
Yahoo user sues over password leak

Lawsuit claims Yahoo was negligent in not encrypting data and not securing database against an SQL injection attack.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
The Yahoo Contributor Network page

A New Hampshire man filed suit against Yahoo this week alleging that lax security measures allowed hackers to get into a Yahoo database and steal passwords from 450,000 accounts.

In his lawsuit seeking class-action status -- filed in federal court in San Jose, Calif., on Tuesday (PDF) -- Jeff Allan is asking the court to order Yahoo to compensate him and others for "resulting account fraud" and measures people had to take to protect against identity theft.

Not only was Allan's Yahoo password stolen, but someone had also accessed his eBay account without his permission after the Yahoo breach, because he had used the same log-in credentials there, according to the suit. He also said he bought a subscription to Experian credit monitoring services for $14.95 a month.

Allan's account on the Yahoo Contributor Network site contained personal information including his name; e-mail address; PayPal e-mail address; date of birth; residency/citizenship; physical address and telephone number; and even his Social Security number, among other information, he said.

A group of hackers known as "D33Ds Co." publicly posted more than 450,000 usernames and passwords obtained from Yahoo's Contributor Network site last month. They said they had used an SQL injection, in which attacker-supplied input is concatenated into a database query and executed as SQL, to make the database return data it should never have revealed, and that they carried out the attack to expose lax security at Yahoo. The passwords were stored in plain text rather than as one-way cryptographic hashes, so the stolen records were usable immediately. Yahoo was negligent in not taking measures to protect against such a common attack and in not using encryption to protect the data, the suit alleges.
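The two failures the paragraph describes can be shown side by side. The following is an added example written for this page, not code from Yahoo or from the article: a lookup that builds its SQL by string concatenation next to the parameterized version, and a users table stored first in plain text and then as salted PBKDF2 hashes. The account records and the injection payload are constructed for the example and have no connection to the leaked data; the only dependencies are Python's standard library and an in-memory SQLite database.

```python
"""Added example (not from the article or from Yahoo): a string-built
SQL query beside a parameterized one, and plain-text password storage
beside salted PBKDF2 hashing. Standard library only."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; the real leaked records are not reproduced here.
SAMPLE_USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "Tr0ub4dor&3")]
# Hypothetical injection payload: a tautology that makes the WHERE clause true for every row.
PAYLOAD = "x' OR '1'='1"


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing string."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db(hashed):
    """In-memory users table, storing either plain-text passwords or PBKDF2 hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)")
    rows = [(e, hash_password(p) if hashed else p) for e, p in SAMPLE_USERS]
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return conn


def lookup_vulnerable(conn, email):
    """The bug: user input is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a bound parameter is sent as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT email, password FROM users WHERE email = ?", (email,)
    ).fetchall()


def leak_plaintext():
    """Injection against the plain-text table: every password comes back usable."""
    return [pw for _, pw in lookup_vulnerable(make_db(hashed=False), PAYLOAD)]


def leak_hashed():
    """Same injection against the hashed table: the attacker gets only hashes."""
    return [pw for _, pw in lookup_vulnerable(make_db(hashed=True), PAYLOAD)]


def safe_lookup_with_payload():
    """Same payload through the parameterized query: no row has that literal e-mail."""
    return lookup_safe(make_db(hashed=False), PAYLOAD)


if __name__ == "__main__":
    print("vulnerable query, plain-text table:", leak_plaintext())
    print("vulnerable query, hashed table:", leak_hashed())
    print("parameterized query, same payload:", safe_lookup_with_payload())
```

Run against the hashed table, the same injection still dumps the column, which is why parameterized queries are the primary control; hashing is the second line of defence that turns a dumped column into something an attacker must crack per user (the random salt prevents one precomputed table from covering all accounts) rather than something that can be replayed directly against another site, as happened with the eBay account described above. PBKDF2 is used here because it ships in the standard library; bcrypt, scrypt and Argon2 are common alternatives with the same salted, slow design.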

"The SQL injection technique used against Yahoo has been known for over a decade and had already been used for massive data thefts against Heartland Payment Systems and others," the suit says. "As far back as 2003, the Federal Trade Commission considered SQL injection attacks to be well-known and foreseeable events that can and should be taken into account through routine security measures."

"Yahoo failed to secure the data server containing that information from SQL injection attacks, encrypt the personal information contained in the database, and monitor its networks to identify suspicious amounts of out-bound data," the suit claims. "In failing to employ these basic and well-known Internet measures, Yahoo departed from the reasonable standard of care and violated its duty to protect Plaintiff's and class members' personal information."

We've contacted Yahoo for comment and will update this post if and when we hear back.