Yahoo sued over stolen usernames and passwords


Summary: According to reports, Yahoo Inc. is being sued for negligence after hundreds of thousands of usernames and passwords were stolen from one of its websites.

TOPICS: Security

According to Bloomberg, the Internet giant Yahoo is being sued for negligence after it disclosed that approximately 450,000 usernames and passwords were stolen from one of its websites.


Recently taken over by new CEO Marissa Mayer, the web portal operator is being taken to court by a user of its services. A complaint was filed at the end of last month in federal court in San Jose, California, which stated that the user's login information was posted online -- naturally, without his consent.

The information apparently appeared online after a hacker broke into one of the company's databases on July 11.

The Yahoo user, Jeff Allan, has stated in his complaint that Yahoo is culpable as it failed to adequately protect his information. He was alerted to the situation after receiving a fraud alert from his eBay account, which used the same security information. Due to this, Allan is seeking compensation for himself and other users.

The company admitted the breach on July 12, in which plain-text login credentials were pilfered by a hacking group -- later reported as D33Ds Company -- which took responsibility for the attack.

The Yahoo service in question was identified as Yahoo Voice -- also known as Associated Content, which was acquired by Yahoo in 2010. The hackers penetrated Yahoo's database using a union-based SQL injection, which tricks a poorly secured website into returning database records alongside the results of its normal query. After the data dump was created, it was rapidly distributed via BitTorrent and various file lockers across the web.

In a subsequent blog post, the hacker group said:

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.

There have been many security holes exploited in Web servers belonging to Yahoo that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

The security flaw was patched the day after the announcement was made. Yahoo later confirmed that a number of accounts were compromised, but said only 5 percent were valid login credentials.


Talkback

2 comments
  • Painful But Necessary...

    Not a fan of trial lawyers... but some companies (and people) just won't do the right thing unless they are punished. There is no excuse for a company like Yahoo to store sensitive client information unencrypted! So yeah, Yahoo needs a hard kick to its backside (and wallet).
    ReadandShare
  • Having Said the Above...

    The plaintiff, Jeff Allan, also needs to take some personal responsibility -- such as stopping the idiocy of using the same password on multiple sites -- such as both Yahoo and eBay -- per the above article.
    ReadandShare