
Yahoo Sued For Password Breach

One of 450,000 angry customers decides to take action

By Max Smolaks

Yahoo is being sued by one of its users, who has claimed the US Internet company was guilty of negligence when 450,000 passwords of the members of the Yahoo Voices blogging community were posted online.

Jeff Allan from New Hampshire has turned to a federal court in San Jose, California, after his eBay account, which used the same password as his Voices account, was compromised.

The dangers of plain text

On 11 July, the hacker group D33DS stole an unencrypted file containing login credentials from Yahoo servers and published them on its website. Besides Yahoo email address details, the list also included addresses for Gmail, Hotmail, AOL and other services.

Following the hack, the company was widely criticised for ignoring security basics by storing the login credentials unencrypted. Yahoo later claimed that the leaked file was old, and only around five percent of the information it contained was still valid.

The hackers called their attack a “wake up call” to expose lax security at the biggest US web portal. According to D33DS, the information was extracted through a simple SQL injection technique. The hackers did not post the subdomain and vulnerable parameters “to avoid further damage.”

By 13 July, Yahoo said it had fixed the vulnerability, deployed additional security measures for affected users, enhanced its underlying security controls and started to notify affected users.

That wasn’t enough for Allan, who, according to Bloomberg, was first alerted to the hack when eBay contacted him about suspicious activity on his account, which used the same login credentials as those exposed by the D33DS hackers.

He decided to sue the company for failing to adequately safeguard his personal information, and is seeking an order requiring Yahoo to compensate him and other users.

The attack was especially worrying for certain users since Voices, a website that features articles, videos and slideshows on topics from home improvement to business advice, pays authors for their content, meaning financial information could have been put in jeopardy.

In June, a class action lawsuit was launched against a victim of a similar hack, LinkedIn, after over six million of the social network’s user passwords were stolen and posted online. In contrast with Yahoo, LinkedIn actually hashed its passwords (thanks to Liam for pointing this out), but did not “salt” the hashes to make them harder to crack.


Author: Max Smolaks, Reporter

4 replies to Yahoo Sued For Password Breach

  • On August 3, 2012 at 6:22 am by Liam

    Guys – you are a tech site, so you should know the difference between “encrypted” and “hashed.” LinkedIn *hashed* its passwords.

    • On August 3, 2012 at 9:46 am by my1login

      Good catch Liam!

    • On August 3, 2012 at 10:28 am by Tom Brewster

      Hi Liam,

      We see what you mean and we’ve changed! Encryption is of course a two-way function (with keys), whereas hashing is one-way (no key). The similarity lies in taking the plain text and morphing it into something else using an algorithm. Both are cryptographic functions. Just to clear things up for anyone looking here!

      Best

      Tom Brewster
      Deputy editor
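The three storage choices discussed on this page (the plain-text file that leaked from Yahoo Voices, LinkedIn's unsalted hashes, and salted one-way hashing as Tom Brewster's reply distinguishes it from keyed encryption) side by side, as an added Python example that is not code from the original article, its comments, Yahoo or LinkedIn. The five-entry password list and the records are constructed for illustration, and PBKDF2-HMAC-SHA256 from the standard library stands in as one reasonable salted scheme, not the one either company used.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for a precomputed password list; real ones hold millions.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "welcome1", "letmein"]


def store_plaintext(password: str) -> str:
    """Storage as in the leaked Yahoo Voices file: the credential itself."""
    return password


def store_unsalted_sha1(password: str) -> str:
    """LinkedIn-style storage: a one-way hash, but with no per-user salt.
    Every user with the same password gets the same digest, so a single
    precomputed table applies to every record in the file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """digest -> password for an unsalted hash; computed once, reused for any file."""
    return {store_unsalted_sha1(p): p for p in wordlist}


def lookup_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a password from an unsalted digest by table lookup, if it is listed."""
    return table.get(stored_digest)


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = 100_000) -> str:
    """Salted, iterated, one-way storage: PBKDF2-HMAC-SHA256 with a random
    16-byte salt per record. The salt is stored beside the digest in the clear;
    it is not a key and needs no secrecy, it only makes each record unique so
    a precomputed table cannot be reused across users or files."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time; hashing is
    one-way, so this is the only way to check a password against the record."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(password: str) -> dict:
    """Store one password for two users under each scheme and report what
    someone holding the file learns: whether the two records collide and
    whether the precomputed table recovers the password."""
    table = build_lookup_table(COMMON_PASSWORDS)
    plain = [store_plaintext(password), store_plaintext(password)]
    unsalted = [store_unsalted_sha1(password), store_unsalted_sha1(password)]
    salted = [store_salted(password), store_salted(password)]
    return {
        "plaintext_exposed": plain[0] == password,
        "unsalted_records_collide": unsalted[0] == unsalted[1],
        "unsalted_recovered": lookup_unsalted(unsalted[0], table),
        "salted_records_collide": salted[0] == salted[1],
        # The table is keyed on unsalted digests; the salted digest never matches.
        "salted_recovered": lookup_unsalted(salted[0].split("$")[-1], table),
        "salted_verifies": verify_salted(password, salted[0]),
    }


if __name__ == "__main__":
    for key, value in compare_schemes("letmein").items():
        print(f"{key}: {value}")
```

Running the module prints the comparison for a constructed password: the unsalted records collide and are recovered from the table, the salted records differ from each other and are not, yet the correct password still verifies. Salting does not hide the password from a guess made against one specific record; it removes the one-table-fits-all shortcut, and the iteration count makes each per-record guess cost more.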

  • On August 27, 2012 at 10:31 am by Ace
