
LinkedIn Sued $5M Over Password Leak

Reuters reports that an Illinois woman has filed a $5 million class-action lawsuit against LinkedIn in U.S. District Court for the Northern District of California. The suit alleges that LinkedIn violated promises to its users by not having better means to secure private data, thus allowing a hacker to gather more than six million passwords and post them online.

The lawsuit, filed by Chicago-based law firm Edelson McGuire on behalf of LinkedIn user Katie Szpyrka, said the professional social network had "deceived customers" by having a security policy "in clear contradiction of accepted industry standards for database security." Naturally LinkedIn disagrees, stating that the lawsuit was without merit and driven "by lawyers looking to take advantage of the situation."

"No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured," LinkedIn spokeswoman Erin O'Harra said on Wednesday.

Weeks ago, LinkedIn said that it was working with the FBI to determine who stole 6.4 million hashed passwords from its database and posted them in a list on a hacker site. The company said it was still in the early stages of the investigation and did not know if any accounts had been taken over by hackers as a result of the security violations. Most of the passwords on the list remained hashed and hard to crack, but a small subset of the hashed passwords was cracked and published.

"To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event," reported LinkedIn's Vicente Silveira at the time.

Legal experts claim that it will be difficult to win the LinkedIn lawsuit because the plaintiffs (additional lawsuits may be filed in the next few weeks) will need to prove they were actually harmed by the hack. Harm will be even more difficult to prove if it turns out that the LinkedIn breach was limited to customer passwords and did not include the corresponding email addresses.

"In consumer security class actions, the demonstration of harm is very challenging," said Ira Rothken, a San Francisco-based lawyer at the Rothken Law Firm. The firm handles similar cases for other plaintiffs.

Both eHarmony and Last.fm also reported that their sites were hacked and passwords stolen right after the LinkedIn passwords went live. So far there have been no lawsuits filed against the two sites.