The lawsuit charged LinkedIn with failing to meet its contractual obligations to protect users’ sensitive personally identifiable information (PII) with basic industry standard encryption methods.
The leak was of 6,458,020 unsalted SHA-1 password hashes that were posted on a document drop site.
A salt is a random string added to a password before it’s cryptographically hashed.
The salt isn’t a secret cryptographic key – indeed, it is typically stored along with the final password hash – but instead serves to ensure that if two users pick the same password, they don’t end up with the same hash.
Salting also ensures that hash-cracking lists can’t be pre-computed from a dictionary: you’d have to pre-compute a hash list for each possible salt combined with each possible dictionary word, an infeasible prospect.
The problem was twofold, said the suit.
First, SHA-1 was an outdated format, first published by the National Security Agency in 1995.
On top of that, storing users’ passwords in hashed format without first salting them “runs afoul of conventional data protection methods, and poses significant risks to the integrity [of] users’ sensitive data,” the suit stated.
Salting is just the bare minimum level of protection LinkedIn should have used, the suit claimed.
→ The problem with using a single iteration of SHA-1 is not so much that it is an old and outdated hashing algorithm, but that modern computer hardware can compute hashes from the SHA family, including SHA-1, extremely quickly. These days, reliable salting-and-hashing arrangements typically use use thousands or tens of thousands of repeated hashes. That means the algorithm is not annoyingly slow when validating a single password at login time, but is frustratingly slow during password cracking attempts.
By failing to use such practices, LinkedIn “drastically exacerbated the consequences of a hacker bypassing its outer layer of security,” the suit stated, and thereby violated its Privacy Policy’s promise to comply with industry-standard protocols and technology for data security.
Soon after the June 2012 hack, LinkedIn said that passwords would be stored in salted hashed format.
The suit was dismissed in March 2013, with the finding that the claimants hadn’t proved they suffered from the loss of PII, and that any damage was, at that point, hypothetical.
Well, that wasn’t the last of it. Rather, the case was amended, and then it was kicked over to private mediation in April 2014.
Now, what started as a $5 million lawsuit has been settled.
If you’re an individual or entity in the US that paid a fee for a premium LinkedIn subscription between 15 March 2006 and 7 June 2012, and if you can make a convincing argument for having been influenced by what LinkedIn said about its security in its User Agreement or Privacy Policy, then it’s time to start planning how to spend your settlement funds.
That will not take long.
If all affected premium LinkedIn users in the US – some 800,000 users – get around to filing a claim, the payout should be enough to buy approximately two large gumballs.
That’s partly because the original $5 million shrank in the mediation wash, down to $1.25 million.
Take out administration costs and lawyers’ fees, and those 800,000 people will be looking at a payout of about $1 apiece.
Assuredly, not all 800,000 American users will be able to make a convincing case that they were influenced by LinkedIn’s security claims.
The pool of claimants will be thinned further by the attrition of those who don’t bother to file a claim.
The best possible scenario: each claimant that qualifies can anticipate a maximum payout of $50.
That’s if, mind you, the court approves the settlement at all.
Image of gavel courtesy of Shutterstock