
LinkedIn faces lawsuit over security breach

The recent LinkedIn password breach has resulted in a lawsuit that accuses the enterprise social network of failing to properly secure its users' data.

"LinkedIn violated its own User Agreement and Privacy Policy by failing to utilize long-standing industry and standard protocols and technology to protect" its members, according to the lawsuit, which was filed in California district court by Illinois resident Katie Szpyrka.

Szpyrka is looking to attain class-action status.

Earlier this month, LinkedIn confirmed that hackers gained access to some of the enterprise social network's passwords. Approximately six million of LinkedIn's 161 million users were affected, and LinkedIn reset the accounts of those who were compromised.

LinkedIn utilised a "weak encryption format," the suit said, which "failed to comply with basic industry standards." The format in question is unsalted SHA-1 hashing, which the suit said is "outdated." Storing data without salting the password first "runs afoul of conventional data protection methods," the suit said.

In a statement, LinkedIn said it was aware of the class-action suit, but stressed that "no member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured."

As a result, LinkedIn said it believes that the lawsuit is "driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."

In a 9 June blog post, LinkedIn said one of its major initiatives has been to "transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry."

LinkedIn said "that transition was completed prior to news of the password theft breaking."

Szpyrka joined LinkedIn in 2010 as a premium member and paid approximately $25 (£15) per month. The lawsuit did not specify whether her information was accessed in the breach.

The suit was first reported by Courthouse News.