Hot Docs: LinkedIn facing class action over 6.5 million stolen passwords

June 21, 2012

As you may or may not know, millions of LinkedIn users’ passwords were retrieved by hackers from LinkedIn’s database earlier this year.

This occurrence became public knowledge after over 6 million of these passwords were posted online on June 6, 2012 (if you’re concerned that your password could be among them, you can check at LeakedIn or LastPass).

Naturally, LinkedIn is facing a class-action lawsuit over this event.

But is the leak really LinkedIn’s fault?

Let’s take a look at the facts.

According to the complaint, LinkedIn utilized a password encryption method that, being at least ten years out of date, was easily decipherable.

Specifically, by its own admission, LinkedIn had previously only “hashed” its users’ passwords.

“Hashing” a password means running it through a cryptographic hash function and converting it into an unreadable, encrypted format.

In other words, “hashing” is encoding a password.

According to the complaint, current industry standard practice is to add “salt” to a password – that is, to add random values to a password before “hashing” it.

And the industry standard practice is to salt the password not once, but twice: once before the initial hashing, and then again to the resulting hash before running it through the hashing function a second time.

According to the complaint, this makes the password “indecipherable.”
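As an added illustration (not part of the original post or of the complaint), the following Python shows the difference the complaint draws between plain hashing and salted hashing: without salt, every user who picked the same password gets the same digest, and one precomputed table of digests of common passwords matches a leaked list directly; with a random per-user salt, the digests differ and that table is useless. The user names, passwords, guess list and hash function (SHA-256) are constructed assumptions; the post does not say which function LinkedIn used.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users happen to share a password.
USERS = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "correct horse battery staple",
}
# Constructed list of guessable passwords, as a defender would use to
# check whether a leaked list is exposed to precomputed-table lookup.
COMMON_GUESSES = ["password", "123456", "linkedin2012", "qwerty"]


def hash_plain(password: str) -> str:
    """Unsalted hash: the scheme the complaint says LinkedIn used (SHA-256 assumed)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted hash: a random per-user value is mixed in before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def unsalted_store(users: dict) -> dict:
    """user -> digest. Equal passwords yield equal digests."""
    return {u: hash_plain(p) for u, p in users.items()}


def salted_store(users: dict) -> dict:
    """user -> (salt_hex, digest). A fresh 16-byte salt per user."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt.hex(), hash_salted(p, salt))
    return out


def verify_salted(password: str, salt_hex: str, digest: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(hash_salted(password, bytes.fromhex(salt_hex)), digest)


def precomputed_table(guesses) -> dict:
    """digest -> password, computed once and reusable against any unsalted list."""
    return {hash_plain(g): g for g in guesses}


def table_matches(digests, table: dict) -> int:
    """How many leaked digests the precomputed table recovers directly."""
    return sum(1 for d in digests if d in table)
```

A salt defeats the shared table but not guessing against a single account; today's practice also uses a deliberately slow function (bcrypt, scrypt or Argon2) so each guess is expensive.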

Hot Doc: Szpyrka v. LinkedIn

Source: Thomson Reuters News & Insight – National Litigation

Okay, so these allegations, if true, would certainly make LinkedIn negligent.

But if that’s all there is to it, why are there eight separate causes of action in the complaint?

Because LinkedIn has long maintained, in both its user agreement and privacy policy, that it protected its users’ personal information “with industry standard protocols and technology.”

The complaint alleges – convincingly – that LinkedIn makes these assertions to alleviate user concerns over data privacy protection on the site in order to induce users into contracting with the site.

The existence of a contract with LinkedIn is apparent in the cases of those users who pay for a premium account, but what about those who have a free account?

According to the complaint, a contract exists in those cases as well – with the consideration offered to LinkedIn being the user’s personal data (since LinkedIn can enhance its networking offerings to other users with a larger database).

With the addition of that last little tidbit, LinkedIn is opened up for breach of contract and deceptive trade practices liability, which, because of statutory allowances for the recovery of attorneys’ fees in the case of the latter, can be a lot more expensive.

For the rest of us LinkedIn users, perhaps one of the more disturbing aspects of this entire incident is the fact that LinkedIn didn’t even know that its systems were hacked and that confidential user information was stolen.

It was only after third-party observers identified the password list as originating from LinkedIn that the professional networking site took notice.

Thus, there is a very real chance that, even if your password wasn’t on the published list, it was still stolen.

And though this lawsuit may serve to deter LinkedIn and other such online services from making similar mistakes, there will always be those websites that have lax security.

This doesn’t mean that you should just stop going online altogether.

Instead, simply take the advice that online security experts have been giving for years:

Don’t reuse the same password on multiple sites.