LinkedIn Settles Password Theft Lawsuit

LinkedIn pays nearly £1m to settle legal fight after security breach compromised 6.5 million user passwords

The financial impact of hacking attacks and security breaches continues, with LinkedIn coughing up cash to settle a lawsuit.

The business-oriented social network has paid $1.25m (£810,000) to settle the legal claim filed just after the theft of millions of passwords in the summer of 2012.

Massive Theft

It was in early June 2012 when LinkedIn first became aware of reports that almost 6.5 million passwords for the social networking site had been stolen and published online.

A Russian hacker had acquired password hashes, cracked many of them and posted them on a Russian website, in a move that potentially left millions of LinkedIn users vulnerable to account hijacking and personal data theft.

Following the breach, LinkedIn announced “a long-planned transition” to a password database system that both hashes and salts the passwords, to provide a double layer of security.

Following the breach, the social network apologised and enlisted the help of the FBI in the matter, but that did not stop a class action lawsuit led by plaintiff Katie Szpyrka, who alleged that LinkedIn failed to properly safeguard users’ personally identifiable information, and violated its own user agreement and privacy policy by not using “long-standing industry standard protocols and technology.”

LinkedIn, however, consistently refuted the lawsuit, and indeed claimed it was inspired by lawyers wanting to exploit the situation. It confirmed that the password theft had cost the company between $500,000 (£322,705) and $1m (£645,000).

But now LinkedIn has agreed to settle the lawsuit and the $1.25m (£810,000) cash settlement will be shared among LinkedIn’s American users. And only those who paid to use the site between 15 March 2006 and 7 June 2012 are eligible, and the maximum each person can receive is $50 (£32).

To claim, qualifying LinkedIn users have to go to this website in order to get their compensation. Users have until May 2 to file their claim, and if they don’t file a claim, they will receive no compensation.

LinkedIn Win?

LinkedIn was keen to stress on the website that the “Court has not decided whether the Plaintiff or the Defendant should win this case. Instead, both sides agreed to a settlement.”

And with a settlement figure of just $50 for each qualifying user, plus the fact that it is now up to the court to determine the proper amount of any attorneys’ fees, some may feel that LinkedIn may have come out on top of the lawsuit, despite the damage the theft did to LinkedIn’s security credentials.

And that 2012 password theft was not the first time that LinkedIn has faced issues over its passwords.

In late 2010, Yahoo, Twitter and LinkedIn all asked their users to change their passwords, after a data breach at online publisher Gawker Media resulted in about 200,000 login details being compromised.
