Saturday, May 27, 2023
Courthouse News Service

LinkedIn Can’t Shake Fraud Claims Over 2012 Hacking

(CN) - LinkedIn may be liable for fraud after hackers infiltrated its system in 2012 and posted about 6.5 million user passwords on the Internet, a federal judge ruled.

U.S. District Judge Edward Davila in San Jose, Calif., refused to dismiss a class action accusing the business-networking site of fraud under California's Unfair Competition Law.

Users had argued that they upgraded to premium memberships after reading LinkedIn's privacy policy, which states that their information "will be protected with industry standard protocols and technology."

On June 9, 2012 - three days after the breach - LinkedIn announced that it would upgrade its password encryption method to provide an extra layer of protection.

Had LinkedIn disclosed its lax security practices at the time, users insisted in their lawsuit, they never would have bought premium memberships.

LinkedIn countered that its privacy policy applies to both paying and non-paying members, so the policy cannot be considered a "material inducement" for premium upgrades.

"Under no plausible theory can this single sentence in the privacy policy that applies to all LinkedIn members be considered an 'inducement' to the purchase of a premium subscription, the 'advertisement' of premium services, or an 'effective marketing technique' for premium service," the company argued.

But Judge Davila said the lead plaintiff "has alleged a plausible explanation for why [the privacy policy] is likely to deceive the public."

In an email, the plaintiff asked to be named as Khalilah Gilmore-Wright. She and other users claimed that LinkedIn's method of encrypting passwords before the breach, a process called "hashing," fell below industry standards at the time.

Hashing generates a string of numbers or letters for each password.

Wright argued that most companies use at minimum a two-layered approach, in which they add binary digits to the password, known as "salting," and then hash the salted password.
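
The difference between the two practices described above, as an added example that is not part of the original article: under a bare hash, identical passwords produce identical stored values, while a random per-user salt makes each stored value distinct. SHA-256, the 16-byte salt, and the account names and passwords are assumptions constructed for illustration; the article names no algorithm.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: SHA-256 stands in for the hash; the article names no algorithm.

def hash_unsalted(password: str) -> str:
    """Bare hash: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Prepend a random per-user salt, then hash; the salt is stored with the digest."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], stored)

def shared_digests(digests: Dict[str, str]) -> List[List[str]]:
    """Audit helper: groups of users whose stored digests are identical."""
    groups: Dict[str, List[str]] = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts (not real data); two users share a password.
ACCOUNTS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "x9$Lq-vT"}

def build_tables(accounts: Dict[str, str]):
    """Return (unsalted, salted) credential tables for the same accounts."""
    unsalted = {u: hash_unsalted(p) for u, p in accounts.items()}
    salted = {u: hash_salted(p) for u, p in accounts.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables(ACCOUNTS)
    print("unsalted, shared digests:", shared_digests(unsalted))
    print("salted, shared digests:  ",
          shared_digests({u: d for u, (_, d) in salted.items()}))
    salt, digest = salted["alice"]
    print("correct password verifies:", verify_salted("Summer2012!", salt, digest))
```

A single salted hash is the minimum the article describes; dedicated password-hashing functions such as bcrypt, scrypt, Argon2 or PBKDF2 add a tunable work factor on top of the salt.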

Davila said Wright's allegations "are specific to support her conclusion that LinkedIn's representation was false."

"She alleges that LinkedIn used a particular security practice, is specific about what that security practice entailed, alleges that LinkedIn's practice fell below the 'bare minimum' security practice in LinkedIn's industry, and she is specific about what that 'bare minimum' security practice entails," he wrote.

However, he dismissed Wright's second and third claims, for unfair competition and breach of contract, explaining that they fall within his previous dismissal of the first amended complaint, as Wright herself concedes.

"[A]llowing for further amendment would be futile," Davila wrote.
