LinkedIn to pay US $1.25m to settle password suit
Business social network LinkedIn has agreed to pay US$ 1.25 million (£810,000) to settle a class-action suit from 2012, which alleged that the company failed to adequately protect the passwords and information of its premium subscriber customers.
This specifically related to the company's failure to salt passwords before storing them (this, with hashing, makes it more difficult to uncover stored data); while the action also notes that an SQL injection attack was used against the LinkedIn website.
The settlement covers individuals and entities in the US who paid for premium subscriptions between March 15, 2006 and June 7, 2012.
Under the terms of the settlement, which were laid out by Judge Edward J Davilla of the US District Court for the Northern District of California, claimants are eligible to claim against the settlement fund, although the actual amount given will depend on the number of claims submitted. Furthermore, the settlement fund will first pay out fees for the claimant's lawyers. Any left-over money will be donated to three non-profit organisations; the Center for Democracy & Technology, the World Privacy Forum and the Carnegie Mellon CyLab Usable Privacy and Security Laboratory.
LinkedIn said in a statement that it agreed to the settlement in order to “avoid the distraction and expense of ongoing litigation." LinkedIn previously paid out around £750,000 on another claim regarding the same 2012 breach.