
Yahoo Sued For Password Breach


One of 450,000 angry customers decides to take action

Yahoo is being sued by one of its users, who has claimed the US Internet company was guilty of negligence when 450,000 passwords of the members of the Yahoo Voices blogging community were posted online.

Jeff Allan from New Hampshire has turned to a federal court in San Jose, California, after his eBay account, which used the same password as his Voices account, was compromised.

The dangers of plain text

On 11 July, the hacker group D33DS stole an unencrypted file containing login credentials from Yahoo servers and published them on its website. Besides Yahoo email address details, the list also included addresses for Gmail, Hotmail, AOL and other services.

Following the hack, the company was widely criticised for ignoring security basics by storing the login credentials unencrypted. Yahoo later claimed that the leaked file was old, and only around five percent of the information it contained was still valid.

The hackers called their attack a “wake up call” to expose lax security at the biggest US web portal. According to D33DS, the information was extracted through a simple SQL injection technique. The hackers did not post the subdomain and vulnerable parameters “to avoid further damage.”

By 13 July, Yahoo said it had fixed the vulnerability, deployed additional security measures for affected users, enhanced its underlying security controls and started to notify affected users.

That wasn’t enough for Allan, who, according to Bloomberg, was first alerted to the hack when eBay contacted him about suspicious activity on his account, which used the same login credentials as those exposed by the D33DS hackers.

He decided to sue the company for failing to adequately safeguard his personal information, and is seeking an order requiring Yahoo to compensate him and other users.

The attack was especially worrying for certain users since Voices, a website that features articles, videos and slideshows on topics from home improvement to business advice, pays authors for their content, meaning financial information could have been put in jeopardy.

In June, a class action lawsuit was launched against a victim of a similar hack, LinkedIn, after over six million of the social network’s user passwords were stolen and posted online. In contrast with Yahoo, LinkedIn actually hashed its passwords (thanks to Liam for pointing this out), but did not “salt” the hashes, which would have made them harder to crack.


  1. Guys – you are a tech site, so you should know the difference between “encrypted” and “hashed.” LinkedIn *hashed* its passwords.

    1. Hi Liam,

      We see what you mean and we’ve changed! Encryption is of course a two-way function (with keys), whereas hashing is one-way (no key). The similarity lies in taking the plain text and morphing it into something else using an algorithm. Both are cryptographic functions. Just to clear things up for anyone looking here!

      Best

      Tom Brewster
      Deputy editor
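The article and the comment thread contrast three ways of storing credentials: in the clear (the leaked Yahoo Voices file), hashed without a salt (LinkedIn), and hashed with a per-user salt. The following is an added illustration, not code from Yahoo, LinkedIn or this site; the account names and passwords are constructed, and it shows why an unsalted hash still leaks which users share a password while a salted, iterated hash does not.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

def store_plaintext(password: str) -> str:
    """What an unencrypted credential file amounts to: the password itself."""
    return password

def store_unsalted_sha1(password: str) -> str:
    """Unsalted hash: one-way, but identical passwords give identical digests
    for every user, so a leaked file can be attacked with precomputed tables."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        iterations: int = 200_000) -> str:
    """Salted, iterated hash: a random per-user salt makes equal passwords
    hash differently; the iteration count makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def shared_values(stored: list) -> int:
    """Number of distinct stored values that appear more than once: each one
    tells whoever holds the file that those accounts share a password."""
    return sum(1 for n in Counter(stored).values() if n > 1)

# Constructed sample accounts, not data from either breach.
SAMPLE = [("alice", "123456"), ("bob", "123456"), ("carol", "letmein")]

def compare_schemes() -> dict:
    """How many shared passwords each storage scheme exposes in SAMPLE."""
    return {
        "plaintext": shared_values([store_plaintext(p) for _, p in SAMPLE]),
        "unsalted_sha1": shared_values([store_unsalted_sha1(p) for _, p in SAMPLE]),
        "salted_pbkdf2": shared_values([store_salted_pbkdf2(p) for _, p in SAMPLE]),
    }

if __name__ == "__main__":
    print(compare_schemes())
```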