LinkedIn has been issued with a class-action lawsuit after millions of users’ passwords were stolen and published online.
Specifically, it claims that LinkedIn stored passwords in "unsalted SHA1 hashed format".
"The problem with this practice is two-fold," it says. "First, SHA1 is an outdated hashing function, first published by the National Security Agency in 1995. Secondly, storing users’ passwords in hashed format without first ‘salting’ the password runs foul of conventional data protection methods, and poses significant risks to the integrity [of] users’ sensitive data".
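To make the two points in the suit concrete, here is an added Python example (not code from the article or from LinkedIn) contrasting unsalted SHA1 storage with per-user salted, iterated hashing; the user names, passwords and "common password" list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: two users who happened to choose the same weak password.
USERS = {"alice": "linkedin123", "bob": "linkedin123"}

# Constructed stand-in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "linkedin123"]


def unsalted_sha1(password: str) -> str:
    """The storage scheme the suit describes: a bare SHA1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored alongside the user record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def lookup_table_hits(stored_hashes: Dict[str, str]) -> Dict[str, str]:
    """Unsalted hashes can be matched against a table built once, in advance."""
    table = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def demo() -> Tuple[bool, bool, Dict[str, str]]:
    """Returns (identical unsalted hashes?, identical salted hashes?, table hits)."""
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_pbkdf2(p) for u, p in USERS.items()}
    same_unsalted = unsalted["alice"] == unsalted["bob"]
    same_salted = salted["alice"][1] == salted["bob"][1]
    return same_unsalted, same_salted, lookup_table_hits(unsalted)
```

With unsalted SHA1 both users expose the same value and both fall to the precomputed table; with a per-user salt the stored values differ, so each would have to be attacked separately, and the iteration count makes every guess cost far more than a single SHA1.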
It notes that the site has since adopted an "extra layer of protection" in its password security management, including salted passwords, but says "these actions were too little too late".
Over 6 million passwords stolen from the social network were published online last month. "Because LinkedIn used insufficient methods to secure user data, hackers were able to easily decipher a large number of passwords", the suit claims.
It refers to "preliminary reports" that indicate that hackers stole the passwords using SQL injection. "If true, LinkedIn’s failure to adequately protect its website … would demonstrate the company employed a troubling lack of security measures."
Interestingly, the suit claims that the affected LinkedIn users have lost both money and property "in the form of their personal data". It adds that a number of users had paid for a premium service on the grounds that LinkedIn would safeguard their data, and have therefore lost out "economically".
Affected users have also been exposed "to a heightened risk of identity theft, … distress related to their unsecured data, as well as distress related to the security of their own personal accounts being exposed and accessed without authorisation".
The suit calls for LinkedIn to pay members of the class action "an amount to be determined at trial". However, it puts the total figure at over $5 million.
LinkedIn has yet to comment on the lawsuit.
Since the LinkedIn breach emerged, passwords from online dating service eHarmony and music website LastFM have also been posted online.