LinkedIn slapped with $5M lawsuit over security breach

LinkedIn under fire for security breach
LinkedIn under fire for security breach

LinkedIn has been slapped with a $5 million lawsuit in the wake of the mass password theft it suffered earlier this month.

The class action suit was filed by Katie Szpyrka in the United States District Court of California's Northern District, seeking damages for negligence and breach of contract.

One of the key points in the case is LinkedIn's failure to "salt" password hashes before storing them on its servers and in using the "outdated" SHA-1 hashing function for security.

Salting is a process that adds an extra layer of encryption to hashed data, and is particularly useful in helping to prevent against common hacking methods such as a dictionary attack.

Another point of contention in the case comes from preliminary reports that the 6.5 million passwords were stolen from LinkedIn through an SQL injection attack.

Such an attack exploits security vulnerabilities in a website, which would mean that LinkedIn was not taking sufficient security precautions.

That argument has been successfully used in cases before, with the lawsuit specifically referencing a 2003 complaint against the "Guess?" clothing brand.

However, there is no confirmation yet that an SQL injection attack was used, which could render it a moot point.

LinkedIn fires back

In an update last week, LinkedIn claimed that there have been no reports of members whose accounts were breached from the stolen passwords.

A LinkedIn representative reiterated that point in recent comments responding to the lawsuit.

"No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured," a LinkedIn representative told ZDNet.

"Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."

Quite frankly, the most surprising part of the case is that it took a full two weeks before the first class action lawsuit materialized.