LinkedIn has been hit with a $5m (£3.2m) class-action lawsuit for failing to provide adequate security, which led to the recent leak of millions of users' passwords online.
Brought by plaintiff Katie Szpyrka of Illinois, US, the lawsuit charges LinkedIn with failing to use "basic industry security" practices and ties that failure to the 6 June leak of millions of passwords appearing online.

Szpyrka, who filed the lawsuit on behalf of LinkedIn's 120 million members on 18 June, has been a registered LinkedIn user since 2010 and a paying premium member since later that year.

The lawsuit charges LinkedIn with failing to meet its contractual obligations to protect the sensitive and personally identifiable information (PII) of its users.

"LinkedIn digitally stores millions of users' PII in a large-scale commercial database on its servers, and promises through its Privacy Policy that it uses 'industry standard protocols and technology' to protect such PII," the filing reads.

It continues: "However, and despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilize basic industry standard encryption methods.

"In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format."

LinkedIn had been criticised for failing to 'salt' passwords stored on its servers. What this means, as explained by security expert Chester Wisniewski of Sophos, is that a string of random characters is added to each password before it is hashed and saved.

"It means that password lists cannot be pre-computed based on dictionary attacks or similar techniques. This is an important factor in slowing down people trying to brute force passwords. It buys time and unfortunately the hashes published from LinkedIn did not contain a salt," Wisniewski explains.

Adding a salt to passwords prevents attackers from running a single precomputed list against the whole database of stolen hashes to crack them in bulk; each salted hash has to be attacked on its own.
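As an added illustration that is not part of the original article, the following Python snippet shows the difference Wisniewski describes: a dictionary hashed once with unsalted SHA1 recovers matching passwords from a stolen database by simple lookup, while per-user random salts make the same table useless. All users, passwords and the dictionary are constructed sample values, not data from the LinkedIn leak.

```python
import hashlib
import os

# Constructed sample users; two of them chose the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}

# Constructed "dictionary" that an attacker could hash ahead of time.
DICTIONARY = ["123456", "password", "linkedin", "linkedin2012"]


def unsalted_sha1(password: str) -> str:
    """The scheme the filing criticises: SHA1 over the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Same hash, but a per-user random salt is prepended before hashing."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def precomputed_table(words):
    """Hash the dictionary once; reusable against any unsalted database."""
    return {unsalted_sha1(w): w for w in words}


def crack_with_table(hashes: dict, table: dict) -> dict:
    """Look each stolen hash up in the table; no per-user hashing needed."""
    return {user: table[h] for user, h in hashes.items() if h in table}


def demo():
    table = precomputed_table(DICTIONARY)

    # Unsalted: identical passwords collide, and the table recovers them directly.
    unsalted_db = {u: unsalted_sha1(p) for u, p in USERS.items()}
    unsalted_hits = crack_with_table(unsalted_db, table)

    # Salted: each user gets a random 16-byte salt stored beside the hash.
    salted_db = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        salted_db[u] = (salt, salted_sha1(p, salt))
    salted_hits = crack_with_table({u: h for u, (_, h) in salted_db.items()}, table)

    return {
        "unsalted_hits": unsalted_hits,
        "salted_hits": salted_hits,
        "unsalted_collide": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_collide": salted_db["alice"][1] == salted_db["bob"][1],
    }
```

A salt alone only defeats precomputation; a defender would also replace the fast SHA1 with a deliberately slow salted password hash such as bcrypt, scrypt or PBKDF2 so that per-hash guessing is expensive too.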

LinkedIn has responded to the $5m lawsuit, stating that it is "without merit". Spokesperson Erin O'Hara told IDG News Service: "No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured.

"Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation."

News broke on 6 June that millions of LinkedIn passwords had appeared online, but by 7 June it was thought that many more than that had been published.

Internet security company Imperva contacted IBTimes UK to say that it believes more than the originally stated 6.5 million accounts have been compromised.

"The password list is missing the 'easy' passwords. The password files do not contain easy to crack passwords such as '123456' that are traditionally the most common choice of passwords."

The company also states: "Passwords are typically listed only once. In other words, the list doesn't reveal how many times a password was used by the customers. This means that a single entry in this list can be used by more than one person."