LinkedIn Password Breach: 9 Facts Key To Lawsuit

Published: 22/11/2024   Category: security




LinkedIn's privacy policy promised users "industry standard protocols and technology," but a class action lawsuit claims LinkedIn failed to deliver. Take a closer look at the security issues.



Did LinkedIn fail to follow industry standard information security practices? That's the charge leveled against the business-oriented social networking site in a class action lawsuit filed last week in U.S. District Court.
Interestingly, the lawsuit doesn't reference any existing U.S. regulation or law that would have required LinkedIn to meet industry standards for security. Instead, the lawsuit points to LinkedIn's privacy policy, which promises users that the personal information "you provide will be secured in accordance with industry standards and technology." Another part of that policy likewise promises to use "industry standard protocols and technology."
With that in mind, here are nine facts related to LinkedIn and the question of industry standard security practices:
1. Breach Facts Remain Scarce
Here's what's known about the breach: hashes for 6.5 million LinkedIn users' passwords were uploaded to a hacking forum earlier this month by a hacker who requested help with cracking them. Interestingly, no easy passwords appeared to be part of the upload, and there were no duplicates, suggesting that the attacker had already cracked the easy ones and edited them out of the list of uploaded hashes. Because the hashes were unsalted, every user who chose the same password produced the same hash, so a list with no duplicates is a list of distinct passwords rather than of accounts, and the number of affected accounts must be larger than the number of hashes posted.
In light of those facts, Tal Be'ery, the Web security research team leader at Imperva's Application Defense Center, thinks that the number of breached accounts is at least 10 million.
2. Don't Expect Class Action Lawsuit To Succeed
But did LinkedIn's customers suffer damages due to the data breach? Furthermore, can consumers sue a private business based on its privacy policy--which is policed by the Federal Trade Commission--and on questions of whether industry standard protocols were used? "I think it might be a difficult legal case," said Sean Sullivan, security advisor at F-Secure Labs. "In the court of public opinion? It's a different story."
3. Data Breaches Can Be Difficult To Detect
At this point, LinkedIn has yet to provide any details about how many accounts were affected, or how the attacker managed to grab a password database--or databases--containing information on millions of accounts. It appears that LinkedIn didn't know that it had been hacked until the passwords showed up on the password-cracking forum. That's led to charges that LinkedIn's security practices weren't sufficiently robust. For comparison's sake, however, FBI officials have said that in the course of cybercrime investigations, they often turn up evidence that businesses have been breached, but remained unaware of that breach until the bureau informed them.
4. Standard Security Approaches Are Often Weak
Of course, what that suggests is that many businesses' "standard" approaches to information security involve poor standards. What is often lacking are specific processes for avoiding and dealing with data breaches, although a recent study did find that businesses in the United States are getting better at handling breaches.
5. No Business Is 100% Breach-Proof
Even with the most advanced security program, however, experts say that data breaches should always be treated as a "when, not if" proposition. "If an adversary wants to get into your network, they're going to do it--it doesn't matter how much technology you use. Eventually you're going to lose," said Jerry Johnson, CIO at Pacific Northwest National Laboratory, speaking via phone. Of course, the LinkedIn breach could also have been caused by a trusted insider, against which many security defenses simply wouldn't work.
6. Password Best Practice: Salt
Of the information currently available about the LinkedIn security breach, one notable fact is that the business didn't salt its password hashes. "Salting password hashes has been good practice for 20 years or more. LinkedIn wasn't salting its password hashes. As a result, in my opinion, LinkedIn failed to meet minimal standards that users would expect them to follow to secure their information," said Graham Cluley, senior technology consultant at Sophos, via email.
"Of course, that doesn't mean that LinkedIn are the only ones who are failing to reach such a minimal standard. My expectation is that there are many other websites out there making similar mistakes--but we just don't know about them," said Cluley. Notably, two password breaches that came to light the same week as the LinkedIn breach, involving eHarmony and Last.fm, likewise revealed that neither site had salted its passwords.
7. Security: Where To Find Standards
Failing to salt passwords suggests a more widespread lack of effective security practices, and there are a number of not just standard practices, but actual standards that all businesses should be pursuing. "In particular, the OWASP Top 10 are commonly seen as industry standard, and referred to in other standards like PCI," said Johannes Ullrich, chief research officer at SANS Institute, via email. For example, here's what the OWASP Top 10 section on insecure cryptographic storage has to say about passwords: "Ensure passwords are hashed with a strong standard algorithm and an appropriate salt is used." The two halves of that sentence do different jobs: a salt makes identical passwords hash to different values and defeats precomputed lookup tables, while a deliberately slow algorithm such as bcrypt or PBKDF2 is what makes each individual guess expensive. A salted but fast hash still falls to brute force; an unsalted one falls to a single pass over a wordlist.
Ullrich also pointed to the Common Weakness Enumeration (CWE) system, which is billed as a "community-developed dictionary of software weakness types," and which specifically calls out the use of a one-way hash without a salt as one of the top 25 most dangerous software errors.
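To make the difference between what leaked and what OWASP asks for concrete, here is an added example in Python that is not part of the original article and not LinkedIn's code. It puts the unsalted SHA-1 scheme behind the leaked hashes (point 6) beside a salted, iterated hash of the kind OWASP recommends (point 7), attacks both with the same wordlist, and shows why the "no duplicates" observation in point 1 follows directly from the missing salt. The users, the wordlist, the `iterations$salt$hash` storage format and the PBKDF2 work factor are all assumptions constructed for the demonstration:

```python
"""Unsalted SHA-1 (the scheme behind the leaked LinkedIn hashes) beside a salted,
iterated hash, with a small cracking demo for each. Added example, not code from
the article or from LinkedIn; users, wordlist, storage format and work factor are
constructed here for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and four users, two of whom
# picked the same password. Real cracking runs use wordlists of millions.
WORDLIST = ["123456", "password", "linkedin", "letmein", "Tr0ub4dor&3"]
USERS = {"alice": "password", "bob": "linkedin",
         "carol": "password", "dave": "correct horse battery staple"}

# Assumption: a single PBKDF2 work factor for the demo; in production tune it
# so one login costs a few hundred milliseconds on your own hardware.
PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one deterministic, fast hash per password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Hash the wordlist ONCE, then every leaked hash is a dictionary lookup.
    Cost is len(wordlist) hashes however many records leaked, and users who
    share a password share a hash, so one lookup cracks all of them."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def salted_hash(password: str, salt: bytes | None = None) -> str:
    """PBKDF2-HMAC-SHA256 over the password and a random 16-byte salt, stored
    as 'iterations$salt_hex$hash_hex' so the parameters travel with the record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iteration count; constant-time compare."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(leaked: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """No shared table is possible: every record needs its own pass over the
    wordlist at full PBKDF2 cost. Returns the cracked users and the number of
    PBKDF2 evaluations spent, for comparison with len(wordlist) above."""
    cracked, evaluations = {}, 0
    for user, stored in leaked.items():
        for word in wordlist:
            evaluations += 1
            if verify(word, stored):
                cracked[user] = word
                break
    return cracked, evaluations


def demo() -> dict:
    """Build both kinds of password store for USERS and attack each with WORDLIST."""
    unsalted_store = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted_store = {u: salted_hash(p) for u, p in USERS.items()}
    cracked_salted, evaluations = crack_salted(salted_store, WORDLIST)
    return {
        # alice and carol collide in the unsalted store but not in the salted one
        "unsalted_collision": unsalted_store["alice"] == unsalted_store["carol"],
        "salted_collision": salted_store["alice"] == salted_store["carol"],
        "cracked_unsalted": crack_unsalted(unsalted_store, WORDLIST),
        "unsalted_hashes_computed": len(WORDLIST),
        "cracked_salted": cracked_salted,
        "pbkdf2_evaluations": evaluations,
        "login_ok": verify("password", salted_store["alice"]),
        "login_bad": verify("Password", salted_store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same three weak passwords fall in both stores, but the cost profile is the point: the unsalted attack computes `len(WORDLIST)` SHA-1 hashes in total and then answers every record by lookup, while the salted attack has to spend a full PBKDF2 pass per record (`pbkdf2_evaluations` in the output). Multiply that per-record cost by 6.5 million records, and by a realistic wordlist, and the gap is what a salt plus a slow algorithm buys; the salt alone would only remove the shared table.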
8. Security Involves More Than Hashing
When it comes to LinkedIn, however, take the related password discussion with, yes, a grain of salt. "No salting is indeed a bad practice, but I think the whole hashing and salting discussion is missing the main point," said Imperva's Be'ery. "It's very natural to focus on it, as the only thing we know for a fact is that 6.5 million of LinkedIn's hashed passwords were leaked. It's like having a bank robbery that was discovered by finding the bills in circulation, and [having] the press discussing whether and how the bills should be marked, while the real question is: How was the bank robbed in the first place?"
Or as F-Secure's Sullivan said, when it comes to LinkedIn, "I'd be curious to know how the internal production systems were secured."
9. LinkedIn: Security Facts Still Outstanding
In other words, a few password facts aside, very big questions about LinkedIn's security practices have yet to be publicly detailed. "Hashing and salting, much like bill marking, is a secondary measure of protection," Be'ery said. "The main protection is supposed to keep the bad guys away from the data or the money."
"So the real question here is how the data was breached," he said. "Did LinkedIn use industry standard protocols and technology with respect to breach protection? Did they pen test their app? Did they use a Web application firewall? Did the hackers use some super new 0-day attack, or did they use some very common Web application attacks such as SQL injection or remote file inclusion?"
Until those questions get answered, expect discussions of LinkedIn's security to remain largely academic.
