Katie Szpyrka, a LinkedIn user since 2010, claimed that the company “failed to properly safeguard its users’ digitally stored personally identifiable information including email addresses, passwords, and login credentials.”
Earlier this month, it was reported that a hacker bragged in a Russian forum that he acquired millions of LinkedIn passwords. Though LinkedIn did not verify the breach at first, they urged users to change their passwords as a precautionary measure.
A representative from LinkedIn stated that there is no basis for any lawsuits against the company since the breach did not affect any member accounts nor did it result to any damages to the users.
“No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured,” said Erin O’Harra, a public relations associate with LinkedIn. “Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior.”
Szpyrka, who pays $26.95 per month for a premium LinkedIn account, stated in her filing that LinkedIn used a weak encryption format that left open millions of passwords ready for the picking. She also noted that the company failed to “salt” – add dimensions to their hash to make it difficult to uncover protected data, their hash which resulted in their weakened security.
The suit also pointed out that the hacker/s used SQL injection attacks, which used Web sites to gain access to databases, meaning LinkedIn did not comply with the National Institute of Standards and Technology checklists as common guidance for avoiding SQL injection attacks.
Another thing mentioned in the lawsuit was LinkedIn’s failure to publicize the incident, and it wasn’t until third parties reported the breach that they admitted to it.
The class action lawsuit is claiming $5 million in damages for the password breach.