After the leak of 6 million unsalted LinkedIn passwords, a new episode in the story. Katie SZPYRKA, residing in Illinois and a premium member of LinkedIn, sues LinkedIn for
… failing to properly safeguard its users’ digitally stored personally identifiable information (“PII”), including e-mail addresses, passwords, and login credentials;
She claims that LinkedIn fails to properly encrypt its users’ PII:
… LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format. The problem with this practice is two-fold. First, SHA1 is an outdated hashing function, first published by the National Security Agency in 1995. Secondly, storing users’ passwords in hashed format without first “salting” the passwords runs afoul of conventional data protection methods, and poses significant risks to the integrity of users’ sensitive data.
The second statement is true. I would be more cautious with the first one. There are known attacks on SHA1; that is why there is a new challenge to find a replacement for SHA1. Nevertheless, they are not easy and simple. Using SHA1 was not the problem. Using salted SHA1 for storing passwords is still a good practice for several years.
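To make the salting point concrete, here is an added example (not code from the post or the filing) that builds a small constructed user table both ways, with bare SHA-1 as the complaint describes and with SHA-1 over a per-user random salt, and shows why the unsalted form is the risky one: identical passwords give identical digests, and a table of digests precomputed once from a wordlist resolves every account that used one of those words. The user names, passwords and wordlist are constructed; current guidance would also use a deliberately slow password hash, but the salting point is the same.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which chose the same password.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "Tr0ub4dor&3",
}


def hash_unsalted(password: str) -> str:
    """The scheme the complaint describes: bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted SHA-1: a per-user random salt is mixed in before hashing."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_unsalted_table(users: dict) -> dict:
    """Record layout: name -> digest (nothing else to store)."""
    return {name: hash_unsalted(pw) for name, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    """Record layout: name -> (salt, digest); the salt is stored in the clear."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        table[name] = (salt, hash_salted(pw, salt))
    return table


def verify_salted(table: dict, name: str, password: str) -> bool:
    """Login check: re-hash with the stored salt and compare in constant time."""
    salt, digest = table[name]
    return hmac.compare_digest(hash_salted(password, salt), digest)


def _digests(table: dict) -> list:
    return [v if isinstance(v, str) else v[1] for v in table.values()]


def duplicate_digests(table: dict) -> int:
    """Number of records whose digest is shared with at least one other record."""
    digests = _digests(table)
    return sum(1 for d in digests if digests.count(d) > 1)


def precomputed_hits(table: dict, wordlist: list) -> int:
    """How many records a digest table precomputed once from a wordlist resolves.
    Unsalted: one precomputation covers every user. Salted: it covers none,
    because each record would need its own precomputation."""
    precomputed = {hash_unsalted(w) for w in wordlist}
    return sum(1 for d in _digests(table) if d in precomputed)
```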
She also complains that the attack used an SQL injection and that the site was not properly protected against this type of attack, despite the existence of a NIST checklist to prevent them.
An interesting statement:
… free account users buy products and services by paying LinkedIn in the form of contact information (first name, last name, and an email address)
That’s true. I would even add her/his network information, which allows the user to be profiled better.
The outcome of this action will be interesting. How many web sites would be under the same threat? The main problem is to decide whether it is pure negligence or a vulnerability, as there will always be vulnerabilities in web sites (or any products). Zero vulnerability will never exist. If each breach ended up in a class action, this would most probably be the end of the Internet.
The filing is available here.