If you haven’t heard already, LinkedIn was recently hacked, leading to a massive data breach. This break in security has also led to a potential class-action lawsuit against the site alleging that it failed to meet “industry standard” security practices in connection with the breach.
At the beginning of June, LinkedIn users discovered that hackers had gained access to the site’s databases after 6.5 million LinkedIn password hashes were posted on an underground forum. The lawsuit was filed on June 18, 12 days after the breach, on behalf of a single subscriber to LinkedIn’s premium services. The suit is seeking certification as a class action on behalf of every LinkedIn user.
The suit itself claims that LinkedIn failed to use “long standing industry standard encryption protocols,” exposing the personally identifiable information of its users. In addition to that, LinkedIn engaged in deceptive practices, according to the suit, by claiming to use industry standard protocols to safeguard the information of its users.
LinkedIn isn’t just lying down and taking this, however: it calls the suit “without merit” and says it would defend itself “vigorously”. According to LinkedIn spokeswoman Erin O’Harra in an email statement, “No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation.”
It has been reported that LinkedIn stored its user passwords in “hashed” (one-way encrypted) form, though it did not “salt” them as many other websites do. That means LinkedIn did not add additional random characters to each password before hashing it, which would have made the hashes far harder to crack. After being posted in their hashed format, some of the passwords were recovered from the hashes, though LinkedIn has since started salting passwords.
The lawsuit also states that LinkedIn relied on an outmoded hashing format to store passwords and did not adhere to “basic security checklists” supplied by the U.S. National Institute of Standards and Technology to prevent the type of attack, known as an SQL injection attack, that allowed the hackers to gain access.
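To make concrete what unsalted versus salted hashing means for a stored password table, here is an added example (not code from the original article or from LinkedIn) that builds a small constructed set of hypothetical user records, stores them first as plain SHA-1 hashes and then with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library). The user names, passwords and the "common passwords" list are all constructed sample data. The checks it exposes are the ones a defender would run on their own store: whether two users sharing a password produce identical hashes, and whether a one-time precomputed table of common-password hashes matches stored records directly.

```python
import hashlib
import hmac
import os

# Constructed sample records (hypothetical, not real LinkedIn data).
USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "password123",   # deliberately the same password as alice
    "dave": "Tr0ub4dor&3",
}

# Constructed list of common passwords whose hashes can be computed once, ahead of time.
COMMON_PASSWORDS = ["123456", "password", "password123", "letmein", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the unsalted scheme described in the article."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Password table as it looks when every user is hashed without a salt."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def precomputed_table(candidates) -> dict:
    """hash -> plaintext table, computed once and reusable against any unsalted store."""
    return {unsalted_sha1(pw): pw for pw in candidates}


def exposed_by_table(stored: dict, table: dict) -> dict:
    """Audit: which accounts' unsalted hashes appear verbatim in a precomputed table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def shared_hash_groups(stored: dict) -> list:
    """Audit: groups of users whose stored hashes are identical (only possible without salt)."""
    groups = {}
    for user, h in stored.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def store_salted(users: dict, iterations: int = 100_000) -> dict:
    """Per-user 16-byte random salt plus PBKDF2-HMAC-SHA256 with a work factor."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
        records[user] = {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}
    return records


def verify_salted(record: dict, password: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    table = precomputed_table(COMMON_PASSWORDS)
    print("unsalted: users sharing a hash:", shared_hash_groups(unsalted))
    print("unsalted: matched by precomputed table:", exposed_by_table(unsalted, table))

    salted = store_salted(USERS)
    print("salted: users sharing a hash:", shared_hash_groups(salted_hashes := {u: r["hash"] for u, r in salted.items()}))
    print("salted: matched by precomputed table:", exposed_by_table(salted_hashes, table))
    print("salted: alice verifies:", verify_salted(salted["alice"], "password123"))
```

The unsalted store reveals that alice and carol share a password and lets a table built once against a common-password list match three of the four accounts with no further computation. With a per-user salt the same password yields different records for different users, the precomputed table matches nothing, and each guess must be recomputed per record at the chosen PBKDF2 work factor; legitimate verification still costs only one derivation.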
Source: Computer World – LinkedIn hit with lawsuit over massive data breach