LinkedIn hit with $5 million class action suit

An Illinois woman files a class action suit against LinkedIn claiming that violation of its own privacy policies and user agreements allowed hackers to steal 6.46 million passwords.
Written by John Fontana, Contributor

Updated June 20, 2012 at 3:04 pm PST with comment from LinkedIn

An Illinois woman who claims LinkedIn violated its own user agreement and privacy policy is spearheading a class action lawsuit against the business-networking site in wake of the recent loss to hackers of private data.

Katie Szpyrka, a registered LinkedIn account holder since 2010, claims the company "failed to properly safeguard its users' digitally stored personally identifiable information including email addresses, passwords, and login credentials."

Szpyrka, who filed the suit in United State District Court in the Northern District of California, is demanding a jury trial on grounds including breach of contract and negligence.

She says the users in the class action group include individuals and entities in the United States who had a LinkedIn account on or before June 6, 2012, including those who paid for an upgraded account.

Two weeks ago, LinkedIn reported that Russian hackers had stolen nearly 6.5 million passwords. Users, who are prone to reuse passwords across different web sites, were urged to change their passwords. With more than 150 million users, the password theft involved less than 5% of LinkedIn's user base.

"No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured," said Erin O'Harra, a public relations associate with LinkedIn. "Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."

In the suit, Szpyrka, who pays $26.95 per month for a premium LinkedIn account, says LinkedIn's privacy policy promises users that all the information they provide will be protected with industry standards and technology.

She says LinkedIn failed to comply with basic industry standards by using a weak encryption format. The company had encrypted passwords with a SHA-1 algorithm, but according to experts the fact the company neglected to "salt" the hash weakened the security.

The suit specifically points out that LinkedIn failed to salt the passwords before storing them. The salt adds a dimension to the hash that makes it more difficult to uncover the protected data.

The suit also references preliminary reports that said hackers used an SQL injection attack, which lets hackers access databases via a Web site.

SQL injection attacks have been one of the most common forms of attack dating back to 2007. The first attacks date back to 2005. The suit cites National Institute of Standards and Technology checklists as common guidance for avoiding SQL injection attacks.

The suit also faults LinkedIn for not publicizing the attack and says it only came to light after it was announced by third-parties. The suit claims the company later admitted it "was not handling user data in accordance with best practices."

The suit claims that damages are in excess of $5 million.

See also:

Editorial standards