20 Jun 2012

LinkedIn Sued On Account of Leaked Password Incident


The lawsuit was filed on Monday on behalf of LinkedIn premium account holder Katie Szpyrka, claiming LinkedIn did not comply with “long standing industry standard encryption protocols”, as reported by PC World’s Cameron Scott.

The legal action, which also points to the platform’s failure to provide adequate protection against SQL injections, comes two weeks after news that a leak of 6.5 million hashed passwords struck the professional social network and proved its vulnerability to hacking.

According to a June 12 LinkedIn press release, “there [had] been no reports of compromised LinkedIn accounts as a result of this password theft.” A reference to stolen passwords not being leaked together with their corresponding email logins was intended to temper the severity of the incident, though no actual guarantee existed that the attackers had not got hold of the respective addresses.

The LinkedIn password leak brought to light the fact that the network’s technology team was in the process of fixing a possible vulnerability in its password database: passwords were only hashed, lacking the extra layer of protection provided by salting (random bits combined with each password before it is hashed).
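The difference between hash-only and salted storage, as an added example that is not from the article or from LinkedIn: the accounts are constructed sample data, and SHA-256 and PBKDF2 are illustrative choices, since the article does not name the algorithm involved.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not data from the incident); two users share a password.
SAMPLE_USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "S3parate!pass"}
PBKDF2_ROUNDS = 200_000  # illustrative work factor (assumption)

def unsalted_record(password):
    """Hash-only storage: the same password always produces the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password, salt=None):
    """Salted storage: a fresh random salt per user, fed into a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    return hmac.compare_digest(salted_record(password, salt)[1], key)

def shared_digests(stored_values):
    """Count stored values that occur for more than one account."""
    return sum(1 for n in Counter(stored_values).values() if n > 1)

def compare_storage(users=SAMPLE_USERS):
    """Return (shared digests without salt, shared digests with salt)."""
    unsalted = [unsalted_record(p) for p in users.values()]
    salted = [salted_record(p)[1] for p in users.values()]
    return shared_digests(unsalted), shared_digests(salted)

if __name__ == "__main__":
    plain, salted = compare_storage()
    print("digests shared between accounts, hash only:", plain)
    print("digests shared between accounts, salted:   ", salted)
```

Without a salt, one precomputed table or one cracked digest applies to every account that shares the password; with per-user salts each record has to be attacked separately.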