LinkedIn hits back at US data breach lawsuit claims
Data breach victim dismisses suit as "lawyer-driven" and "without merit".

LinkedIn has dismissed a lawsuit, filed by a disgruntled user in the wake of its recent data breach, that accuses the firm of failing to keep information about its members safe.
Earlier this month it emerged that the passwords of nearly 6.5 million of the social networking site's users were posted in a Russian web forum.
On Monday, one of the site's members, Katie Szpyrka, filed a $5 million class action complaint against the site with the United States District Court in the Northern District of California.
It claimed LinkedIn had failed to safeguard users' "digitally stored personally identifiable information (PII)" and violated its own user agreement and privacy policy by not using "industry standard protocols and technology".
"LinkedIn promises its users that '[a]ll information that [they] provide [to LinkedIn] will be protected with industry standards protocols and technology,'" the document states.
"In direct contradiction to this promise, LinkedIn failed to comply with basic industry standards by maintaining millions of users' PII in its servers' databases in a weak encryption format and without implementing other crucial security measures."
The "weak encryption format" the lawsuit refers to is LinkedIn's decision to store user passwords in a hashed unsalted SHA1 format.
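
The difference between the unsalted SHA-1 storage described in the complaint and a salted, deliberately slow password hash, as an added example (not code from LinkedIn or the lawsuit). PBKDF2-HMAC-SHA256, the iteration count, the record format and the sample accounts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not a value from the article


def unsalted_sha1(password):
    """Format named in the complaint: plain SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, slow alternative: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), key.hex())


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(key, expected)


def shared_hash_groups(table):
    """Return groups of users whose stored hashes are identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; two users chose the same password.
    accounts = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}
    weak = {u: unsalted_sha1(p) for u, p in accounts.items()}
    strong = {u: hash_password(p) for u, p in accounts.items()}
    print("unsalted SHA-1, users sharing a hash:", shared_hash_groups(weak))
    print("salted PBKDF2, users sharing a hash: ", shared_hash_groups(strong))
    print("alice verifies:", verify_password("linkedin2012", strong["alice"]))
```

Without a salt, every account with the same password stores the same value, so one recovered hash exposes all of them; with a per-user salt and a slow derivation, each record has to be attacked separately.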
The lawsuit also claims the site was breached using an SQL injection attack, which is described as "a common hacking method" that should be relatively easy to evade.
"Had LinkedIn used proper encryption methods, and a hacker were able to penetrate LinkedIn's network, he would be limited in his ability to inflict harm," it added.
"If LinkedIn used appropriate encryption methods yet failed to secure its database the stolen PII would be useless, as it would be indecipherable."
In a statement to IT Pro, a LinkedIn representative said Szpyrka's case was "without merit" and driven by lawyers looking to capitalise on the site's recent misfortunes.
"No member account has been breached as a result of the [password leak] incident, and we have no reason to believe that any LinkedIn member has been injured," the statement said.
"Therefore, it appears these threats are driven by lawyers looking to take advantage of the situation and we will defend the company vigorously against suits trying to leverage third-party criminal behaviour."