LinkedIn password hack sueball kicked to the kerb by judge

A class-action lawsuit launched against LinkedIn after hackers leaked the website's user passwords has been dismissed before reaching trial. Northern California US District Judge Edward Davila ruled that two premium-account holders had been unable to demonstrate they suffered any actual harm as a result of the 2012 hack, which …

COMMENTS

This topic is closed for new posts.
  1. andy 103
    SSL encryption

    People seem to misunderstand what level of security SSL encryption offers. You can make a web form that collects user data and have this sitting behind SSL. Let's say one of the fields on the form is your password. The SSL cert will help protect that as it's posted from the form to the server. However, what happens to it once it reaches the server (e.g. in terms of storing it to a database) is a completely different matter. Just because the site uses SSL does not mean anything in relation to the encryption used when storing/processing that data beyond the initial post.

    Their privacy policy said "all information that you provide will be protected with industry-standard protocols and technology". To not use a salt is arguably poor practice, but I even reckon it's not considered industry standard to do this by some devs anyway, so it's not clear cut.

    As for "admitted that they had not read LinkedIn's privacy policy prior to the hack"...well that just tells you they were trying to make money from this retrospectively.

  2. Zog The Undeniable
    Unsalted hashes

    are easily broken en masse with a rainbow attack, unless you used a really strong password that the creator of the rainbow table didn't include, like "j67-*^%fg".

    This is a pretty epic fail, although I accept the judge's assertion that no harm can be proven in these specific cases (I'm assuming the users changed their passwords promptly so the stolen hashes can no longer be used).

    1. Richard Pennington 1

      Re: Unsalted hashes

      You can be pretty sure that "j67-*^%fg" will be included in the next edition of the table.

      1. Kevin Johnston

        Re: Unsalted hashes

        Thanks for that, it means that there is now another set of accounts I have to change the password on.
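
The storage question discussed in the thread above, as an added example that is not part of any comment or of LinkedIn's code: a defender's audit comparing an unsalted store with a per-user salted, slow-KDF store. The account names, the wordlist, the choice of SHA-1 for the unsalted case and the PBKDF2 parameters are assumptions, and a plain precomputed lookup table stands in for a rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample data: accounts, passwords and wordlist are made up.
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "j67-*^%fg"}
WORDLIST = ["password", "letmein", "123456"]

def unsalted_digest(password: str) -> str:
    # Fast unsalted hash (SHA-1 is an assumption of this example).
    return hashlib.sha1(password.encode()).hexdigest()

def build_table(wordlist):
    # Computed once, then valid against every account in an unsalted store.
    return {unsalted_digest(w): w for w in wordlist}

def exposed(store, table):
    # Audit: accounts whose stored digest appears in the precomputed table.
    return {user: table[d] for user, d in store.items() if d in table}

def new_record(password: str, iterations: int = 200_000):
    # Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk.hex()}

def verify(password: str, record) -> bool:
    # Recompute with the stored salt and compare in constant time.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])

UNSALTED_STORE = {u: unsalted_digest(p) for u, p in ACCOUNTS.items()}
SALTED_STORE = {u: new_record(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted, exposed:", exposed(UNSALTED_STORE, table))
    salted_digests = {u: r["hash"] for u, r in SALTED_STORE.items()}
    print("salted, exposed:", exposed(salted_digests, table))
    print("same password, same digest (unsalted):",
          UNSALTED_STORE["alice"] == UNSALTED_STORE["bob"])
    print("same password, same digest (salted):",
          SALTED_STORE["alice"]["hash"] == SALTED_STORE["bob"]["hash"])
```

With the salted store, two users who share a password no longer share a stored value, so a table built once cannot be reused across accounts.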
