LinkedIn hit with $5 million class action suit

LinkedIn hit with $5 million class action suit

Summary: An Illinois woman files a class action suit against LinkedIn claiming that violation of its own privacy policies and user agreements allowed hackers to steal 6.46 million passwords.


Updated June 20, 2012 at 3:04 pm PST with comment from LinkedIn

An Illinois woman who claims LinkedIn violated its own user agreement and privacy policy is spearheading a class action lawsuit against the business-networking site in wake of the recent loss to hackers of private data.

Katie Szpyrka, a registered LinkedIn account holder since 2010, claims the company "failed to properly safeguard its users' digitally stored personally identifiable information including email addresses, passwords, and login credentials."

Szpyrka, who filed the suit in United State District Court in the Northern District of California, is demanding a jury trial on grounds including breach of contract and negligence.

She says the users in the class action group include individuals and entities in the United States who had a LinkedIn account on or before June 6, 2012, including those who paid for an upgraded account.

Two weeks ago, LinkedIn reported that Russian hackers had stolen nearly 6.5 million passwords. Users, who are prone to reuse passwords across different web sites, were urged to change their passwords. With more than 150 million users, the password theft involved less than 5% of LinkedIn's user base.

"No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured," said Erin O'Harra, a public relations associate with LinkedIn. "Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."

In the suit, Szpyrka, who pays $26.95 per month for a premium LinkedIn account, says LinkedIn's privacy policy promises users that all the information they provide will be protected with industry standards and technology.

She says LinkedIn failed to comply with basic industry standards by using a weak encryption format. The company had encrypted passwords with a SHA-1 algorithm, but according to experts the fact the company neglected to "salt" the hash weakened the security.

The suit specifically points out that LinkedIn failed to salt the passwords before storing them. The salt adds a dimension to the hash that makes it more difficult to uncover the protected data.

The suit also references preliminary reports that said hackers used an SQL injection attack, which lets hackers access databases via a Web site.

SQL injection attacks have been one of the most common forms of attack dating back to 2007. The first attacks date back to 2005. The suit cites National Institute of Standards and Technology checklists as common guidance for avoiding SQL injection attacks.

The suit also faults LinkedIn for not publicizing the attack and says it only came to light after it was announced by third-parties. The suit claims the company later admitted it "was not handling user data in accordance with best practices."

The suit claims that damages are in excess of $5 million.

See also:

Topic: Social Enterprise


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I dunno about this...

    I can't tell if this is worse than LinkedIn spamming everyone in every users contact list.
  • And the loss to her was what?

    Although her account information may have been leaked, is she an "interested party" that can demonstrate actual harm?

    This sounds like another spurious lawsuit with no actual loss.
    Your Non Advocate
    • She paid $26.95/month

      For that it's reasonable to expect your information to be kept private as necessary.

      Keep in mind it's only $5 million for a class action. That's less than $1 for each account compromised. It probably means she doesn't expect to get much more for herself than the cost of the fees she's paid them. If I were the CEO at LinkedIn I would jump at the chance to make this go away for only $5 million.
      Michael Kelly
      • Dont be surprised

        If you see LI jump at that chance.
      • Can she demonstrate harm?

        OK. She paid $26.95/month. What did she lose?

        Courts follow the "no harm, no foul" principal when awarding damages. Throughout the nation, courts have ruled that customers must show actual harm and damanges in order to successfully sue a company over a data breach. Courts have repeatedlyfound that a loss of personal information , in and of itself, is not harm.

        This is a nuisance lawsuit.
        Your Non Advocate
      • If you pay someone to do something and they fail to do it

        that is breach of contract. And breach of contract, by legal definition, harm done. And courts have repeatedly found that if someone received money for a contract and breached that contract that some or all of the monies paid can be awarded back to the payee.
        Michael Kelly
      • Almost

        One element of a contract is remuneration. However, it is insufficient to claim that remuneration was made, therefore the account must be secure. She paid for a service and consumed that service.

        Again, where is the harm?
        Your Non Advocate
      • From the article

        "LinkedIn???s privacy policy promises users that all the information they provide will be protected with industry standards and technology."

        That can and will be construed by the courts as a part of their paid services. All the plaintiff has to do is testify that she would never have signed up for a paid account unless she was promised and reasonably expected to receive what was included in the privacy policy. Courts do not look kindly to companies that make fraudulent statements to woo paying customers.
        Michael Kelly
      • "Space Age Materials" = "Plastic"

        Linkedin can contend that they did use industry standards. Just like any company that sells a plastic product can state that they are using "Space Age Materials".
        Your Non Advocate
      • A breach of contract does not automatically equate to harm done.

        @Michael Kelly:

        [i]And breach of contract, by legal definition, harm done.[/i]

        There's a good example in the Wiki page for Breach of Contract.
      • Not at all.

        @Michael Kelly:

        [i]That can and will be construed by the courts as a part of their paid services.[/i]

        Because the privacy policy covers all accounts. Paid and free.
  • Waste of court's time, money hungry

    Like a previous post, "and she lost what?" The worst could happen is someone could hire her by mistake...the simple thing the rest of us have figured out is 'go change your passwrod'...duh!! If we were talkin her bank, eh, maybe...but LinkedIn? C'mon. Too much time on her hands.
    • talking about Oracle/Apple/Microsoft?

  • This involves much more than 5 %

    The passwords were unsalted, and only unique password-hashes included in the list. Check any comon password - it's there. So if 10.000 people chose "superman" as their password - they would only count as one of the 6,5 mill hashes published.

    Furthermore - afaik, Linkedin has not explained how the breach happened. If they still don't know, then it might happen again. And, they cannot know if more passwords were leaked, but only a part was published. I haven't done the math, but it's plain to see this is bigger than 6,5 %. I wish Linkedin could tell us - but they keep playing this down, saying other login-information was not published. What are the odds the hackers don't have this information?
    • Yes, MUCH more, and lightly salting may not be enough

      Analyzing 33,016,915 passwords in publicly released "stolen" password databases, only about a third were unique (36.8%), the other 63.2% were passwords used by multiple people / accounts. 8,366,706 where shared across 100 or more accounts! Here are the top 25 in the database I have:

      123456, 12345, 123456789, password, iloveyou, princess, 1234567, rockyou, 12345678, abc123, nicole, daniel, babygirl, monkey, lovely, jessica, 654321, michael, ashley, qwerty, 111111, iloveu, 000000, michelle, tigger

      Also, almost all salts are implemented poorly. If you place the salt on the web server, and it is compromised, it's the same as not having a salt at all (salting takes about 0.001 seconds more per password on my laptop). Better practice is to have the password hashes not readable by the web site at all. Have the web server hash the password (salted better than not), and ask the database, usually through a function if it's the right password. The DB then hashes the hash with it's own secret salt to which the web server does not have access, and compare it to the existing salted-hashed-salted-hashed password hash. Confused yet? That's part of the point, but it's neither rocket science nor that difficult to implement - used to take me an average of 2 hours on a well designed web service to implement this.

      Now if someone compromises your web server, which happens all the time, they have nothing -- at least as far as passwords. If they compromise your DB, which is of course on a different server behind a firewall and which therefore should never happen, they still have no passwords. Only if they compromise both do you have a problem. Not bullet proof, but compared to every single setup I have seen to date (and I've seen many) infinitely better.

      So when will companies start relying on people who know what they are doing to make sure they don't get flogged?
      Mr. Copro Encephalic to You
      • Finally!!!

  • Cite not site

    The suit cites National Institute of Standards and Technology checklists as common guidance for avoiding SQL injection attacks.
    • Cite not site

      thanks for the edit; fixed.
  • Make your dream come true

    my neighbor's mother made $16059 last week. she is working on the computer and got a $509600 home. All she did was get blessed and follow the information shown on this site
  • Planning for Security

    The article underscores the breach fallout that CIOs must factor in when cutting corners on security ??? but typically don???t. It???s not just fines as many believe, but class-action lawsuits such as this one, costs of forensics and remediation (unbudgeted consultants and technology investments), and brand damage including stock value hits for public companies. Encryption and password management best practices could have prevented the LinkedIn breach; hindsight is 20/20 ??? it???s time for CIOs to implement security up-front.