LinkedIn Settles Pair of Member Class Actions

     SAN JOSE, Calif. (CN) – LinkedIn settled two class actions Tuesday to compensate its members for hacked passwords and its own practice of harvesting members’ personal information and spamming their contacts.
     In the first case, U.S. District Judge Edward Davila gave final approval to a $1.25 million settlement with LinkedIn members who had their passwords posted online by hackers, after accepting class members’ theory that the professional networking site had promised paying members an “industry standard data security” which it failed to provide.
     The federal class action was filed in June 2012 by lead plaintiff Katie Szpyrka after 6.4 million members had their passwords posted online by hackers who had infiltrated LinkedIn’s system.
     Szpyrka claimed the social network failed to encrypt 120 million users’ “personally identifiable information,” including email addresses, passwords and login credentials. She also contended LinkedIn stored users’ passwords in an “outdated hashing function” that was published by the National Security Agency in 1995, the “unsalted SHA1 hashed format.”
     Davila had refused LinkedIn’s attempt to get the class action dismissed after finding Szpykra had alleged a plausible explanation for why the company’s privacy policy is likely to have deceived the public.
     One year later, LinkedIn faced another federal class action for its own practices of collecting members’ emails and contacts and then barraging those contacts with promotional spam.
     Members claimed that they were required to provide an external email user name and password when creating an account which LinkedIn then used to hack into the user’s external email account and extract email addresses.
     If a user left an external email account open, members said LinkedIn pretended to be that user and downloaded the email addresses contained anywhere in that account to its servers, including the addresses of former spouses, clients and opposing counsel.
     Members said the networking site downloaded email addresses without their consent, despite promising users that “[w]e will not email anyone without your permission.” LinkedIn then sent “multiple emails endorsing its products, services, and brand to potential new users, plus two follow-up reminder emails,” users said.
     U.S. District Judge Lucy H. Koh granted preliminary approval of a proposed settlement in that case, also on Tuesday, with final approval expected to be determined in February 2016. The class consists of about 20.8 million current and former LinkedIn users.
     No settlement amount was listed in Koh’s preliminary approval.
     As for the 800,000 members who had their passwords exposed online by hackers, Davila approved the settlement so members can expect settlement funds to be dispersed after $339,109 of the funds are used to pay attorneys’ fees and costs.

%d bloggers like this: