Social networking site LinkedIn is facing a $5 million class-action lawsuit over its information security practices, in response to an attacker who apparently obtained 6.5 million users' passwords earlier this month, according to an article from Information Week.
The hacker posted the passwords, along with an additional 1.5 million from dating website eHarmony, on a password-cracking forum on the InsidePro website, the article says.
The complaint against LinkedIn was filed Monday in U.S. District Court in the Northern District of California for plaintiff Katie Szpyrka, a Chicago-based associate at a real estate firm, by the law firm of Edelson McGuire, Information Week reports.
The lawsuit frames the case against LinkedIn as a question of whether the company's security practices were adequate to protect its customers' personally identifiable information (PII), as the company had promised, the article says.
"Through its Privacy Policy, LinkedIn promises its users that 'all information that [they] provide [to LinkedIn] will be protected with industry standard protocols and technology,'" reads the lawsuit. "In direct contradiction to this promise, LinkedIn failed to comply with basic industry standards by maintaining millions of users' PII in its servers' databases in a weak encryption format, and without implementing other crucial security measures."
The lawsuit suggests that LinkedIn "employed a troubling lack of security measures," as evidenced by its reportedly being exploited via a SQL injection attack and by its failure to salt its passwords. "Industry standards require at least the additional process of adding 'salt' to a password before running it through a hashing function—a process whereby random values are combined with a password before the text is input into a hashing function. This procedure drastically increases the difficulty of deciphering the resulting encrypted password," reads the lawsuit.
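To make the salting point concrete, here is an added illustration (not from the article, the lawsuit, or LinkedIn's own code) of why unsalted password digests are so much cheaper to recover than salted ones. It uses SHA-1 only as a stand-in for any fast, unsalted digest; the user accounts, passwords and wordlist are constructed for the example. With no salt, two users sharing a password produce the same digest, and a single precomputed table of digests answers for every user at once; with a per-user random salt, identical passwords produce different digests and the precomputed table finds nothing. The last function shows the stronger form of the same idea, salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library).

```python
import hashlib
import hmac
import os

# Constructed sample accounts: alice and bob happen to share a password.
USERS = {
    "alice": "correcthorse",
    "bob": "correcthorse",
    "carol": "hunter2",
}

# Constructed attacker-style wordlist, used only to show the cost asymmetry.
WORDLIST = ["password", "correcthorse", "letmein"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest (SHA-1 as a stand-in for any fast hash).
    Identical passwords always yield identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Same fast digest, but a per-user random salt is mixed in first,
    which is the minimum step the lawsuit's quoted 'industry standard' describes."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def kdf_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256),
    so each guess costs the attacker many hash computations rather than one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(users: dict) -> dict:
    """Password table as a site without salting would keep it: user -> digest."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """Password table with a fresh 16-byte random salt per user: user -> (salt, digest)."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt, salted_hash(p, salt))
    return table


def verify_salted(table: dict, user: str, candidate: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt, stored = table[user]
    return hmac.compare_digest(salted_hash(candidate, salt), stored)


def _digest_of(entry) -> str:
    # Entries are either a bare digest (unsalted) or a (salt, digest) pair.
    return entry if isinstance(entry, str) else entry[1]


def count_duplicate_digests(table: dict) -> int:
    """Number of users whose stored digest is shared with at least one other user.
    A non-zero count leaks which accounts share a password, before any cracking."""
    digests = [_digest_of(v) for v in table.values()]
    return sum(1 for d in digests if digests.count(d) > 1)


def lookup_table_hits(table: dict, wordlist: list) -> int:
    """How many stored digests a single precomputed wordlist->digest table matches.
    Built once, it covers every unsalted user; against salted digests it is useless,
    since the table would have to be rebuilt for each user's salt."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    return sum(1 for v in table.values() if _digest_of(v) in lookup)


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("duplicate digests, unsalted:", count_duplicate_digests(unsalted))
    print("duplicate digests, salted:  ", count_duplicate_digests(salted))
    print("precomputed-table hits, unsalted:", lookup_table_hits(unsalted, WORDLIST))
    print("precomputed-table hits, salted:  ", lookup_table_hits(salted, WORDLIST))
    print("alice login ok:", verify_salted(salted, "alice", "correcthorse"))
```

Run as a script, the unsalted table shows two users with a shared digest and two hits from one precomputed table, while the salted table shows zero of each; the salt has to be stored beside the digest (it is not secret), which is why `verify_salted` can still check a login. In practice the `kdf_hash` form, or a purpose-built password hash such as bcrypt, scrypt or Argon2, is what "industry standard" means today, since a fast digest with a salt still lets an attacker test each guess at hardware speed.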
LinkedIn has been defending its security practices and leadership since the breach, and the site is expected to fight the lawsuit.
According to Darain Faraz, a LinkedIn communications manager who corresponded with Information Week via email: "No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."