LinkedIn wins dismissal of lawsuit over massive password breach
The court ruled that paying LinkedIn users were not promised better security than non-paying ones and are not entitled to damages
IDG News Service - Professional social networking service LinkedIn won the dismissal of a lawsuit seeking damages on behalf of premium users who had their log-in passwords exposed as a result of a security breach of the company's servers last year.
The data breach came to light at the beginning of June 2012, after hackers posted 6.5 million password hashes corresponding to LinkedIn accounts on an underground forum. More than 60% of those password hashes were later cracked by hackers.
The first complaint against LinkedIn was filed on Jun. 15, 2012, in the U.S. District Court for the Northern District of California by a Illinois resident and paid LinkedIn account owner named Katie Szpyrka.
An amended complaint was filed on Nov. 26, 2012 on behalf of Szpyrka and another premium LinkedIn user from Virginia named Khalilah Wright, as class representatives for all LinkedIn users who were affected by the breach. The lawsuit sought "injunctive and other equitable relief," as well as restitution and damages for the plaintiffs and members of the class.
"The problem with this practice is two-fold," the complaint said. "First, SHA-1 is an outdated hashing function, first published by the National Security Agency in 1995. Secondly, storing users' passwords in hashed format without first 'salting' the password runs afoul of conventional data protection methods, and poses significant risks to the integrity of users' sensitive data."
Password hashing is a form of one-way encryption. A password hash is an unique cryptographic representation of a plaintext password, but unlike ciphertext generated with a two-way encryption function, hashes are not meant to be decrypted. When users log in and input their password, the password is hashed on the fly and the resulting hash is matched against the one already stored in the database for that user.
Older hash functions like SHA-1 are fast and efficient, but are also vulnerable to brute force attacks. Because of this, it is common practice to append a unique and random string to each password before hashing it. This is known as 'salting' and makes password hash cracking much more difficult.
The complaint maintained that if Szpyrka and Wright had known that LinkedIn used substandard encryption they wouldn't have paid for premium LinkedIn accounts which cost between $19.95 and $99.95 per month depending on subscription type.
- Six Ways Your Small Business Can Save with Internet Phone Service Traditional phone systems present two main problems for businesses: limited features and high costs. As a result, small businesses are migrating to Internet...
- Face Time Anytime Real-time communications facilitates team collaboration from nearly anywhere in the world. With facts and figures you can use to justify an investment
- Now is the time to implement a video conference solution Video conferencing is getting a lot of buzz lately due to the recent cost decrease, making it tangible for many law firms. It's...
- Video drives engagement Achieving maximum results means building a solid platform and network infrastructure. As digital age unfolds, it's clear that the ability to communicate effectively...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Web Apps White Papers | Webcasts