LinkedIn Security Breach Triggers $5 Million Lawsuit

LinkedIn is facing a $5 million class-action lawsuit over its information security practices, in response to an attacker who apparently obtained millions of the social network users' passwords.

That breach came to light earlier this month, after a hacker posted 8 million hashed passwords to a password-cracking forum on the InsidePro website. While 6.5 million of those passwords appeared to be from LinkedIn, another 1.5 million were traced to dating website eHarmony.

The complaint against LinkedIn was filed Monday in U.S. District Court in the Northern District of California for plaintiff Katie Szpyrka, a Chicago-based associate at a real estate firm, by the law firm of Edelson McGuire. According to court documents, Szpyrka registered with LinkedIn in late 2010, and paid extra--lately, $26.95 per month--to upgrade to a "premium" LinkedIn account. Currently, however, her LinkedIn profile lists zero connections.

[ CloudFare breach shows that companies need to pay attention to how their security systems are locked down. Read Attackers Turn Password Recovery Into Back Door. ]

The lawsuit frames the case against LinkedIn as a question of whether the company's security practices were adequate to protect its customers' personally identifiable information (PII), as the company had promised to do. "Through its Privacy Policy, LinkedIn promises its users that 'all information that [they] provide [to LinkedIn] will be protected with industry standard protocols and technology,'" reads the lawsuit. "In direct contradiction to this promise, LinkedIn failed to comply with basic industry standards by maintaining millions of users' PII in its servers' databases in a weak encryption format, and without implementing other crucial security measures."

The lawsuit suggests that LinkedIn "employed a troubling lack of security measures" evidenced by its reportedly being exploited via a SQL injection attack, as well as for failing to salt its passwords. "Industry standards require at least the additional process of adding 'salt' to a password before running it through a hashing function--a process whereby random values are combined with a password before the text is input into a hashing function. This procedure drastically increases the difficulty of deciphering the resulting encrypted password," read the lawsuit.

LinkedIn, which has been defending its security practices and leadership since the breach, Wednesday said that it was aware of the lawsuit. "We have recently learned that a class action lawsuit has been filed against the company related to the theft of hashed LinkedIn member passwords that were published on an unauthorized website," said Darain Faraz, a communications manager at LinkedIn, via email.

Expect LinkedIn to fight the lawsuit. "No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured," said Faraz. "Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."

What of the allegations leveled against LinkedIn in the class action lawsuit? "You knew it was coming," reported legal news blog LawyersandSettlements.com about the LinkedIn lawsuit. "Close to 6.5 million passwords get leaked and you know no one's gonna sit quietly and think 'all's well that end's well.' Uh-uh."

Did LinkedIn put every information security process into place that it had promised users? According to the lawsuit, the fact "that LinkedIn did not recognize its databases had been compromised until it was informed through public channels provides further evidence that the company didn't adhere to industry standards." But that point is open to debate. Notably, the FBI has said that its investigations often find evidence that businesses have been breached, and that the businesses are unaware until the bureau gives them a heads-up.

Security experts recommend not just salting passwords but also using a password algorithm to encrypt them rather than SHA1, which was the cryptographic algorithm employed by LinkedIn. But while that's what experts recommend, it's far from standard practice. For example, eHarmony and Last.fm, which were breached by the same attacker that hit LinkedIn, likewise used SHA1 and no salt.

LinkedIn is far from the first company to be on the receiving end of a lawsuit over alleged deficiencies in its information security practices. In a high-profile case, Sony in April 2011 was hit with a class action lawsuit for a security breach that came to light that month, which exposed personal information for up to 77 million customers of Sony's PlayStation Network (PSN).

After that class action lawsuit, Sony in September 2011 crafted a novel legal response: altering its PSN terms of service to prohibit users from filing class-action lawsuits against the company, The Register reported. "Any dispute resolution proceedings, whether in arbitration or court, will be conducted only on an individual basis and not in a class or representative action or as a named or unnamed member in a class, consolidated, representative or private attorney legal action," reads Sony's revised terms of service, to which all users had to agree before being allowed to use PSN.

More and more organizations are considering development of an in-house threat intelligence program, dedicating staff and other resources to deep inspection and correlation of network and application data and activity. In our Threat Intelligence: What You Really Need to Know report, we examine the drivers for implementing an in-house threat intelligence program, the issues around staffing and costs, and the tools necessary to do the job effectively. (Free registration required.)