(CN) – LinkedIn may be liable for fraud after hackers infiltrated its system in 2012 and posted about 6.5 million user passwords on the Internet, a federal judge ruled.
U.S. District Judge Edward Davila in San Jose, Calif., refused to dismiss a class action accusing the business-networking site of fraud under California’s Unfair Competition Law.
On June 9, 2012 – three days after the breach – LinkedIn announced that it would uprgrade its password encryption method to provide an extra layer of protection.
Had LinkedIn disclosed its lax security practices at the time, users insisted in their lawsuit, they never would have bought premium memberships.
In an email, the plaintiff asked to be named as Khalilah Gilmore-Wright. She and other users claimed that LinkedIn’s method of encrypting passwords before the breach, a process called “hashing,” fell below industry standards at the time.
Hashing generates a string of numbers or letters for each password.
Wright argued that most companies use at minimum a two-layered approach, in which they add binary digits to the password, known as “salting,” and then hash the salted password.
Davila said Wright’s allegations “are specific to support her conclusion that LinkedIn’s representation was false.”
“She alleges that LinkedIn used a particular security practice, is specific about what that security practice entailed, alleges that LinkedIn’s practice fell below the ‘bare minimum’ security practice in LinkedIn’s industry, and she is specific about what that ‘bare minimum’ security practice entails,” he wrote.
However, he dismissed Wright’s second and third claims, for unfair competition and breach of contract, explaining that they fall within his previous dismissal of the first amended complaint, as Wright herself concedes.
“[A]llowing for further amendment would be futile,” Davila wrote.
- Student’s ‘Crack Shack’ Reporting Vindicated
- Pipeline Damage Costs|Fall Primarily to U.S.