LinkedIn faces lawsuit over security breach

Posted by Emma Woollacott

An Illinois woman is launching a class action lawsuit against LinkedIn over the recent security breach which saw millions of passwords stolen.

The company was forced to admit two weeks ago that as many as six million passwords had been pinched and leaked online; the figure was later raised to eight million.

And, says lead plaintiff Katie Szpyrka, the breach occurred because LinkedIn failed to encrypt personal information such as email addresses and passwords, and stored them using an outdated hashing function.

Published right back in 1995 by the National Security Agency, the unsalted SHA1 hash format doesn't include 'salt', the assigning of random values to data before it's input to the hash function.

"LinkedIn's failure to comply with long standing industry standard encryption protocols jeopardized its users' PII, and diminished the value of the services provided by defendant - as guaranteed by its own contractual terms," reads the complaint.

"LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of security. In so doing, defendant violated its privacy policy's promise to comply with industry standard protocols and technology for data security."

LinkedIn claims that there's no evidence that the breach resulted in any harm to any of its members. The company says that the passwords weren't published with their corresponding logins, and that the vast majority remained hashed.

It says it does now salt passwords, and is promising further security enhancements.
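The difference between the unsalted SHA1 storage described in the complaint and salted storage, as an added example that is not from the article or from LinkedIn. The account names, passwords, the choice of PBKDF2-HMAC-SHA256 and its iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users who happen to pick the same password.
ACCOUNTS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "S3parate!"}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """The weak scheme: the stored digest depends only on the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str) -> tuple:
    """Hardened form: a fresh random salt per user plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_digests(table: dict) -> dict:
    """Group users by stored value; a group larger than one reveals a shared password."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {k: v for k, v in groups.items() if len(v) > 1}


def build_tables():
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    strong = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted duplicates:", list(shared_digests(weak).values()))
    print("salted duplicates:  ", list(shared_digests(strong).values()))
    salt, digest = strong["alice"]
    print("alice verifies:", verify(ACCOUNTS["alice"], salt, digest))
```

In the unsalted table, one recovered digest exposes every account that shares the password, and a single precomputed lookup applies to the whole dump; with per-user salts each record has to be attacked separately.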