Linkedin sued by Member for Hacking Incident
Illinois resident Katie Szpyrka filed a $5 million class action lawsuit against LinkedIn in the US District Court in the Northern District of California on June 15, claiming the business-oriented social networking site violated its own user agreement and privacy policy.
The move comes in relation to a security breach around June 6 when LinkedIn admitted that encrypted passwords belonging to some 6.5 million of its 160 million users had been stolen and posted on the web.
The incident resulted in hackers posting users' information online but it is not yet clear how much data they obtained. Szpyrka, who pays a monthly fee of $26.95 for a premium LinkedIn account, says the networking site used an alarmingly weak encryption format whereby it failed to 'salt' the passwords before storing them.
The suit alleges that LinkedIn failed to adequately protect members because it stored passwords in an unsalted SHA hashed format, which Szpryka contends is an outdated hashing function first published in 1995 by the National Security Agency. By storing passwords in hashed format without first salting them runs afoul of conventional data protection methods and poses significant risks to the integrity of users' sensitive data, the suit says.
LinkedIn posted the following statement: "We have recently learned that a class action lawsuit has been filed against the company related to the theft of hashed LinkedIn member passwords that were published on an unauthorized website. No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."
