As expected for a security breach of this magnitude, a class action lawsuit has begun against LinkedIn regarding its recently leaked passwords. The action, which has been filed with the U.S. District Court in Northern California, claims LinkedIn failed to “properly safeguard its users’ digitally stored personally identifiable information, including e-mail addresses, passwords, and login credentials.”
The plaintiff in the e-filed court document is Katie Szpyrka, a senior associate at a Chicago real estate firm. She has been a LinkedIn member since 2010, and also paid for an upgraded premium account. She claims that LinkedIn failed to adequately protect users with “basic industry standard encryption methods.” By this, the plaintiff means LinkedIn should have been salting its password hashes. These claims are made in light of LinkedIn’s privacy policy, which states that “All information that you provide will be protected with industry standard protocols and technology.”
While salting and re-hashing passwords certainly is a good security practice, it will be interesting to see if the plaintiff’s lawyers can manage to demonstrate that it is an industry standard. The fact that both eHarmony and Last.fm were also included in the password leak would seem to be evidence that salting passwords before hashing is not “standard,” even if it should be.
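To make concrete what “salting passwords before hashing” changes, here is an added example (not code from the article, LinkedIn, or the court filing) that stores the same two sample passwords first as plain SHA-1 (the unsalted scheme at issue in the leak) and then as a per-user salted, iterated PBKDF2 hash. The user names, passwords and iteration count are constructed for illustration. The unsalted store reveals that two users share a password and lets a single precomputed table match every account at once; the salted store gives every user a distinct hash, so each one has to be attacked separately.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data: two users who happen to pick the same password.
SAMPLE_USERS = {
    "alice@example.com": "linkedin2012",
    "bob@example.com": "linkedin2012",
}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the unsalted scheme the leaked hashes used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    Returns 'iterations$salt_hex$digest_hex' so the verifier can recover
    the parameters. A fresh random 16-byte salt is drawn when none is given.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def group_by_unsalted_hash(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts whose unsalted hashes collide.

    With no salt, identical passwords produce identical hashes, so a leaked
    table exposes password reuse directly and one lookup covers all accounts.
    """
    groups: Dict[str, List[str]] = {}
    for user, password in users.items():
        groups.setdefault(unsalted_sha1(password), []).append(user)
    return groups


def store_salted(users: Dict[str, str]) -> Dict[str, str]:
    """Hash every account with its own random salt; no two entries collide."""
    return {user: hash_password(password) for user, password in users.items()}


def demo() -> None:
    print("Unsalted SHA-1 groups (shared hash => shared password):")
    for digest, members in group_by_unsalted_hash(SAMPLE_USERS).items():
        print(f"  {digest}  {members}")
    print("Salted PBKDF2 store (every entry distinct):")
    salted = store_salted(SAMPLE_USERS)
    for user, stored in salted.items():
        print(f"  {user}: {stored[:40]}...")
    print("verify alice:", verify_password("linkedin2012", salted["alice@example.com"]))
    print("verify wrong:", verify_password("LinkedIn2012", salted["alice@example.com"]))


if __name__ == "__main__":
    demo()
```

Running the block prints one SHA-1 group containing both sample users, followed by two different salted records and a successful verification for the correct password only. The salt is stored in the clear next to the hash; its job is to make precomputation useless, not to stay secret, which is why the iteration count matters as well.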
One interesting claim made in the lawsuit is that the password hashes were originally stolen from LinkedIn by a hacker using an SQL injection attack. LinkedIn has never officially stated how the passwords were originally leaked. If LinkedIn did leave itself open to SQL injection, it might be a far more likely way to prove that LinkedIn did not live up to its policy standards, and therefore was in breach of contract. Still, LinkedIn maintains that no unauthorized access resulted from the leak, meaning that an award for damages seems unlikely. The lawsuit, though, also asks for an injunction against LinkedIn, forcing it to better protect its members’ private data.
The court document can be read as a PDF on the Courthouse News website. The entire debacle started on June 6, when it was discovered that over 6.4 million LinkedIn passwords were leaked to a hash cracking website. LinkedIn responded that same day by deactivating member accounts associated with the leaked passwords and emailing members with information on how to reset their passwords. In the following week it was revealed that some of the leaked passwords also belonged to Last.fm and eHarmony.
(via Courthouse News)