Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • IT Management
    • Storage

    LinkedIn Faces $5 Million Lawsuit After Password Breach

    Written by

    Jeff Burt
    Published June 21, 2012
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      LinkedIn is the target of a $5 million class-action suit that claims the social networking site€™s data security measures were ineffective, resulting in about 6.5 million user passwords being stolen by a hacker.

      The lawsuit, filed in U.S. District Court in Northern California on behalf of Illinois resident Katie Szpyrka, claims that while LinkedIn says it protects personally identifiable information (PII) with industry-standard practices and protocol, it failed to follow through with basic steps. Specifically, the company, which has about 120 million users, used a technique called hashing to encrypt information, but failed to add a second layer called salting.

      LinkedIn not only used an outdated hashing technique, but also, €œstoring users€™ passwords in hashed format without first €˜salting€™ the passwords runs afoul of conventional data protection methods, and poses significant risks to the users€™ €¦ data,€ according to claims in the 23-page lawsuit, which was filed June 18.

      LinkedIn used a hash-based encryption technique called SHA-1, which is considered by some experts as being safer than MD5, but still flawed, especially if not accompanied by salting.

      €œIndustry standards require at least the additional process of adding €˜salt€™ to a password before running it through a hashing function€”a process whereby random values are combined with a password before the text is input into a hashing function,€ the lawsuit claims. €œThis procedure drastically increases the difficulty of deciphering the resulting encrypted password.

      €œMore common practice is to salt the passwords before inputting them into a hash function, then to salt the resulting hash value, and again run the hash value through a hashing function. Finally, that fully encrypted password is stored on a separate and secure server apart from all other user information.€

      LinkedIn€™s data security procedures €œfall well short of this level of security,€ the lawsuit claims.

      The stolen information came to light June 6, when a hacker posted the hashed passwords to an online password cracking forum. According to security consulting firm KoreLogic, almost 80 percent the passwords have been encrypted, and users should expect that their passwords will be leaked. In statements and blog postings over the past two weeks, LinkedIn officials have said that they have not seen evidence that any users have been harmed by the breach, and assured users that they were improving the security of the information they hold, including using the salting technique to strengthen the hashed data.

      €œAgain, we are not aware of any member information being published at any time in connection with the list of stolen passwords,€ Vicente Silveira, a director at LinkedIn, said in a June 9 blog post. €œThe only information published was the passwords themselves.€

      In response to the lawsuit, LinkedIn spokesperson Erin O’Harra told Reuters that there was no merit to the lawsuit, which was filed “by lawyers looking to take advantage of the situation. No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured.”

      Right after the news of the data breach was made public, LinkedIn officials urged users to change their passwords, advice that was repeated by most security experts, including those from KoreLogic. Experts and journalists also reiterated the various steps to take to strengthen passwords, from using a combination of letters, numbers and punctuation to changing the passwords often to ensuring that they don€™t use the same password for multiple sites.

      Such steps are good ones to follow, but user efforts are only half the data security issue, according to Richard Moulds, vice president of product management and strategy at Thales e-Security, a security consulting and solutions provider.

      €œThe other half is determining how Websites protect those passwords,€ Moulds told eWEEK. €œYou€™ve got no way of determining what procedures they€™ve put in place.€

      For Websites that are built on transactions and deal with such data as credit card numbers€”think financial services institutions or retail sites€”there are regulations in place that set high security requirements. However, for other sites, such as Facebook and LinkedIn, there are no such regulations, even though companies like these hold massive amounts of personal information from hundreds of millions of people.

      At the same time, some of these Web-based companies are beginning to make transactions, Moulds said. For example, LinkedIn charges anywhere from $19.95 to $99.95 a month for upgrading to a €œpremium€ account, according to the lawsuit. The named plaintiff, Szpyrka, reportedly paid LinkedIn $26.95 a month for a premium account.

      Still, LinkedIn and similar sites are under no requirements regarding security, and users have few ways to determine the level of security on them, Moulds said. For example, users couldn€™t know that LinkedIn, at the time of the data breach, was using a weak hashing technology and did not have a second level of security in place, such as salting. Now, after news of the data breach surfaced, LinkedIn officials are out front with the security measures in place.

      €œ[O]ne of our major initiatives was the transition from a password database system that hashed passwords, i.e., provided one layer of encoding, to a system that both hashed and salted the passwords, i.e., provided an extra layer of protection that is a widely recognized best practice within the industry,€ LinkedIn€™s Silveira said in his blog post. €œThat transition was completed prior to news of the password theft breaking [June 6]. We continue to execute on our security road map, and we€™ll be releasing additional enhancements to better protect our members.€

      The LinkedIn data breach also raises another issue, Thales€™ Moulds said. For many organizations that do business online, such as banks and retail companies, security is a differentiator from competitors. If a user is unhappy with Bank of America and its security practices, for example, they can always move to another bank. The same goes for retail sites.

      However, sites like Facebook and LinkedIn don€™t have such competition. They are the only significant players in their areas, so unless there is a breach like the one at LinkedIn, there is little competitive reason for them to spend the time or money to bulk up their security rather than expand their services.

      €œIt€™s a quirk of the Internet, where areas are dominated by one company,€ Moulds said.

      Jeff Burt
      Jeff Burt
      Jeffrey Burt has been with eWEEK since 2000, covering an array of areas that includes servers, networking, PCs, processors, converged infrastructure, unified communications and the Internet of things.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×