Yahoo sued over stolen usernames and passwords
According to Bloomberg, the Internet giant Yahoo is being sued for negligence after it disclosed that approximately 450,000 usernames and passwords were stolen from one of its websites.
Recently taken over by new CEO Marissa Meyer, the web portal operator is being taken to court by a user of its services. A complaint was filed at the end of last month in federal court in San Jose, California, which stated that the user's login information was posted online -- naturally, without his consent.
The information apparently appeared online after a hacker broke into one of the company's databases on July 11.
The Yahoo user, Jeff Allan, has stated in his complaint that Yahoo is culpable as it failed to adequately protect his information. He was alerted to the situation after receiving a fraud alert from his eBay account, which used the same security information. Due to this, Allan is seeking compensation for himself and other users.
The breach was admitted by the company on July 12, where plain text login credentials were pilfered by a hacking group -- later reported as D33Ds Company who took responsibility for the attack.
The Yahoo service in question was identified as Yahoo Voice -- also known as Associated Content, which was acquired by Yahoo in 2010. The hackers penetrated Yahoo's database using a union-based SQL injection, which basically tricks a poorly-secured website into releasing information. After the data dump was created, it rapidly found itself being distributed via BitTorrent and various file lockers across the web.
In a subsequent blog post, the hacker group said:
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.
There have been many security holes exploited in Web servers belonging to Yahoo that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
The security flaw was patched the day after the announcement was made. Yahoo later confirmed that a number of accounts were compromised, but said only 5 percent were valid login credentials.