Professional social networking service LinkedIn won the dismissal of a lawsuit seeking damages on behalf of premium users who had their log-in passwords exposed as a result of a security breach of the company's servers last year.
The data breach came to light at the beginning of June 2012, after hackers posted 6.5 million password hashes corresponding to LinkedIn accounts on an underground forum. More than 60% of those password hashes were later cracked by hackers.
The first complaint against LinkedIn was filed on Jun. 15, 2012, in the U.S. District Court for the Northern District of California by a Illinois resident and paid LinkedIn account owner named Katie Szpyrka.
The complaint alleged that LinkedIn violated its own User Agreement and Privacy Policy by failing to utilize industry standard protocols and technology to protect its customers' personally identifiable information, including email addresses, passwords and log-in credentials.
An amended complaint was filed on Nov. 26, 2012 on behalf of Szpyrka and another premium LinkedIn user from Virginia named Khalilah Wright, as class representatives for all LinkedIn users who were affected by the breach. The lawsuit sought "injunctive and other equitable relief," as well as restitution and damages for the plaintiffs and members of the class.
The complaint alleged that LinkedIn failed to adequately protect user data because it stored passwords using a weak cryptographic hash function without additional protection, despite its own Privacy Policy stating that "personal information you provide will be secured in accordance with industry standard protocols and technology."
"The problem with this practice is two-fold," the complaint said. "First, SHA-1 is an outdated hashing function, first published by the National Security Agency in 1995. Secondly, storing users' passwords in hashed format without first 'salting' the password runs afoul of conventional data protection methods, and poses significant risks to the integrity of users' sensitive data."
Password hashing is a form of one-way encryption. A password hash is an unique cryptographic representation of a plaintext password, but unlike ciphertext generated with a two-way encryption function, hashes are not meant to be decrypted. When users log in and input their password, the password is hashed on the fly and the resulting hash is matched against the one already stored in the database for that user.
Older hash functions like SHA-1 are fast and efficient, but are also vulnerable to brute force attacks. Because of this, it is common practice to append a unique and random string to each password before hashing it. This is known as 'salting' and makes password hash cracking much more difficult.
The complaint maintained that if Szpyrka and Wright had known that LinkedIn used substandard encryption they wouldn't have paid for premium LinkedIn accounts which cost between $19.95 and $99.95 per month depending on subscription type.
