Class-action filed against LinkedIn

A class-action suit, seeking at least $5 million in damages, has been filed against professional social networking site LinkedIn in the US. The company is accused of failing to take adequate measures to protect its users' personal information - including e-mail addresses and login credentials.

The class-action follows the widely publicised hack on LinkedIn that saw 6.5 million hashed user passwords leaked online. The passwords (without usernames) were posted on a Russian forum as SHA-1 hashes. After investigating the matter, LinkedIn confirmed that at least some of the passwords did correspond to LinkedIn user accounts.

Lead plaintiff in the class-action suit, Katie Szpryka (a premium account holder on LinkedIn), accuses the networking site of negligence and breach of contract for failing to securely encrypt its user database.

The hack exposed the fact that LinkedIn was not isolating users' credentials on separate secure machines, and did not “salt” passwords before hashing them. Salting involves adding random characters to each password before it is cryptographically hashed, making it more difficult to reconstruct the original password. Since the hack, LinkedIn has introduced such security measures.
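To make the salting point concrete, here is an added example (not from the article, the suit, or LinkedIn's code) that stores the same password for two users with bare SHA-1 and then with a per-user random salt. The user names, the sample password, the function names and the choice of PBKDF2 with its parameters are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample data: two users who happen to pick the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012"}


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1, the unsalted storage format the article describes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Random 16-byte salt per user, fed with the password into a slow KDF.

    PBKDF2-HMAC-SHA256 and the iteration count are this example's choice.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


def build_unsalted(users: dict[str, str]) -> dict[str, str]:
    return {name: unsalted_sha1(pw) for name, pw in users.items()}


def build_salted(users: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    return {name: salted_hash(pw) for name, pw in users.items()}


if __name__ == "__main__":
    # Unsalted: identical passwords collapse to one digest across accounts.
    print("distinct unsalted digests:", len(set(build_unsalted(USERS).values())))
    # Salted: every record is unique even though the passwords match.
    salted = build_salted(USERS)
    print("distinct salted digests:", len({d for _, d in salted.values()}))
    print("login still works:", verify("linkedin2012", *salted["alice"]))
```

With the unsalted table, one digest covers every account that shares a password, so a leak without usernames still reveals how common each password is; the salted table gives each record its own digest while login verification keeps working.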

The suit also notes that regardless of whether a user signs up for a free or premium account, LinkedIn asserts through its privacy policy that it will safeguard its users' sensitive personally identifiable information (PII). Quoting the privacy policy, it states: “All information that you provide will be protected with industry-standard protocols and technology.”

The suit states: “While some security threats are unavoidable in a rapidly developing technological environment, LinkedIn's failure to comply with long-standing industry-standard encryption protocols jeopardised its users' PII, and diminished the value of the services provided by the defendant - as guaranteed by its own contractual terms.”
