LinkedIn Sued For $5 Million For Failing To Protect Passwords During Breach

A LinkedIn user has filed suit against the business for $5 million, claiming the networking site failed its members by not doing enough to protect the 6.5 million passwords that were leaked in a recent hack attack.

The lawsuit seeks class action status, and was filed by an Illinois woman who says LinkedIn royally messed up when it came to safeguarding its users’ passwords. The suit claims the business social network failed its privacy policy, which says it will protect its 160 million users’ passwords with industry-standard protocols and technology.

The lawsuit's central complaint is that LinkedIn protected passwords only by hashing them, without also salting them, the Los Angeles Times reports.

“Industry standards require at least the additional process of adding ‘salt’ to a password before running it through a hashing function,” the lawsuit claims. “This procedure drastically increases the difficulty of deciphering the resulting encrypted password.”

A LinkedIn spokeswoman says that none of its users’ accounts were breached as a result of the hack attack.

“Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation,” she said in an email statement. “We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior.”

After the attack, LinkedIn announced it would now be salting its users’ passwords.
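To show concretely what the lawsuit's hashing-versus-salting distinction means, here is an added illustration (not LinkedIn's code, and not from the article): a constructed three-user database stored once with plain hashes and once with per-user random salts. SHA-256, the 16-byte salt size and the sample passwords are assumptions; the point is that unsalted digests repeat across users who share a password and match a single precomputed table, while salted ones do not.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

def hash_unsalted(password: str) -> str:
    """Unsalted scheme: the digest depends on the password alone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted scheme: a random 16-byte per-user salt is prepended and stored
    alongside the digest (as hex) so it is available again at login time."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest

def verify_salted(password: str, salt_hex: str, stored_digest: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    _, digest = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, stored_digest)

# Constructed sample data: two users happened to pick the same password.
USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correcthorsebatterystaple"}
# Constructed one-time "precomputed table" of a few common passwords.
PRECOMPUTED = {hash_unsalted(p): p for p in ["password", "123456", "Summer2012"]}

def unsalted_store() -> Dict[str, str]:
    return {u: hash_unsalted(p) for u, p in USERS.items()}

def salted_store() -> Dict[str, Tuple[str, str]]:
    return {u: hash_salted(p) for u, p in USERS.items()}

def duplicate_digests(digests: List[str]) -> int:
    """Number of distinct digest values shared by more than one user."""
    counts: Dict[str, int] = {}
    for d in digests:
        counts[d] = counts.get(d, 0) + 1
    return sum(1 for c in counts.values() if c > 1)

def precomputed_hits(store) -> List[str]:
    """Users whose stored digest appears in the precomputed table. With a
    per-user salt the table would have to be rebuilt for every salt value."""
    hits = []
    for user, record in store.items():
        digest = record if isinstance(record, str) else record[1]
        if digest in PRECOMPUTED:
            hits.append(user)
    return hits
```

Salting alone does not slow down guessing against one account; current practice pairs a per-user salt with a deliberately slow password hash such as bcrypt or PBKDF2, which this SHA-256 illustration does not do.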

LinkedIn sued for $5 million for security breach [Chicago Tribune]

Comments


  1. IphtashuFitz says:

    > A LinkedIn spokeswoman says that none of its users’ accounts were breached as a result of the hack attack.

    And how would they know that? How do they know some guy in China hasn’t logged into my account just to see if the password worked so that they could then target other sites using my same email address & password combination? (Not that I use the same password anywhere else, but you can rest assured that a LOT of users do)

    • Costner says:

      They may perform IP checks… if someone has logged in from the same IP (or from a number of different IPs) and all of a sudden login requests are coming from China, it would be a red flag.

      They would also know if someone reported being locked out of their accounts etc. In truth, most of the time when we hear of password lists being “hacked” nothing ever comes of it.

    • who? says:

      The spokesman was probably being disingenuous. The attacker probably logged into a couple of accounts to see if they worked. However, what the attackers got was a list of usernames and hashed passwords. Even using the weaker unsalted hash, it would take time to decrypt the passwords. By the time a significant number were decrypted, LinkedIn had locked the accounts and forced users to reset their passwords.

      The damage to the LinkedIn site itself from an attack like this is pretty limited. Most accounts are not attached to credit cards, and if any credit cards were stolen, nobody has mentioned it. The problem is that people persist in using the same password on multiple websites. So once an attacker gets a list of passwords, they’ll try them on BofA, Citibank, etc, until they get a hit. Is that LinkedIn’s fault? Or is it the user’s fault, for reusing passwords?

      • FatLynn says:

        I think it’s both. The reason people reuse passwords so much is because every site requires a password, and they come up with ever-weirder requirements about length, special characters, and how often you have to change things. People simply can’t remember all that. It’s a mismatch between the industry standards and what a user can actually remember.

        I think there is an xkcd where they talk about how a password like “horsechocolatebigfeet” is better than one like “c7ali3!&^” in security, and easier to remember, but security “experts” keep pushing us toward the latter. Further, regularly changing a password does almost nothing to improve security.

        • WraithSama says:

          The xkcd comic mentioned the password “tr0ub4dor&3” has about 28 bits of entropy (a computer making 1000 guesses/sec would take about 3 days to figure out) and is hard for the user to remember, but “correcthorsebatterystaple” has about 44 bits of entropy (same computer would take 550 years to figure out) and is easy to remember.

          Comic found here: http://xkcd.com/936/

          • FatLynn says:

            Thank you. That sums it up completely for me. I worked at a company that had us change passwords every six weeks to comply with HIPAA, so of course everyone had post-its with their passwords on their computers.

          • ScottG says:

            That xkcd is great. Related to that, check out diceware passphrases: http://world.std.com/~reinhold/diceware.html You can generate some pretty strong, yet easy to remember phrases; and since they are just generic words you could somewhat safely write down the words (separately and inconspicuously) and still keep it fairly secure (obviously writing the full username and passphrase on a post-it and putting it under your keyboard is probably not going to be very secure).

        • who? says:

          Yeah, I use that particular xkcd in a class I teach. Agree completely about the ridiculousness of the whole password thing. I have a locked bin in my office, and the only reason it needs to be locked is because I have a list of passwords for random things I have to log into. I’m the computer security person, so if I got caught looking on the post-it under my keyboard to get a password, I’d either be laughed at or fired, depending on who caught me.

          The problem is, though, that until we go to something besides passwords, the password reuse problem is always going to be there. At work, I have a piece of paper in a locked bin. For my personal stuff, I have KeePass loaded onto a thumb drive.

  2. Costner says:

    Give me a break… $5,000,000? So how should users be compensated for a website they don’t even pay for?

    Let me guess… the person suing feels they were harmed to the tune of $100k, the lawyers who want it to be a class action will need $3.2M, and the remainder can be given to the 6.5M users who had their passwords stolen in the form of a coupon for future paid services.

    Jackpot Justice strikes again.

    • who? says:

      My reaction was that either 160M users were harmed in some substantial way, which means that $5M is way too low ($0.03 apiece?), or there wasn’t any significant harm, which means that $5M is way too high. But $5M seems to just be a number that someone picked out of thin air.

    • jrwn says:

      Not 100K, I’d settle for 50K

    • coffee100 says:

      The alternative of course being that websites can post blatant falsehoods in their privacy policies and print the personal details of every member on their front page with absolute impunity because well, what’s the real harm?

      Just another example of million-dollar executives up the fuck and never having to justify or explain themselves.

    • juniper says:

      Well, to be fair, there are many many users that DO pay for premium service on LinkedIn. It’s not cheap, either.

      • RvLeshrac says:

        When you say “Not cheap,” I think you’re being a little generous.

        LinkedIn’s prices are *INSANE*, unless you’re a marketer spamming people.

  3. Mit Long says:

    The absence of evidence indicating that accounts were breached does not necessarily mean that no accounts were breached.

    Logic!

  4. Lyn Torden says:

    BTW, the practice of salting passwords has been going on for at least 30 years. LinkedIn had plenty of opportunity to understand this practice.

    • nugatory says:

      I agree, but I don’t see it as a standard practice in the industry. I think it should be, but of all the companies I’ve consulted with, only really big companies do and not even all of them (Big > $1,000,000,000 revenue/year).

      • nishioka says:

        > I agree, but I don’t see it as a standard practice in the industry.

        That should be changed. That is why for all the hyperventilating people are doing about suing over a free service or about the amount of money involved or even who ends up getting the money, this will ultimately be a good thing.

        If a user can successfully extract 7 or 8 figures from a company for not being diligent enough about securing personal information, that will give other companies a reason to reflect on what they’re doing and make changes where changes are needed.

    • eyesack is the boss of the DEFAMATION ZONE says:

      Yep. It’s an industry standard. It’s not THE industry standard. There are probably thousands of vetted protocols and standards regarding authentication, so finding one standard that isn’t being used and treating it as the holy grail is BS.

      If you really want a scare, practically any website that has a short (under 12 characters) limit on password length is probably storing it as plain text. That seems to include a lot of banks, for some reason…

  5. axhandler1 says:

    “Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation.”

    I feel like this sentence could be applied to almost any situation that you can imagine. What a litigious society we have become, to the detriment of all.

  6. JGKojak says:

    There also has to be a deterrent effect. It’s not just the harm to the reputation and image of LinkedIn. There should also be some punitive damages. How about $100 per password lost?

  7. ZenListener says:

    I don’t care, I just want my free money.

  8. Loias supports harsher punishments against corporations says:

    “A LinkedIn spokeswoman says that none of its users’ accounts were breached as a result of the hack attack.”

    I do not believe that the law follows the “no harm, no foul” layman policy. They weren’t following the law, whether or not actual damage occurred.

    • longfeltwant says:

      Let me be the first to inform you that yes, in fact, “no harm no foul” is a foundational concept in tort law (civil lawsuits). To even have standing in court (“standing” means you are qualified to bring a suit), literally the first thing you must demonstrate is “INJURY”. No injury, no lawsuit; no harm, no foul.

      Learn more:

      http://en.wikipedia.org/wiki/Standing_(law)#United_States

      That said, “injury” can be widely interpreted. Plus, injury is not required for criminal law, nor for things like fines. The government can fine you for simply breaking a law. Still, in order to succeed in a lawsuit, you have to show a plausible injury.

  9. dolemite says:

    What makes LinkedIn any more special than Sony, Steam or anyone else that has had security breaches and lost passwords? Because it is “professional”? I think if this goes through, everyone that has lost passwords should be able to sue every company that has lost their info.

    • Loias supports harsher punishments against corporations says:

      Because LinkedIn didn’t even USE industry-standard security policies.

      Just because a company is hacked doesn’t make it lawsuit-worthy. The fact they got hacked using unacceptable business practices is why it is lawsuit-worthy.

      • who? says:

        In computer security, there’s little that passes for industry standards in a situation like this. There are standards for protecting credit card info, but since apparently no credit card info was leaked, it’s doubtful that those standards apply here. Banking, health care, and government all have legal compliance requirements that don’t really apply here, but the sad little secret is that there isn’t really much in the way of “industry standards” for website security. There are some best practices, but only a small number of companies actually follow those best practices in any sort of coherent and complete way, so I’m not sure they could really be called “standard”. I agree that LinkedIn screwed up and should have been doing a better job, but I doubt that they were doing anything worse than Sony or Steam. I can guarantee, given the type and magnitude of the Sony and Steam breaches, that there was some best practice that those companies weren’t following.

  10. Blueskylaw says:

    “LinkedIn Sued For $5 Million For Failing To Protect Passwords During Breach”

    In related news, a LinkedIn user claims that his profile was deleted as retaliation for filing the lawsuit. LinkedIn is investigating and promises to take it “seriously”.

  11. Rick Sphinx says:

    I doubt she can get anything, unless she has real dollar damages. It would be different if it was an Amazon.com account, and someone hacked into it, made purchases etc, and Amazon didn’t make her whole again, by refunding her money.

  12. ThinkingBrian says:

    I’ve had a LinkedIn account for a few years now, but even before the recent password/hack problem, I have been wondering if I should keep the LinkedIn account or simply delete it. I don’t find much in the line of value by using it despite the fact that I’m unemployed. And yes I was told to change my password just like many.

  13. humphrmi says:

    I think a lot more has been made about this than warranted. I do fault LinkedIn for lax security measures allowing the passwords to be captured. However if I understand the situation correctly, it was only the passwords, not the user IDs that were compromised. While that in and of itself is bad, it’s not “account compromised” bad… someone would still have to spend a LOT of time correlating the users with passwords, and if everyone changed their password after the leak, that would be impossible.

    Again, bad? Yes. Recoverable, without any loss? Yes.

  14. longfeltwant says:

    When you store personal information, you have a responsibility to store it securely. LinkedIn failed in their duty and should be held liable for damages.

    But, if there are no real damages, then none should be assessed.

    “Salting” is, in fact, an absolutely basic first-line-of-defense security measure. To fail to salt is an incredibly boneheaded oversight, one which rises to the level of negligence.

  15. gman863 says:

    I got talked into joining LinkedIn a few months ago for my small business.

    Even though some claim it’s a great way to do business networking, the more I see the more I get creeped out.

    God help you if you post any type of telephone number: It’s a red flag yelling “TELEMARKET ME”. Even though I’ve pulled my phone number off my profile, I’m still getting calls from shady sounding “business consultants” telling me about how (for a fee, of course) they can get me tens of thousands of bucks in “free” government money.

    It also appears they can automatically harvest saved e-mail addresses in my att.net e-mail account. This is the only possible way they would have known who my landlord/leasing agent is before suggesting I send them an invitation to join my friends list.

  16. matlock expressway says:

    Two passwords walk down a dark alley.

    One was a salted.

  17. JJFIII says:

    Here is the problem with this lawsuit. She is filing this as a breach of contract case. She must show two things, they breached, AND the associated damages caused by the breach. Her first hurdle will be to prove that the ONLY industry standard is salting. If every company other than LinkedIn uses salting, she has a case. My understanding is, not every company out there does this. Her second hurdle will be to prove damages. Let’s say this was not online. A person picks the lock on your door. He does not enter your home. Nothing is stolen. No third party enters your home and takes anything. You can say he picked your lock, but if nothing is stolen, and you have no financial loss, you are shit out of luck when it comes to damages.

    Finally, I am pretty sure there is no agency forcing you to join their site. The fact that she might use the same password in other places is really something SHE needs to deal with, not LinkedIn. In fact, “industry standards” say that people should not use the same password for all their accounts.