Yahoo user sues over password leak
Lawsuit claims Yahoo was negligent in not encrypting data and not securing database against an SQL injection attack.
A New Hampshire man filed suit against Yahoo this week alleging that lax security measures allowed hackers to get into a Yahoo database and steal passwords from 450,000 accounts.
In his lawsuit seeking class-action status -- filed in federal court in San Jose, Calif., on Tuesday (PDF) -- Jeff Allan is asking the court to order Yahoo to compensate him and others for "resulting account fraud" and measures people had to take to protect against identity theft.
Not only was Allan's Yahoo password stolen but someone also had accessed his eBay account without his permission after the Yahoo breach because he had used the same log-in credentials there, according to the suit. He also said he bought a subscription to Experian credit monitoring services for $14.95 a month.
Allan's account on the Yahoo Contributor Network site contained personal information including his name; e-mail address; PayPal e-mail address; date of birth; residency/citizenship; physical address and telephone number; and even his Social Security number, among other information, he said.
A group of hackers known as "D33Ds Co." publicly posted more than 450,000 usernames and passwords obtained from Yahoo's Contributor Network site last month. They said they had used an SQL injection to trick a database into revealing data and did the hack to expose lax security at Yahoo. The passwords were stored in plain text rather than as cryptographic hashes (a one-way transformation, called "hashing," from which the original password cannot be recovered). Yahoo was negligent in not taking measures to protect against such a common attack and in not using encryption to protect the data, the suit alleges.
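To make concrete the two safeguards the article says were missing, here is an added example (not Yahoo's code and not part of the original article) showing how a web application would store passwords as salted hashes and query the user table with parameterized SQL. It uses only the Python standard library (hashlib, hmac, sqlite3); the in-memory database, the "alice" account and the iteration count are constructed for illustration.

```python
"""Defensive counterpart to the two failures the suit describes:
parameterized SQL (against injection) and salted password hashing
(against plaintext storage). Added example, not Yahoo's code."""
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it as hardware gets faster).
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh random salt per user means two users with the same password get
    different stored values, and precomputed lookup tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. The plaintext password is never written to the database."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def open_store():
    """In-memory SQLite table standing in for a user database (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    return conn


def register(conn, username, password):
    # '?' placeholders hand values to the driver separately from the SQL text,
    # so user-supplied input can never change the structure of the query.
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        (username, hash_password(password)),
    )
    conn.commit()


def login(conn, username, password):
    """True only if the user exists and the password matches its stored hash."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


def stored_hash(conn, username):
    """What an attacker who dumped the table would see for this user."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_store()
    register(db, "alice", "correct horse battery staple")  # constructed sample account
    print("stored value:", stored_hash(db, "alice"))
    print("right password:", login(db, "alice", "correct horse battery staple"))
    print("wrong password:", login(db, "alice", "hunter2"))
    # A quote-laden username is treated as a literal string, not as SQL.
    print("injection-shaped username:", login(db, "' OR '1'='1", "anything"))
```

Two things to note: a dump of this table yields only salt and digest, so the plaintext reuse that let the plaintiff's eBay account be opened would not follow from the breach; and because the username is bound as a parameter, a value containing quotes is simply a username that does not exist rather than a change to the query.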
"Yahoo failed to secure the data server containing that information from SQL injection attacks, encrypt the personal information contained in the database, and monitor its networks to identify suspicious amounts of out-bound data," the suit claims. "In failing to employ these basic and well-known Internet measures, Yahoo departed from the reasonable standard of care and violated its duty to protect Plaintiff's and class members' personal information."
We've contacted Yahoo for comment and will update this post if and when we hear back.