LinkedIn to pay US $1.25m to settle password suit

News by Doug Drinkwater

Business social network LinkedIn has agreed to pay US$1.25 million (£810,000) to settle a class-action suit from 2012, which alleged that the company failed to adequately protect the passwords and information of its premium subscriber customers.

The case dates back to June 2012 when the company reported Russian hackers had breached its network and stolen more than six million passwords, which works out at around five percent of its user base. An unnamed user subsequently launched legal action claiming LinkedIn violated its own user agreement and privacy policy.

The claim related specifically to the company's failure to salt passwords before storing them (salting, together with hashing, makes it more difficult to uncover stored data). The action also notes that an SQL injection attack was used against the LinkedIn website.

The settlement covers individuals and entities in the US who paid for premium subscriptions between March 15, 2006 and June 7, 2012.

Under the terms of the settlement, which were laid out by Judge Edward J Davila of the US District Court for the Northern District of California, claimants are eligible to claim against the settlement fund, although the actual amount given will depend on the number of claims submitted. Furthermore, the settlement fund will first pay out fees for the claimant's lawyers. Any left-over money will be donated to three non-profit organisations: the Center for Democracy & Technology, the World Privacy Forum and the Carnegie Mellon CyLab Usable Privacy and Security Laboratory.

LinkedIn said in a statement that it agreed to the settlement in order to “avoid the distraction and expense of ongoing litigation.” LinkedIn previously paid out around £750,000 on another claim regarding the same 2012 breach.
