LinkedIn Faces $5 Million Lawsuit After Password Breach

The case involving the leaking of 6.5 million passwords raises issues of security at dominant Websites like LinkedIn and Facebook.

LinkedIn is the target of a $5 million class-action suit that claims the social networking site€™s data security measures were ineffective, resulting in about 6.5 million user passwords being stolen by a hacker.

The lawsuit, filed in U.S. District Court in Northern California on behalf of Illinois resident Katie Szpyrka, claims that while LinkedIn says it protects personally identifiable information (PII) with industry-standard practices and protocol, it failed to follow through with basic steps. Specifically, the company, which has about 120 million users, used a technique called hashing to encrypt information, but failed to add a second layer called salting.

LinkedIn not only used an outdated hashing technique, but also, €œstoring users€™ passwords in hashed format without first €˜salting€™ the passwords runs afoul of conventional data protection methods, and poses significant risks to the users€™ €¦ data,€ according to claims in the 23-page lawsuit, which was filed June 18.

LinkedIn used a hash-based encryption technique called SHA-1, which is considered by some experts as being safer than MD5, but still flawed, especially if not accompanied by salting.

€œIndustry standards require at least the additional process of adding €˜salt€™ to a password before running it through a hashing function€”a process whereby random values are combined with a password before the text is input into a hashing function,€ the lawsuit claims. €œThis procedure drastically increases the difficulty of deciphering the resulting encrypted password.

€œMore common practice is to salt the passwords before inputting them into a hash function, then to salt the resulting hash value, and again run the hash value through a hashing function. Finally, that fully encrypted password is stored on a separate and secure server apart from all other user information.€

LinkedIn€™s data security procedures €œfall well short of this level of security,€ the lawsuit claims.

The stolen information came to light June 6, when a hacker posted the hashed passwords to an online password cracking forum. According to security consulting firm KoreLogic, almost 80 percent the passwords have been encrypted, and users should expect that their passwords will be leaked. In statements and blog postings over the past two weeks, LinkedIn officials have said that they have not seen evidence that any users have been harmed by the breach, and assured users that they were improving the security of the information they hold, including using the salting technique to strengthen the hashed data.

€œAgain, we are not aware of any member information being published at any time in connection with the list of stolen passwords,€ Vicente Silveira, a director at LinkedIn, said in a June 9 blog post. €œThe only information published was the passwords themselves.€

In response to the lawsuit, LinkedIn spokesperson Erin O'Harra told Reuters that there was no merit to the lawsuit, which was filed "by lawyers looking to take advantage of the situation. No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured."

Right after the news of the data breach was made public, LinkedIn officials urged users to change their passwords, advice that was repeated by most security experts, including those from KoreLogic. Experts and journalists also reiterated the various steps to take to strengthen passwords, from using a combination of letters, numbers and punctuation to changing the passwords often to ensuring that they don€™t use the same password for multiple sites.

Such steps are good ones to follow, but user efforts are only half the data security issue, according to Richard Moulds, vice president of product management and strategy at Thales e-Security, a security consulting and solutions provider.

€œThe other half is determining how Websites protect those passwords,€ Moulds told eWEEK. €œYou€™ve got no way of determining what procedures they€™ve put in place.€

For Websites that are built on transactions and deal with such data as credit card numbers€”think financial services institutions or retail sites€”there are regulations in place that set high security requirements. However, for other sites, such as Facebook and LinkedIn, there are no such regulations, even though companies like these hold massive amounts of personal information from hundreds of millions of people.

At the same time, some of these Web-based companies are beginning to make transactions, Moulds said. For example, LinkedIn charges anywhere from $19.95 to $99.95 a month for upgrading to a €œpremium€ account, according to the lawsuit. The named plaintiff, Szpyrka, reportedly paid LinkedIn $26.95 a month for a premium account.

Still, LinkedIn and similar sites are under no requirements regarding security, and users have few ways to determine the level of security on them, Moulds said. For example, users couldn€™t know that LinkedIn, at the time of the data breach, was using a weak hashing technology and did not have a second level of security in place, such as salting. Now, after news of the data breach surfaced, LinkedIn officials are out front with the security measures in place.

€œ[O]ne of our major initiatives was the transition from a password database system that hashed passwords, i.e., provided one layer of encoding, to a system that both hashed and salted the passwords, i.e., provided an extra layer of protection that is a widely recognized best practice within the industry,€ LinkedIn€™s Silveira said in his blog post. €œThat transition was completed prior to news of the password theft breaking [June 6]. We continue to execute on our security road map, and we€™ll be releasing additional enhancements to better protect our members.€

The LinkedIn data breach also raises another issue, Thales€™ Moulds said. For many organizations that do business online, such as banks and retail companies, security is a differentiator from competitors. If a user is unhappy with Bank of America and its security practices, for example, they can always move to another bank. The same goes for retail sites.

However, sites like Facebook and LinkedIn don€™t have such competition. They are the only significant players in their areas, so unless there is a breach like the one at LinkedIn, there is little competitive reason for them to spend the time or money to bulk up their security rather than expand their services.

€œIt€™s a quirk of the Internet, where areas are dominated by one company,€ Moulds said.