A security breach that opened more than 6 million passwords to online viewing and spawned a putative class action will cost LinkedIn Corp. $1.25 million to settle.
The preliminary agreement was reached August 15 in In Re: LinkedIn User Privacy Litigation, a consolidated action through which plaintiffs alleged the professional networking site misrepresented the strength of its security protections.
The suit stems from a 2012 security breach that let hackers post 6.5 million passwords online. Three days after the hack was discovered, LinkedIn said in a statement it had switched its password encryption method to a more advanced one.
In fact, the complaint alleged, the company’s security at the time of the breach was substantially below the industry standard. LinkedIn denies any wrongdoing or liability.
According to the proposed agreement, the $1.25 million settlement fund will be used to pay about $400,000 in attorneys’ fees and expenses, along with no more than $180,000 in settlement administration costs. Much of the rest will be available, at $50 per claim, for those with premium LinkedIn subscriptions at the time of the hack, the settlement documents show.
LinkedIn also agreed to employ stronger security protections for passwords for five years, and the company said it would use salting and hashing, which combine random strings with cryptographic algorithms, to make passwords far more difficult to crack.
Plaintiffs’ counsel include attorneys from Edelson PC; Kaplan Fox & Kilsheimer LLP; Parisi & Havens LLP; and Siprut PC. Cooley LLP represents LinkedIn.
Lisa Hoffman contributes to law.com.