LinkedIn is facing legal action over the big password breach, but says lawyers are just trying to exploit the situation
A class action lawsuit has been launched against LinkedIn after over 6 million of the social network’s user passwords were stolen and posted online.
The court filing alleged LinkedIn was using “insufficient encryption methods to secure the user data”, meaning hackers could “easily” decipher a significant number of the passwords. It claimed early reports had indicated an SQL injection attack was used to acquire the passwords, which would again point to weak security practices at LinkedIn.
The stolen LinkedIn passwords were stored as unsalted SHA-1 hashes, which offers some protection, but many in the security industry see the standard as an inherently insecure one.
Following the breach, LinkedIn announced “a long-planned transition” to a password database system that both hashes and salts the passwords, providing a double-layer of security.
LinkedIn refuted the claims in the court filing, claiming it was inspired by lawyers wanting to exploit the situation.
“We have recently learned that a class action lawsuit has been filed against the company related to the theft of hashed LinkedIn member passwords that were published on an unauthorised website,” a spokesperson told TechWeekEurope.
“No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured.
“Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior.”
Are you a security lover? Try our quiz!