LinkedIn has been served with a potential $5 million class-action lawsuit on behalf of all users that charges the company with failing to use "basic industry standard" security practices.
The suit ties that alleged failure to the massive June 6 leak that saw millions of LinkedIn passwords posted online and subsequently cracked within hours.
According to court documents, the plaintiff, Illinois resident Katie Szpyrka, has been a registered LinkedIn user since 2010 and a premium member since late 2010 - in other words, she was forking out money for LinkedIn's services.
The suit, filed on Monday, seeks certification as a class-action lawsuit on behalf of all LinkedIn users.
The lawsuit charges LinkedIn with failing to meet its contractual obligations to protect users' sensitive personally identifiable information (PII).
From the filing:
"LinkedIn digitally stores millions of users' PII in a large-scale commercial database on its servers, and promises through its Privacy Policy that it uses 'industry standard protocols and technology' to protect such PII.""However, and despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilize basic industry standard encryption methods. In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format."
A salt is a string that is added to your password before it is cryptographically hashed. This process ensures that password lists cannot be pre-computed based on dictionary attacks or similar techniques.
The problem is twofold, the suit continued. First, SHA-1 is outdated. It was first published by the National Security Agency in 1995.
On top of that, storing users' passwords in hashed format without first salting them "runs afoul of conventional data protection methods, and poses significant risks to the integrity [of] users' sensitive data," as the suit states.
Salting is just the bare minimum level of protection LinkedIn should have used, the suit claims.
More common standard practice, it states, is to salt passwords before inputting them into a hash function, to then salt the resulting hash value, to run that hash value through a hashing function, and to store the final value on a separate, secure server, apart from any other user information.
By failing to use such practices, LinkedIn "drastically exacerbated the consequences of a hacker bypassing its outer layer of security," the suit states, and thereby violated its Privacy Policy's promise to comply with industry-standard protocols and technology for data security.
To make matters worse, LinkedIn was allegedly breached via SQL injection - one of the lowest-hanging fruits on the vulnerability tree. (To the best of my knowledge, LinkedIn has never confirmed how it was breached - but there have been widespread suggestions that it was via SQL injection).
In fact, the National Institute of Standards and Technology (NIST) provides basic network security checklists that enumerate ways to avoid getting hacked by SQL injection, the suit points out.
On top of that, SQL injection is No. 1 on the OWASP Top Ten list of the most critical web application security flaws.
In an email to IDG News Service, LinkedIn spokeswoman Erin O'Harra called the suit "without merit" and said the company would defend itself "vigorously."
Computerworld quotes O'Harra's email as continuing in this vein:
"No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation."
Is it just bravado on LinkedIn's part?
The suit mentions previous litigation filed by the Federal Trade Commission against various corporations that claimed to secure their customers' data while remaining vulnerable to SQL injection - notably, a 2003 complaint filed against the Guess? clothing company.
The suit sure does seem to have merit, given precedence and LinkedIn's sorry security practices.
On top of adopting better security processes, I'd hazard a guess that LinkedIn has its work cut out for it when it comes to defending itself in court over this incident.
