
Password breach lawsuit vs LinkedIn dismissed

By:  Nestor E. Arellano  On: 06 Mar 2013 For: Computing Canada Creator
 

Complainants failed to demonstrate that LinkedIn’s premium membership included a promise of a greater level of security, according to judge

LinkedIn won the dismissal of a lawsuit filed by users of its premium service whose log-in passwords were compromised in a security breach of the professional social networking service’s servers in 2012.

On Tuesday, the United States District Court of the Northern District of California granted the company’s motion to dismiss the complaint filed by users alleging that LinkedIn violated its own user agreement and privacy policy by failing to use standard protocols and technology to safeguard the personally identifiable information of customers. In its decision, the court said LinkedIn’s user agreement and privacy policy are the same for free accounts as they are for premium accounts.
 

 

“Any alleged promises LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members,” the judge said. “Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capability to facilitate enhanced usage of LinkedIn services.”

The complaints did not sufficiently demonstrate that LinkedIn’s premium membership included a promise of “a particular (or greater) level of security” that was not available to users who signed on for free membership, said the judge.

Some 6.5 million password hashes attached to LinkedIn accounts were exposed on an underground forum in a data breach that was discovered in June 2012. Hackers were later reported to have cracked about 60 per cent of the exposed password hashes.

Illinois resident Katie Szpyrka, a paid LinkedIn account owner, filed a complaint against the company later that month. An amended complaint was filed in November that year on behalf of Szpyrka and Khalilah Wright, a premium account user from Virginia, as class representatives for all LinkedIn users affected by the breach.

LinkedIn failed to protect user data because it stored passwords using a weak cryptographic hash function, according to the complainants.

The complaint said LinkedIn used SHA-1, an outdated hashing function first published by the National Security Agency in 1995. The company also stored users’ passwords in hashed format without “salting” the passwords as is done in conventional data protection methods.
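
The contrast the complaint draws between unsalted SHA-1 and salted storage, shown as an added example (not from the article, the complaint or LinkedIn's code). The usernames, passwords, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for illustration:

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed work factor for this example; tune to your own hardware budget.
PBKDF2_ITERATIONS = 600_000

# Constructed sample accounts (not real data): two users share a password.
SAMPLE_USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "correct horse"}

def unsalted_sha1(password: str) -> str:
    """The scheme the complaint describes: one bare SHA-1 pass, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated alternative: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def shared_hash_groups(stored: Dict[str, object]) -> List[List[str]]:
    """Users whose stored values are identical, i.e. what a leaked table reveals."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted SHA-1, shared hashes:", shared_hash_groups(weak))
    print("salted PBKDF2, shared hashes:", shared_hash_groups(strong))
```

Without a salt, identical passwords produce identical stored values, so one recovered password exposes every account that shares it; with a per-user salt and an iterated function, each record has to be attacked separately and at a much higher cost per guess.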

