Man Sues Internet Giant Yahoo! Over Security Breach


Posted

Man sues internet giant Yahoo! over security breach

2012-08-04 06:31:59 GMT+7 (ICT)

SAN JOSE, CALIFORNIA (BNO NEWS) -- A man whose e-mail address and password were posted online after hackers accessed Yahoo's server last month has sued the internet giant, claiming the company failed to adequately safeguard his and others' personal information, according to court documents.

Jarrod Allan, of New Hampshire, said he is one of approximately 453,000 users whose account information was posted online after hackers from a group calling themselves D33Ds infiltrated a Yahoo! database on July 11. Allan filed the class action complaint for negligence in San Jose, California on behalf of everyone similarly situated.

"Plaintiff Allan brings this class action lawsuit against Yahoo for failing to adequately safeguard his and others' personal information," the complaint says. "Mr. Allan seeks an order requiring Yahoo to remedy the harm caused by its negligent security, which may include compensating Plaintiff and class members for resulting account fraud and for all reasonably necessary measures Plaintiff and class members have had to take in order to identify and safeguard the accounts put at risk by Yahoo's negligent security."

According to the complaint, the credentials stolen from the Yahoo! server were originally from Associated Content, a website that allowed freelance authors to contribute text, images, and videos until it was acquired by Yahoo! in 2010. Existing Associated Content accounts were taken over by Yahoo!, which then saved this information unencrypted in its database.

Experts said the hackers used a technique known as an SQL injection attack, which works by injecting malicious commands into the stream of commands between a website application and the database feeding it. But this is a well-known technique, and Allan's lawsuit alleges that Yahoo's servers should not have been vulnerable to it.

"The SQL injection technique used against Yahoo has been known for over a decade and had already been used for massive data thefts against Heartland Payment Systems and others," the complaint says. "As far back as 2003, the Federal Trade Commission considered SQL injection attacks to be well-known and foreseeable events that can and should be taken into account through routine security measures."

Yahoo! also failed to encrypt the data using standard salting and hashing techniques, which would have made it extremely difficult for hackers to read the information when it was stolen. "Yahoo failed to secure its data server containing Plaintiff's and class members' information from SQL injection attacks, encrypt the critical login credentials contained in the database, and monitor its network activity to identify suspicious amounts of out-bound data," the complaint says.

In his own case, Allan said he received e-mails from two online services on July 14, informing him of the Yahoo! breach and that both services had identified him as a user with breached account information. He also received an e-mail from eBay on July 20, informing him that someone had accessed his account without permission.

"Concerned about unauthorized access to his online accounts, Mr. Allan purchased an Experian credit monitoring service for $14.95/month," the complaint says. It adds that Allan's Associated Content account included personal information such as his full name, e-mail address, PayPal e-mail address, date of birth, citizenship, physical address, telephone number, biography, interests, education and social security number.

In the class action complaint, Allan says he is seeking compensation in an amount to be determined at trial. He is also seeking to recover litigation expenses and attorneys' fees for himself and any other class members.

-- © BNO News All rights reserved 2012-08-04
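
The two failures the complaint names (queries open to SQL injection, credentials stored without salting and hashing) shown beside the routine measures it refers to. This is an added Python example, not part of the article and not Yahoo's code; the table names, sample accounts, test input and PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data and input; none of it comes from the article.
SAMPLE = [("alice@example.test", "correct horse"), ("bob@example.test", "hunter2")]
CLASSIC_INPUT = "x' OR '1'='1"  # textbook injection string used as the test case

def hash_password(password, salt):
    # Salted, deliberately slow hash; the iteration count is an assumed parameter.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_db():
    db = sqlite3.connect(":memory:")
    # 'Before' table: credentials kept in the clear, as the complaint alleges.
    db.execute("CREATE TABLE legacy_users (email TEXT, password TEXT)")
    # 'After' table: a per-user random salt and the derived hash only.
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, password in SAMPLE:
        salt = os.urandom(16)
        db.execute("INSERT INTO legacy_users VALUES (?, ?)", (email, password))
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (email, salt, hash_password(password, salt)))
    return db

def lookup_vulnerable(db, email):
    # 'Before': input is pasted into the SQL text, so it can rewrite the query.
    sql = "SELECT email, password FROM legacy_users WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    # 'After': the driver binds the input as a value; it is never parsed as SQL.
    return db.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()

def verify_password(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_vulnerable(db, CLASSIC_INPUT))
    print("parameterized:", lookup_parameterized(db, CLASSIC_INPUT))
    print("login ok     :", verify_password(db, "alice@example.test", "correct horse"))
```
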

Posted

Remind us again - how much did this donkey pay Yahoo to provide an email service for him?

Remind us again - how much did this donkey pay Yahoo to provide an email service for him?

Endure, totally agree. It depends what Yahoo have in their fine print; there is obviously a loophole or point of contention there for this guy to make a claim.

For those who don't know, Associated Content (now known as Yahoo! Voices) was acquired by Yahoo for about 100 million USD; the third link below shows rough details. It is indeed a free service which pays for submitted content. These peons that can get away with suits like this need locking up themselves (IMHO) and awarded all costs. Here are a couple of links explaining what the service was and now is, come to your own conclusions:

http://en.wikipedia.org/wiki/Associated_Content

http://contributor.yahoo.com/help/

http://techcrunch.com/2010/05/18/yahoo-associated-content/

Disclaimer; personally I think the free email (and associated) services always will be targets and there should be a bigger 'at risk' notification from these companies to the public. I know of people who have all their emails online with these free services, not even downloaded to their computers for backup/convenience purposes, and guaranteed they will be the first ones to cry wolf. Main reason they don't do this is because they don't know how! I pay as little as $25 a year for my personal email address from my domain; never had a sniff from the hackers.
