidePro website, the article says.

The complaint against LinkedIn was filed Monday in U.S. District Court in the Northern District of California for plaintiff Katie Szpyrka, a Chicago-based associate at a real estate firm, by the law firm of Edelson McGuire, Information Week reports.

The lawsuit frames the case against LinkedIn as a question of whether the company's security practices were adequate to protect its customers' personally identifiable information (PII), as the company had promised, the article says.

"Through its Privacy Policy, LinkedIn promises its users that 'all information that [they] provide [to LinkedIn] will be protected with industry standard protocols and technology,'" reads the lawsuit. "In direct contradiction to this promise, LinkedIn failed to comply with basic industry standards by maintaining millions of users' PII in its servers' databases in a weak encryption format, and without implementing other crucial security measures."

The lawsuit suggests that LinkedIn "employed a troubling lack of security measures" evidenced by its reportedly being exploited via a SQL injection attack, as well as for failing to salt its passwords. "Industry standards require at least the additional process of adding 'salt' to a password before running it through a hashing function—a process whereby random values are combined with a password before the text is input into a hashing function. This procedure drastically increases the difficulty of deciphering the resulting encrypted password," read the lawsuit.

LinkedIn has been defending its security practices and leadership since the breach, and the site is expected to fight the lawsuit.

According to Darain Faraz, a LinkedIn communications manager who corresponded with Information Week via email: "No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

Join our subject matter experts as they explore how the right systems can help identify, analyze and report potential incidents and help building owners sustain compliance and create safer spaces.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

LinkedIn Security Breach Triggers $5 Million Lawsuit

Related Articles

Related Products

Related Events

Report Abusive Comment