BreachExchange mailing list archives

LinkedIn hit with $5 million class action suit


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 21 Jun 2012 01:14:29 -0400

http://www.zdnet.com/blog/identity/linkedin-hit-with-5-million-class-action-suit/548

Summary: An Illinois woman files a class action suit against LinkedIn
claiming that violation of its own privacy policies and user
agreements allowed hackers to steal 6.46 million passwords.

Updated June 20, 2012 at 3:04 pm PST with comment from LinkedIn

An Illinois woman who claims LinkedIn violated its own user agreement
and privacy policy is spearheading a class action lawsuit against the
business-networking site in the wake of the recent loss to hackers of
private data.

Katie Szpyrka, a registered LinkedIn account holder since 2010, claims
the company “failed to properly safeguard its users’ digitally stored
personally identifiable information including email addresses,
passwords, and login credentials.”

Szpyrka, who filed the suit in United States District Court in the
Northern District of California, is demanding a jury trial on grounds
including breach of contract and negligence.

She says the users in the class action group include individuals and
entities in the United States who had a LinkedIn account on or before
June 6, 2012, including those who paid for an upgraded account.

Two weeks ago, LinkedIn reported that Russian hackers had stolen
nearly 6.5 million passwords. Users, who are prone to reuse passwords
across different web sites, were urged to change their passwords. With
more than 150 million users, the password theft involved less than 5%
of LinkedIn’s user base.

“No member account has been breached as a result of the incident, and
we have no reason to believe that any LinkedIn member has been
injured,” said Erin O’Harra, a public relations associate with
LinkedIn. “Therefore, it appears that these threats are driven by
lawyers looking to take advantage of the situation. We believe these
claims are without merit, and we will defend the company vigorously
against suits trying to leverage third-party criminal behavior.”

In the suit, Szpyrka, who pays $26.95 per month for a premium LinkedIn
account, says LinkedIn’s privacy policy promises users that all the
information they provide will be protected with industry standards and
technology.

She says LinkedIn failed to comply with basic industry standards by
using a weak encryption format. The company had encrypted passwords
with a SHA-1 algorithm, but according to experts the fact the company
neglected to “salt” the hash weakened the security.

The suit specifically points out that LinkedIn failed to salt the
passwords before storing them. The salt adds a dimension to the hash
that makes it more difficult to uncover the protected data.
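To make the salting point concrete, here is an added example (not from the article or from LinkedIn) that contrasts the unsalted SHA-1 scheme described above with per-user salted, iterated hashing. The accounts, passwords and the tiny "common passwords" wordlist are constructed for the demonstration; the verifier-side check uses PBKDF2-HMAC-SHA256 as the stand-in for a modern password KDF.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users chose the same password.
ACCOUNTS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}

# Constructed mini wordlist standing in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "linkedin2012", "qwerty"]

ITERATIONS = 100_000  # work factor for the salted scheme


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the scheme the article says LinkedIn used."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256); stored as salt$hash."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table() -> dict:
    """Unsalted SHA-1 digests of the wordlist; computed once, it applies to every user."""
    return {unsalted_sha1(p): p for p in COMMON_PASSWORDS}


def recover_unsalted(stored_hashes: dict) -> dict:
    """Users whose unsalted hash is found by a plain table lookup (no per-user work)."""
    table = precomputed_table()
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def demo():
    unsalted = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_hash(p, os.urandom(16)) for u, p in ACCOUNTS.items()}
    same_hash = unsalted["alice"] == unsalted["bob"]      # identical passwords collide
    hits = recover_unsalted(unsalted)                     # table lookup finds both at once
    salted_differ = salted["alice"] != salted["bob"]      # salt breaks the collision
    table = precomputed_table()
    salted_hits = [u for u, h in salted.items() if h.split("$")[1] in table]  # nothing
    return same_hash, hits, salted_differ, salted_hits
```

Running demo() shows that without a salt one precomputed table exposes every user who picked a common password and reveals which users share a password, while with a per-user salt each hash must be attacked individually and the shared password is no longer visible.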

The suit also references preliminary reports that said hackers used an
SQL injection attack, which lets hackers access databases via a Web
site.

SQL injection attacks have been one of the most common forms of attack
dating back to 2007. The first attacks date back to 2005. The suit
cites National Institute of Standards and Technology checklists as
common guidance for avoiding SQL injection attacks.

The suit also faults LinkedIn for not publicizing the attack and says
it only came to light after it was announced by third parties. The
suit claims the company later admitted it “was not handling user data
in accordance with best practices.”

The suit claims that damages are in excess of $5 million.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
