LinkedIn has been served with a potential $5 million class-action lawsuit on behalf of all users that charges the company with failing to use “basic industry standard” security practices.
The suit ties that alleged failure to the massive June 6 leak that saw millions of LinkedIn passwords posted online and subsequently cracked within hours.
According to court documents, the plaintiff, Illinois resident Katie Szpyrka, has been a registered LinkedIn user since 2010 and a premium member since late 2010 – in other words, she was forking out money for LinkedIn’s services.
The suit, filed on Monday, seeks certification as a class-action lawsuit on behalf of all LinkedIn users.
The lawsuit charges LinkedIn with failing to meet its contractual obligations to protect users’ sensitive personally identifiable information (PII).
From the filing:
"LinkedIn digitally stores millions of users' PII in a large-scale commercial database on its servers, and promises through its Privacy Policy that it uses 'industry standard protocols and technology' to protect such PII."
"However, and despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilize basic industry standard encryption methods. In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format."
A salt is a random value, generated separately for each user, that is combined with the password before it is cryptographically hashed. Because every user's salt is different, two users with the same password end up with different stored hashes, and an attacker can no longer precompute a single table of hashes for common passwords (a rainbow table or hashed dictionary) and look up every leaked hash in it at once. Salting does not make a weak password strong, but it forces the attacker to do the guessing work separately for every account.
The problem is twofold, the suit continues. First, SHA-1 is outdated: it was designed by the National Security Agency and published by NIST as a federal standard in 1995. (Age is the less important point here. The practical weakness of SHA-1 for password storage is that it is a fast general-purpose hash, so an attacker with a leaked hash list can test hundreds of millions of guesses per second on commodity hardware.)
On top of that, storing users’ passwords in hashed format without first salting them “runs afoul of conventional data protection methods, and poses significant risks to the integrity [of] users’ sensitive data,” as the suit states.
Salting is just the bare minimum level of protection LinkedIn should have used, the suit claims.
More common standard practice, it states, is to salt passwords before inputting them into a hash function, to then salt the resulting hash value, to run that hash value through a hashing function, and to store the final value on a separate, secure server, apart from any other user information. That layered recipe is the filing's own characterisation; the accepted practice among security engineers is a per-user random salt combined with a deliberately slow, iterated password hash such as bcrypt, scrypt or PBKDF2, so that each guess costs the attacker real work.
By failing to use such practices, LinkedIn “drastically exacerbated the consequences of a hacker bypassing its outer layer of security,” the suit states, and thereby violated its Privacy Policy’s promise to comply with industry-standard protocols and technology for data security.
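To make the difference concrete, here is an added illustration (not code from the filing, from LinkedIn, or from the original article) of why unsalted SHA-1 is so easy to crack and what a salted, slow hash changes. The user accounts and the attacker's word list are constructed sample data; PBKDF2 is used as the slow hash because it ships with the Python standard library, and the iteration count is a parameter so the example runs quickly.

```python
import hashlib
import hmac
import os

# Constructed sample data: a small "leaked" user base in which two users chose
# the same weak password, and a short attacker dictionary.
USERS = {"alice": "password1", "bob": "letmein", "carol": "password1"}
DICTIONARY = ["123456", "password", "password1", "letmein", "linkedin"]


def unsalted_sha1(password: str) -> str:
    """Store a password the way the suit says LinkedIn did: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes: dict) -> dict:
    """Precompute the dictionary ONCE, then crack every user with a table lookup.

    The cost is len(DICTIONARY) hash calls no matter how many users leaked, and
    identical passwords are exposed as identical hashes before any cracking.
    """
    table = {unsalted_sha1(word): word for word in DICTIONARY}
    return {user: table.get(h) for user, h in leaked_hashes.items()}


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_salted(records: dict):
    """Precomputation is useless here: every user has a different salt, so the
    attacker must run the slow KDF once per (user, guess) pair. Returns the
    cracked passwords and the number of KDF calls it took."""
    results, kdf_calls = {}, 0
    for user, record in records.items():
        results[user] = None
        for word in DICTIONARY:
            kdf_calls += 1
            if verify_salted(record, word):
                results[user] = word
                break
    return results, kdf_calls


if __name__ == "__main__":
    leaked = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("alice and carol share a hash:", leaked["alice"] == leaked["carol"])
    print("unsalted cracked:", crack_unsalted(leaked))

    salted = {u: make_salted_record(p, iterations=1000) for u, p in USERS.items()}
    print("alice and carol share a hash:", salted["alice"]["hash"] == salted["carol"]["hash"])
    print("salted cracked:", crack_salted(salted))
```

Note what the salted version does and does not buy you: the weak passwords are still recovered, because they are in the attacker's dictionary, but the attacker pays a full KDF run for every guess against every account instead of one cheap lookup, and the leak no longer reveals which users share a password.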
To make matters worse, LinkedIn was allegedly breached via SQL injection – one of the lowest-hanging fruits on the vulnerability tree. (To the best of my knowledge, LinkedIn has never confirmed how it was breached – but there have been widespread suggestions that it was via SQL injection).
In fact, the National Institute of Standards and Technology (NIST) provides basic network security checklists that enumerate ways to avoid getting hacked by SQL injection, the suit points out.
On top of that, injection flaws, of which SQL injection is the best-known form, sit at No. 1 on the OWASP Top Ten list of the most critical web application security risks.
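Since the article says LinkedIn never confirmed its attack vector, the following is not a reconstruction of the breach; it is an added example of the vulnerability class itself, showing a login query built by string concatenation next to the parameterised query that fixes it. The table, the one user row and the hash value are constructed for the demo, and SQLite is used because it needs no server.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema: one user with a placeholder password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice@example.com', 'deadbeef')")
    return conn


def login_vulnerable(conn, email: str, pw_hash: str):
    """Attacker-controlled input is pasted straight into the SQL text, so a
    quote in the email field ends the string literal and the rest of the
    input becomes SQL. The `--` comments out the password check entirely."""
    sql = f"SELECT email FROM users WHERE email = '{email}' AND pw_hash = '{pw_hash}'"
    return conn.execute(sql).fetchone()


def login_parameterized(conn, email: str, pw_hash: str):
    """Placeholders keep data and code apart: the driver passes the values to
    the engine separately, so a quote in the input is just a quote."""
    sql = "SELECT email FROM users WHERE email = ? AND pw_hash = ?"
    return conn.execute(sql, (email, pw_hash)).fetchone()


# Two constructed payloads: one bypasses the password check, the other pulls
# the stored hash out through the email column with a UNION.
BYPASS = "alice@example.com' --"
EXFIL = "' UNION SELECT pw_hash FROM users --"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, bypass:", login_vulnerable(conn, BYPASS, "wrong"))
    print("vulnerable, exfil: ", login_vulnerable(conn, EXFIL, "x"))
    print("parameterized, bypass:", login_parameterized(conn, BYPASS, "wrong"))
    print("parameterized, exfil: ", login_parameterized(conn, EXFIL, "x"))
```

The second payload is the one that matters for a story like this one: an injection in any query that touches the users table is enough to walk the whole password-hash column out of the database, which is exactly why the strength of the stored hash is the last line of defence rather than an optional extra.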
In an email to IDG News Service, LinkedIn spokeswoman Erin O’Harra called the suit “without merit” and said the company would defend itself “vigorously.”
Computerworld quotes O’Harra’s email as continuing in this vein:
"No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation."
Is it just bravado on LinkedIn’s part?
The suit mentions previous litigation filed by the Federal Trade Commission against various corporations that claimed to secure their customers’ data while remaining vulnerable to SQL injection – notably, a 2003 complaint filed against the Guess? clothing company.
The suit sure does seem to have merit, given that precedent and LinkedIn's sorry security practices.
On top of adopting better security processes, I’d hazard a guess that LinkedIn has its work cut out for it when it comes to defending itself in court over this incident.
So if the suit is filed for all LinkedIn users and they win the court case, how will the 5 million dollars get distributed…
You mean you didn't receive the e-mail asking you to pay the award administration fee by Western Union transfer??? (Check the spam box.)
There's a WikiHow for that! http://www.wikihow.com/Take-Part-in-a-Class-Actio…
If you really are interested, I'd contact the lawyer in the case. You can find that in the court documents (link is in the article).
The difficulties LinkedIn is facing point to a common fallacy in management relating to IT security. Most companies seem only interested in "World-Class Security Experts" when in reality, most of security is mundane things like making sure the default passwords are changed and that the SQL servers are patched.
If the suit is meritless…then why did I receive an email directly from LinkedIn telling me they believed my account password was among others that were compromised and that I needed to change it? Litigation of course.
LinkedIn also had a strange way of having us create a new password, as they said they deactivated the old one. -0- security to input the new password and to access to do that…I only needed to do this (their instructions):
1. Type www.linkedin.com/settings directly into your browser
2. Type in your email address and press Sign In, no password necessary
3. Follow the on-screen directions to reset your password
So unless they first hired a computer forensics lab to help them inspect the damage first making sure there wasn't compromise to the system any further than the passwords…
I wasn't using my account actively, so I cancelled it instead because of the ease of creating a new password and the ease of access to do it…no special security code to enter…nothing…seemed like 3rd graders giving professionals 1st grade advice… ; 0
This is a small factor but: Some IT teams feel if they know a majority of knowledge on something, they can do the bare minimum because they are trying to go against the law of averages ("well so many people like LinkedIn it won't get hacked!"). Why didn't they already do the security CORRECTLY? And it's a website, not some other type of industry, so there's no excuse. If you get attacked and have proper security in place, okay. But you have no ammunition to use in a debate if you say "Well we did have SOME security measures."
LinkedIn would have a major problem on security issues. Hopefully, no user will ever have to experience their accounts getting hacked.