Woman files lawsuit against LinkedIn over password breaches

Considering the propensity of modern culture to sue over anything and everything, perhaps we ought to be surprised it has taken this long. Still, it has happened: LinkedIn is being sued over the data breach it experienced recently, which Neowin reported on. Not much here should surprise you; there have been plenty of incidents where a company's security has been shown to be weak and someone has sued them over it afterwards.

The lawsuit was filed on June 15th by Katie Szpyrka of Illinois in a federal court in San Jose, California, and seeks class-action status. It came less than two weeks after the LinkedIn breach, which left many people concerned about the security of their LinkedIn accounts. Szpyrka's law firm, based in Chicago, claimed LinkedIn had "deceived customers" by having a security policy in "clear contradiction of accepted industry standards for database security".

Legal experts have said that a large settlement for the plaintiffs will be difficult to achieve, since each plaintiff will have to show they were personally harmed by the breach. The leaked LinkedIn passwords originally appeared on Russian forums, with ZDNet among the first sites to pick up on the leak.

The passwords posted on the Russian message board were supposedly hashed. Even so, LinkedIn's stock price fell after the announcement that passwords had been leaked, indicating a loss of faith in the company. In total, over six million passwords had been lifted from LinkedIn's servers and shared around select Russian groups. Hashing might have provided some protection, though evidence suggested the criminals had managed to recover at least some of the passwords.

LinkedIn promised to add an additional layer of security to its database by 'salting' the passwords as well as hashing them. While hashing can be a layer of protection, the fact that it is only one layer weakens it: determined criminals can still sometimes break the hashing, expose the password, and make use of it.
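As an added illustration of why salting matters (example code, not from the article or from LinkedIn), the following Python compares a fast unsalted hash store with a salted, slow one. SHA-1 as the unsalted hash, PBKDF2-HMAC-SHA256 as the hardened scheme, and the user names and passwords are all assumptions constructed for the example; the article does not name the algorithm LinkedIn used.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a short list of common passwords that an attacker
# could hash ahead of time, and three users, two of whom share a password.
COMMON_PASSWORDS = ["password", "linkedin", "123456"]
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}
ITERATIONS = 100_000


def hash_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-1 digest (assumed for illustration)."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Hardened scheme: random per-user salt plus a slow key derivation.
    Returns (salt, digest) so both can be stored next to the user record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def lookup_table_hits(stored: List[str], table: Dict[str, str]) -> int:
    """Count stored digests that appear in a precomputed digest->password table."""
    return sum(1 for d in stored if d in table)


def demo() -> dict:
    # The precomputed table only needs building once for an unsalted store.
    table = {hash_unsalted(p): p for p in COMMON_PASSWORDS}
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],  # same digest
        "salted_collide": salted["alice"][1] == salted["bob"][1],  # differ
        "unsalted_hits": lookup_table_hits(list(unsalted.values()), table),
        "salted_hits": lookup_table_hits([d for _, d in salted.values()], table),
        "verify_ok": verify_salted("linkedin", *salted["alice"]),
        "verify_bad": verify_salted("wrong", *salted["alice"]),
    }
```

With the unsalted store, one precomputed table exposes every user who picked a listed password; with a per-user salt, the same table matches nothing and each guess must be re-derived per user at the slow KDF's cost.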

There is no real surprise to see that the lawsuit has been filed. After all, it is a common occurrence after an incident such as this. What is much less frequent, however, is when these lawsuits succeed on a major scale. The lawsuit sought $5,000,000 in damages, which seems to be about par for the course when it comes to post-hacking lawsuits.

Source: Reuters


I agree with the minimum bar of security being a govt demanded law, but the minimum bar has to be set quite high in order for it to be an effective deterrent to would-be hackers, otherwise it won't be worth a damn..... even if you choose to use 3rd party data centers offshore, all data must meet a minimum standard of encryption before being sent for storage

if you don't meet the minimum then you're not allowed to store sensitive data like CC numbers and personal info and passwords. it's as easy as that, but oh wait, we're talking about the US where the govt is owned by big corp so it'll probably never happen

So, why should she get financial gain????? You could probably change your password before they ever figured out anything.

briangw said,
So, why should she get financial gain????? You could probably change your password before they ever figured out anything.

Until the hackers announce it on pastebin or whatever, chances are most of these sites either don't know they've even been hacked, or tend to sweep it under the carpet. If it's either of them, and the reason behind it was due to bad security on the site's behalf, how are you supposed to change your password in time?

For all we know, hackers could have had access to their servers for months before anything was found out, but by that point they could have gained a lot of information that can be used to attack people personally, or higher up at a corporate level.

Imagine for a moment a hacker who has full details of Neowin's network admin; based on his job title and information used on LinkedIn it wouldn't be hard to track him down (if he's even using LinkedIn of course, but let's say he does).
So, monitoring who he talks to, the hacker sees he's going on an out-of-town trip, then logs into the Neowin account, sends off a few messages to other people he knows have control over the site, and makes some excuse such as needing to reset his password as his laptop just broke/got a trojan, daughter spilt milk etc. (we know his daughter's name and age from his linked Facebook account).
Social hacking is very often more powerful than any other hacking. People have implied trust, and will authenticate based on known past emails without checking, even more so if the social hack is performed on someone who is normally friendly.

For financial gain, or financial compensation? Or simply sticking it to LinkedIn for being yet another high profile site who don't have any concerns for the welfare of its users' (or its own) personal data.

I'm so supporting this case.
Companies need to finally feel a need to use better customer password measurements.
If the risk of faith and money doesn't do it for them, they should at least face consequences for acting recklessly.

GS:ios

I know the US hates regulation but wouldn't it be nice to have some sort of minimum bar to meet for password security enforceable. Or at least some standard that companies can opt into meeting to get accreditation/badge so you can avoid sites that don't go the extra mile.

chAos972 said,
I know the US hates regulation but wouldn't it be nice to have some sort of minimum bar to meet for password security enforceable. Or at least some standard that companies can opt into meeting to get accreditation/badge so you can avoid sites that don't go the extra mile.

there is something called PCI-DSS https://www.pcisecuritystandards.org/ and read the other stuff they have on that site....

a lot of companies don't know about it and they sure don't pick webhosts that have it... I'm partnered with one of the most secure hosting companies, inetU, that is very secure. they only host business websites and don't host targets for DDoS attacks like game servers, political sites, etc...

buncha companies go with a cheap amazon ec2 instance or shared hosting and think just having that ssl cert is enough and it's not... and in shared hosting you have no idea who your neighbors are and they might have scripts that can get into other domains on that server.

chAos972 said,
I know the US hates regulation but wouldn't it be nice to have some sort of minimum bar to meet for password security enforceable. Or at least some standard that companies can opt into meeting to get accreditation/badge so you can avoid sites that don't go the extra mile.

The UK and EU already have laws that are supposed to provide protection like that. The UK has the Data Protection Act, and the EU has the Data Protection Directive. Both are there to protect your personal data so that no one other than yourself and whoever you've authorised access to can view or edit it. They do go as far as ensuring data is kept secure.

The problem is, many sites, including the UK's National Health Service, are using 3rd party hosts who store the data overseas where the law of the land does not apply to them. As such your own laws, be it from the US or UK, or any EU country, do not apply in many cases.

The problem with minimum bar standards is a lot of companies won't see it as a standard to actually be secure; they'll just scrape the bottom of the barrel and pick the easiest and maybe not the most secure they could be, just to pass as a minimum and get the accreditation/badge - and that'll just lull people into a false sense of security.

Companies need to want to and strive to provide better security for themselves and their customers.

Yes it's terrible that all this information was leaked, but suing the company isn't going to solve anything. It's just going to fuel the fire for the hackers knowing that their dirty work will result in a class-action every time.

Astra.Xtreme said,
Yes it's terrible that all this information was leaked, but suing the company isn't going to solve anything. It's just going to fuel the fire for the hackers knowing that their dirty work will result in a class-action every time.

they should have kept more secure..... this is like sony all over again...

Astra.Xtreme said,
Yes it's terrible that all this information was leaked, but suing the company isn't going to solve anything. It's just going to fuel the fire for the hackers knowing that their dirty work will result in a class-action every time.

It might not solve the problem caused by the company being hacked, i.e. people having their personal information compromised; nothing is going to undo that.
However, if companies think they will be sued if they don't provide their user base with proper security, then they might double check their standards before just shrugging their shoulders and saying that's good enough.

Far too many companies are treating basic security as if it's a joke, as if they're above the hackers. "It'll never happen to me" syndrome, or do they just think they've got too big for their boots? Who knows; whatever their security problems, be it what I just said or lack of skilled security experts, they need a bloody good shake and to realise security matters. It matters more than having a flash looking website, it matters more than saving $1000s at the end of the year by not employing someone, if need be, to audit your basic security practices. There are plenty of white-hat hacker groups who do it professionally.

There are some hacks that you can't prevent; most 0day hacks are just a race of time for who gets there first. Even more so, a lot of the 'real' hackers are the ones who first find the exploits anyway, so they might not even be known yet.
While you can prevent further damage once the hacks do get in, it seems a lot of companies don't even bother.

"we've got the dell sonicfirewall. we'll be ok, hackers can't get in, derp derp"

remixedcat said,
they should have kept more secure..... this is like sony all over again...

oh please..

you can't just make things more secure with a click of a button.
you do know the time and knowledge of security sites and all this.

.air said,
oh please..

you can't just make things more secure with a click of a button.
you do know the time and knowledge of security sites and all this.

no they could have, there were obvious flaws like plain text credit card info instead of encr. in the obvious places. they prolly weren't very pci-cert. lots of things.

sagum said,
There are some hacks that you can't prevent; most 0day hacks are just a race of time for who gets there first. Even more so, a lot of the 'real' hackers are the ones who first find the exploits anyway, so they might not even be known yet.
While you can prevent further damage once the hacks do get in, it seems a lot of companies don't even bother.

"we've got the dell sonicfirewall. we'll be ok, hackers can't get in, derp derp"

Isn't that the point of having network security personnel? White-hat hackers? To test your network, try to hack it and make sure it's secure?

I would say it's 100% the company's fault if they failed to take the proper measures in order to secure their database. There's never a 100% guarantee that you'll be successful, since one hacker might think of something another didn't, but at least you can go to court with the evidence that you took every measure possible to prevent it. CYA when you have an externally accessible network. It's not that expensive; the network security employees might cost you, but salting and encrypting cost very little.