SAN JOSE (CN) – Yahoo!’s lax security gave Eastern European hackers access to 450,000 users’ unencrypted accounts, a class action claims in Federal Court.
“Yahoo! Inc. is a leading Internet company that provides Internet based services to millions of users on a monthly basis and yet failed to deploy even the most rudimentary of protections for certain users’ personal information,” lead plaintiff Jeff Allan says in the complaint. “Consequently, a group of hackers, in the name of publicly humiliating Yahoo for its lax security measures, infiltrated a Yahoo database and publicly posted login credentials from over 450,000 accounts.
“Plaintiff Jeff Allan is one of the approximately 450,000 users whose information was posted online for the world to see and use. Within days of the breach, Mr. Allan received an alert of account fraud on his eBay account, which used the same login credentials as disclosed in the Yahoo breach. Mr. Allan does not know what other information the hackers and others have gathered about him.
“Plaintiff Allan brings this class action lawsuit against Yahoo for failing to adequately safeguard his and others’ personal information. Mr. Allan seeks an order requiring Yahoo to remedy the harm caused by its negligent security, which may include compensating plaintiff and class members for resulting account fraud and for all reasonably necessary measures plaintiff and class members have had to take in order to identify and safeguard the accounts put at risk by Yahoo’s negligent security.”
Yahoo bought Associated Content for $100 million in 2010, according to the complaint. Associated Content “published text, image, and video media contributed by freelance authors registered with the company. To contribute material before the Yahoo purchase, users had to establish an account with Associated Content, using an e-mail address as the login name and creating a password. Some or all of these login credentials were obtained by Yahoo when it acquired Associated Content.
“In November 2010, Yahoo launched the Yahoo! Contributor Network, calling it ‘an evolution of the Associated Content platform’ that would ‘bring contributions from more than 450,000 writers, photographers, and videographers to the Internet’s largest media destinations, including Yahoo! News, Yahoo! Finance, Yahoo! Sports, and even the Yahoo! Homepage, among many others.’ In December 2011, Yahoo also announced Yahoo! Voices, a new digital library for content published by the Yahoo! Contributor Network, including content acquired with Associated Content. Registered users of the Yahoo! Contributor Network can contribute content and, in some cases, earn money if Yahoo publishes their content.
“On July 11, 2012, a group of hackers reportedly based in Eastern Europe and known as ‘the D33Ds Company’ breached Yahoo’s security measures and extracted e-mail addresses and passwords that were stored unencrypted within a Yahoo database. D33Ds then posted these login credentials, which were associated with roughly 453,000 Associated Content users, online in a plaintext file, stating that they did so in order to provide a ‘wake-up call’ to Yahoo about its lack of proper security.
“The hackers used a technique known as a ‘SQL injection attack,’ which works by ‘injecting’ malicious commands into the stream of commands between a website application and the database software feeding it. If the database does not properly screen these inputs for signs of attack, the attackers can acquire information from the database that they would otherwise be barred from accessing. In essence, a SQL injection attack exploits the way in which a website communicates with back-end databases, allowing an attacker to issue commands (in the form of specially crafted SQL statements) to a database that contains information used by the website application, such as users’ login credentials.”
Allan claims that “reasonable information security measures” could have stopped the hackers: “Had Yahoo encrypted the data using standard salting and hashing techniques, the data stolen from Yahoo would have been prohibitively difficult to utilize, as each password would have to be cracked individually. For example, another Internet company (social Q&A website Formspring) whose data was recently stolen appears to have successfully protected its users’ personal information with such encryption.”
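The two safeguards the complaint points to, queries that bind user input as data rather than splicing it into SQL text, and salted, iterated password hashing, are illustrated in the added Python sketch below; it is not code from the complaint or from Yahoo’s systems, and the work factor, the in-memory SQLite table and the two sample accounts are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory table standing in for a contributor database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; assumed value for the sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the stored value cannot simply be read back as the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)  # fresh per user, so equal passwords yield different hashes
    # Parameterised statement: the e-mail and hash are bound as data, never spliced into the SQL.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, hash_password(password, salt)))
    conn.commit()


def verify_login(email: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))  # constant-time compare


def dump_table() -> list:
    """What a bulk read of the table yields: e-mails, salts and hashes, no plaintext."""
    return conn.execute("SELECT email, salt, pw_hash FROM users").fetchall()


def plaintext_exposed(password: str) -> bool:
    """True only if the raw password bytes appear somewhere in the stored rows."""
    return any(password.encode() in (salt + pw_hash) for _, salt, pw_hash in dump_table())


def stored_hashes_differ(email_a: str, email_b: str) -> bool:
    """Same password, different salts: each stolen entry must be cracked on its own."""
    rows = {e: h for e, _, h in dump_table() if e in (email_a, email_b)}
    return rows[email_a] != rows[email_b]


# Constructed sample accounts that deliberately share a password.
register("alice@example.com", "correct horse")
register("bob@example.com", "correct horse")
```

Reading the table back shows only salts and hashes, and the two accounts’ hashes differ despite the shared password, which is the property the complaint describes as making stolen data “prohibitively difficult to utilize.”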
He claims Yahoo! uses encryption to protect other data, but did not use it to protect its users’ login information. And, Allan says, this exposed users’ accounts on other sites to hackers, because people often use the same email and password combination for multiple sites.
Allan claims Yahoo!’s negligence also cost class members “the cost of taking measures to identify and safeguard accounts put at risk by disclosure of the personal information stolen from Yahoo, including by purchasing credit monitoring services.”
He seeks an injunction, costs and damages for negligence.
He is represented by Eric Gibbs with Gerard Gibbs of San Francisco.