LinkedIn Blew Security, Class Claims

     SAN JOSE (CN) - Hackers infiltrated LinkedIn's website and posted more than 6 million LinkedIn users' passwords online, customers claim in a federal class action.
     Lead plaintiff Katie Szpyrka claims the social network failed to encrypt 120 million users' "personally identifiable information," including email addresses, passwords and login credentials.
     "Sometime this year, hackers infiltrated LinkedIn's servers and accessed database(s) containing its users' PII [personally identifiable information]," according to the complaint. "After retrieving this data, the hackers publicly posted over 6 million LinkedIn users' passwords online. Because LinkedIn used insufficient encryption methods to secure the user data, hackers were able to easily decipher a large number of the passwords."
     Szpyrka claims LinkedIn stored users' passwords in an "outdated hashing function" that was published by the National Security Agency in 1995, the "unsalted SHA1 hashed format."
     Industry standards require adding "salt," or assigning random values to a password, before the text is input into a hashing function, the complaint states.
     "While some security threats are unavoidable in a rapidly developing technological environment, LinkedIn's failure to comply with long standing industry standard encryption protocols jeopardized its users' PII, and diminished the value of the services provided by defendant - as guaranteed by its own contractual terms," the complaint states.
     Approximately 6.5 million LinkedIn users' hashed passwords were posted online on June 6, Szpyrka says. Three days later, she claims, the company "admitted that it was not handling user data in accordance with best practices."
     Szpyrka, a LinkedIn user since 2010, calls the announcement and subsequent promised updates to the website, "too little too late."
     "LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker by bypassing its outer layer of security," the complaint states. "In so doing, defendant violated its privacy policy's promise to comply with industry standard protocols and technology for data security. ...
     "Had LinkedIn used proper encryption methods, and a hacker were able to penetrate LinkedIn's network, he would be limited in his ability to inflict harm."
     LinkedIn, launched in May 2003, "operates the world's largest professional network on the Internet with more than 120 million members in over 200 countries and territories [and] represents a valuable demographic for marketers with an affluent and influential membership," according to its website. Accounts cost from $20 to $100 per month.
     Szpyrka, of Illinois, seeks class certification, injunctive relief, costs and damages for breach of contract, negligence and unfair competition.
     She is represented by Sean Reis with Edelson McGuire of Rancho Santa Margarita.