LinkedIn Security Breach Triggers $5 Million Lawsuit

Published : 22/11/2024   Category : security




Class action lawsuit alleges that the social network failed to protect users' data and didn't use industry standard protocols and technology.



LinkedIn is facing a $5 million class-action lawsuit over its information security practices, in response to an attacker who apparently obtained millions of the social network's users' passwords. That breach came to light earlier this month, after a hacker posted 8 million hashed passwords to a password-cracking forum on the InsidePro website. While 6.5 million of those passwords appeared to be from LinkedIn, another 1.5 million were traced to dating website eHarmony.
The complaint against LinkedIn was filed Monday in U.S. District Court in the Northern District of California for plaintiff Katie Szpyrka, a Chicago-based associate at a real estate firm, by the law firm of Edelson McGuire. According to court documents, Szpyrka registered with LinkedIn in late 2010, and paid extra--lately, $26.95 per month--to upgrade to a premium LinkedIn account. Currently, however, her LinkedIn profile lists zero connections.
[ CloudFlare breach shows that companies need to pay attention to how their security systems are locked down. Read Attackers Turn Password Recovery Into Back Door. ]
The lawsuit frames the case against LinkedIn as a question of whether the company's security practices were adequate to protect its customers' personally identifiable information (PII), as the company had promised to do. "Through its Privacy Policy, LinkedIn promises its users that all information that [they] provide [to LinkedIn] will be protected with industry standard protocols and technology," reads the lawsuit. "In direct contradiction to this promise, LinkedIn failed to comply with basic industry standards by maintaining millions of users' PII in its servers' databases in a weak encryption format, and without implementing other crucial security measures."
The lawsuit suggests that LinkedIn employed a troubling lack of security measures, evidenced by its reportedly being exploited via a SQL injection attack, as well as for failing to salt its passwords. "Industry standards require at least the additional process of adding salt to a password before running it through a hashing function--a process whereby random values are combined with a password before the text is input into a hashing function. This procedure drastically increases the difficulty of deciphering the resulting encrypted password," read the lawsuit.
LinkedIn, which has been defending its security practices and leadership since the breach, Wednesday said that it was aware of the lawsuit. "We have recently learned that a class action lawsuit has been filed against the company related to the theft of hashed LinkedIn member passwords that were published on an unauthorized website," said Darain Faraz, a communications manager at LinkedIn, via email.
Expect LinkedIn to fight the lawsuit. "No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured," said Faraz. "Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."
What of the allegations leveled against LinkedIn in the class action lawsuit? "You knew it was coming," reported legal news blog LawyersandSettlements.com about the LinkedIn lawsuit. "Close to 6.5 million passwords get leaked and you know no one's gonna sit quietly and think all's well that ends well. Uh-uh."
Did LinkedIn put every information security process into place that it had promised users? According to the lawsuit, the fact that LinkedIn did not recognize its databases had been compromised until it was informed through public channels provides further evidence that the company didn't adhere to industry standards. But that point is open to debate. Notably, the FBI has said that its investigations often find evidence that businesses have been breached, and that the businesses are unaware until the bureau gives them a heads-up.
Security experts recommend not just salting passwords but also hashing them with a purpose-built password-hashing algorithm rather than SHA1, the general-purpose cryptographic hash employed by LinkedIn. But while that's what experts recommend, it's far from standard practice. For example, eHarmony and Last.fm, which were breached by the same attacker that hit LinkedIn, likewise used SHA1 and no salt.
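To make the complaint's point about salting, and the experts' point about using a dedicated password-hashing algorithm instead of bare SHA1, concrete, here is an added Python example; it is not code from the article or from LinkedIn, and the account names, passwords, iteration count and record format are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample (not real member data): two accounts that chose the same password.
SAMPLE_ACCOUNTS = {"alice": "Summer2012!", "bob": "Summer2012!"}


def sha1_unsalted(password: str) -> str:
    """The scheme the article attributes to LinkedIn: one plain SHA1 per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """The minimum the complaint calls industry standard: a per-user random salt
    is combined with the password before it goes through the hash function."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_unsalted_store(accounts: dict) -> dict:
    return {user: sha1_unsalted(pw) for user, pw in accounts.items()}


def make_salted_store(accounts: dict) -> dict:
    return {user: sha1_salted(pw, os.urandom(16)) for user, pw in accounts.items()}


def duplicate_hash_count(store: dict) -> int:
    """Number of stored hashes identical to another user's. Without salt, every
    shared password is visible as a duplicate, so one recovered value exposes all
    accounts using it; with per-user salts the stored values no longer match."""
    hashes = list(store.values())
    return len(hashes) - len(set(hashes))


def pbkdf2_record(password: str, iterations: int = 600_000) -> str:
    """What experts recommend over bare SHA1: a salted, deliberately slow password
    hash. Record layout is an assumption of this example: iterations$salt$hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Running `duplicate_hash_count` over the two stores shows the difference the complaint describes: the unsalted store reveals that alice and bob share a password, the salted one does not.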
LinkedIn is far from the first company to be on the receiving end of a lawsuit over alleged deficiencies in its information security practices. In a high-profile case, Sony in April 2011 was hit with a class action lawsuit for a security breach that came to light that month, which exposed personal information for up to 77 million customers of Sony's PlayStation Network (PSN).
After that class action lawsuit, Sony in September 2011 crafted a novel legal response: altering its PSN terms of service to prohibit users from filing class-action lawsuits against the company, The Register reported. "Any dispute resolution proceedings, whether in arbitration or court, will be conducted only on an individual basis and not in a class or representative action or as a named or unnamed member in a class, consolidated, representative or private attorney legal action," reads Sony's revised terms of service, to which all users had to agree before being allowed to use PSN.
More and more organizations are considering development of an in-house threat intelligence program, dedicating staff and other resources to deep inspection and correlation of network and application data and activity. In our Threat Intelligence: What You Really Need to Know report, we examine the drivers for implementing an in-house threat intelligence program, the issues around staffing and costs, and the tools necessary to do the job effectively. (Free registration required.)
