LinkedIn wins dismissal of lawsuit over massive password breach
The court ruled that paying LinkedIn users were not promised better security than non-paying ones and are not entitled to damages
IDG News Service - Professional social networking service LinkedIn won the dismissal of a lawsuit seeking damages on behalf of premium users who had their log-in passwords exposed as a result of a security breach of the company's servers last year.
The data breach came to light at the beginning of June 2012, after hackers posted 6.5 million password hashes corresponding to LinkedIn accounts on an underground forum. More than 60% of those password hashes were later cracked by hackers.
The first complaint against LinkedIn was filed on Jun. 15, 2012, in the U.S. District Court for the Northern District of California by a Illinois resident and paid LinkedIn account owner named Katie Szpyrka.
An amended complaint was filed on Nov. 26, 2012 on behalf of Szpyrka and another premium LinkedIn user from Virginia named Khalilah Wright, as class representatives for all LinkedIn users who were affected by the breach. The lawsuit sought "injunctive and other equitable relief," as well as restitution and damages for the plaintiffs and members of the class.
"The problem with this practice is two-fold," the complaint said. "First, SHA-1 is an outdated hashing function, first published by the National Security Agency in 1995. Secondly, storing users' passwords in hashed format without first 'salting' the password runs afoul of conventional data protection methods, and poses significant risks to the integrity of users' sensitive data."
Password hashing is a form of one-way encryption. A password hash is an unique cryptographic representation of a plaintext password, but unlike ciphertext generated with a two-way encryption function, hashes are not meant to be decrypted. When users log in and input their password, the password is hashed on the fly and the resulting hash is matched against the one already stored in the database for that user.
Older hash functions like SHA-1 are fast and efficient, but are also vulnerable to brute force attacks. Because of this, it is common practice to append a unique and random string to each password before hashing it. This is known as 'salting' and makes password hash cracking much more difficult.
The complaint maintained that if Szpyrka and Wright had known that LinkedIn used substandard encryption they wouldn't have paid for premium LinkedIn accounts which cost between $19.95 and $99.95 per month depending on subscription type.
- How Network Connections Drive Web Application Performance Users around the globe, on all sorts of devices, expect Web applications to function as seamlessly as desktop applications. This paper discusses the...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- Leveraging Flash Storage to Accelerate Oracle Real Application Clusters Join this webinar to understand the latest solid-state storage trends, the specific applications driving solid-state storage deployments and the benefits of deploying the... All Web Apps White Papers | Webcasts