LinkedIn taken to court over password leak
Two weeks after the disclosure of a huge password leak at LinkedIn, the business network is facing a multi-million-dollar lawsuit. In San Jose, California, an Illinois woman has filed a class action complaint on behalf of other LinkedIn members. The woman claims the company put personal data from users at risk by using outdated security technology and took too long to inform users after the incident. The claim value has been set at more than $5 million.
The complainant accuses LinkedIn of having used an outdated hash algorithm, the SHA1 format that dates back to 1995, to protect users' data. According to the claim, the company neglected to salt users' passwords, a procedure that involves adding random values to make it more difficult to convert hashes back into plain text. In doing so, LinkedIn caused "significant risks to the integrity of users' sensitive data", the suit says.
In a statement released on Wednesday, LinkedIn emphasised that no member account was breached as a result of the incident. "It appears that these threats are driven by lawyers looking to take advantage of the situation", the company said, adding that it believes the claims are without merit, and will defend itself vigorously against them.
The true scope of the recent data thefts, which also affected the eHarmony dating site and the Last.fm music service, is difficult to gauge. A Russian web site published a list of almost 6.5 million LinkedIn password hashes, and the 2.5 million hashes from Last.fm that have been disclosed are believed to be part of a list containing 17 million entries.
- LinkedIn and its password problems, comment by The H Security.