June 21, 2012
LinkedIn Gets Slapped With Possible Class Action
Michael Harper for redOrbit.com
Turns out you can't have an immense security breach without some kind of consequences.
When millions of LinkedIn passwords were leaked earlier this month, one question appeared as a common refrain all over the Internet: “How did this happen?”
As the news unfolded, it was discovered that LinkedIn was using a less-than-secure method to encrypt their data, something called an unsalted SHA-1 format. Many experts have called this kind of encryption outdated, if not weak.
As you may expect, there's now a lawsuit being filed against LinkedIn for its poor handling of user data and passwords, as Courthouse News reporter Jonny Bonner reported.
LinkedIn confirmed the privacy breach on June 6th. All told, hackers were able to leak more than 6 million passwords in just a few days. Nearly 4% of their total users were affected by the leaks, and LinkedIn reset each of the affected accounts.
The suit goes on to say LinkedIn used a “weak encryption format” which “failed to comply with basic industry standards.” Using this format, says the suit, “runs afoul of conventional data protection methods.”
"Had LinkedIn used proper encryption methods, and a hacker were able to penetrate LinkedIn's network, he would be limited in his ability to inflict harm."
LinkedIn has since defended themselves in a statement, saying, "no member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured."
“Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior."
What made the LinkedIn leak so widespread, and particularly frightening, was its sheer scale. Not only were more than 6 million passwords leaked, they were also posted all over the internet, free to anyone who knew where to look.
There were even online tools – such as leakedin.org – which had been created to help users discover if their password had been leaked.
This fear was not assuaged when it was announced just how easy it was for hackers to crack these hashed passwords. According to Thomas H. Ptacek, a security researcher with Matasano Security, salting passwords, which lengthens the hashed text by adding a few extra random letters or numbers, isn't exactly an iron-clad solution.
Not only is storing unsalted passwords a relatively shaky way to protect your data, it's also very outdated. Ptacek told Krebs on Security, “The basic mechanism by which SHA-1 passwords are cracked … hasn't changed since the early 1990s.”
Simply salting the passwords wouldn't have been much help either, according to Ptacek, as this method has been used, and subsequently hacked, since the 70s. LinkedIn would have done well to use a password hash instead of a cryptographic hash, said Ptacek. A major difference between the two is the time it takes a website to compute and check these hashes. Though using a password hash may mean a longer wait to log in to our favorite websites, it also means cracking these passwords would be “murder” on hackers.
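To make the three schemes Ptacek contrasts concrete, here is an added example (not code from the article, LinkedIn or Matasano) that stores a constructed sample password three ways: bare unsalted SHA-1, salted SHA-1, and a deliberately slow password hash (PBKDF2-HMAC-SHA256 from Python's standard library, chosen here as the "password hash"; the iteration count and sample users are assumptions). It shows that with no salt two users who pick the same password get the same stored value, and it measures how much longer a single guess takes against the slow hash.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: two users who happen to choose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}
ITERATIONS = 100_000  # assumed PBKDF2 work factor; raise it as hardware gets faster

def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: one fast SHA-1 over the password, nothing else."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_sha1(password: str, salt: bytes) -> str:
    """Same fast hash, but with a per-user random salt mixed in first."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def slow_password_hash(password: str, salt: bytes) -> bytes:
    """A deliberately slow password hash (PBKDF2-HMAC-SHA256), not a bare cryptographic hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> dict:
    """What a site should store: the random salt and the slow hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_password_hash(password, salt)}

def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], slow_password_hash(candidate, record["salt"]))

def same_password_same_hash() -> tuple:
    """Do alice and bob end up with identical stored values? Returns (unsalted, salted)."""
    pw_a, pw_b = USERS["alice"], USERS["bob"]
    unsalted_equal = unsalted_sha1(pw_a) == unsalted_sha1(pw_b)
    salted_equal = salted_sha1(pw_a, os.urandom(16)) == salted_sha1(pw_b, os.urandom(16))
    return unsalted_equal, salted_equal

def slowdown_factor(password: str = "correct horse", trials: int = 5) -> float:
    """How many times longer one guess takes against the slow hash than against bare SHA-1."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(trials):
        unsalted_sha1(password)
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(trials):
        slow_password_hash(password, salt)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)

if __name__ == "__main__":
    rec = make_record(USERS["alice"])
    print("unsalted/salted collide:", same_password_same_hash())
    print("login ok:", verify(rec, "correct horse"), "wrong pw:", verify(rec, "wrong"))
    print("slowdown factor: %.0fx" % slowdown_factor())
```

The unsalted pair coming back identical is the weakness Ptacek describes: one precomputed table answers every user at once, while the salted and slow variants force the work to be redone per user and per guess.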
As for the suit, its plaintiff, Szpyrka, says she joined the professional-leaning social networking site in 2010 as a premium member, paying $25 a month to use the service. She did not specify, however, whether her information was compromised in the leaks.