LinkedIn hit with class action suit following password leak
It seems that LinkedIn can’t catch a break these days.
Following the discovery that its mobile app for iOS devices is sending potentially confidential information to the company servers without the users’ knowledge, the leak of 6.5 million of its users’ passwords, and the poor job they made at keeping users informed about the situation and the likely consequences, the company has been hit with a class action lawsuit.
The leader is Illinois resident Katie Szpyrka, who has been a LinkedIn customer since 2010, and has been paying $26 a month for a premium account.
In the lawsuit she alleges that LinkedIn violated its own privacy policy when it failed to salt the hashed passwords before storing them, making thus the job much easier for the attackers.
“LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker by bypassing its outer layer of security. In so doing, defendant violated its privacy policy’s promise to comply with industry standard protocols and technology for data security,” it says in the complaint.
“That LinkedIn did not recognize its databases had been compromised until it was informed through public channels provides further evidence that the company didn’t adhere to industry standards. Specifically, LinkedIn did not implement, or it poorly implemented, an intrusion detection system to properly identify and quickly respond to attacks on its servers.”
Szpyrka also claims that the professional social network failed to warn the users about the breach adequately and in time. When the warning emails were finally sent, half a million of them either never reached the users, as they were flagged by anti-spam filters, or were ignored by the users themselves as there were no obvious signs that the emails were legitimate.
According to ThreatPost, LinkedIn spokeswoman Erin O’Harra said the lawsuit is “without merit”, pointed out that no member account has been breached as a result of the incident, and that the company will defend itself “vigorously”.
Szpyrka is asking for $5 million or more in damages.