Yahoo is being sued by one of its users, who has claimed the US Internet company was guilty of negligence when 450,000 passwords of the members of the Yahoo Voices blogging community were posted online.

Jeff Allan from New Hampshire has turned to a federal court in San Jose, California, after his eBay account, which used the same password as his Voices account, was compromised.

The dangers of plain text

On 11 July, the hacker group D33DS stole an unencrypted file containing login credentials from Yahoo servers and published them on its website. Besides Yahoo email address details, the list also included addresses for Gmail, Hotmail, AOL and other services.

Following the hack, the company was widely criticised for ignoring security basics by storing the login credentials unencrypted. Yahoo later claimed that the leaked file was old, and only around five percent of the information it contained was still valid.

The hackers called their attack a “wake up call” to expose lax security at the biggest US web portal. According to D33DS, the information was extracted through a simple SQL injection technique. The hackers did not post the subdomain and vulnerable parameters “to avoid further damage.”

By 13 July, Yahoo said it had fixed the vulnerability, deployed additional security measures for affected users, enhanced its underlying security controls and started to notify affected users.

That wasn’t enough for Allan, who, according to Bloomberg, was first alerted to the hack when eBay contacted him about suspicious activity on his account, which used the same login credentials as those exposed by the D33DS hackers.

He decided to sue the company for failing to adequately safeguard his personal information, and is seeking an order requiring Yahoo to compensate him and other users.

The attack was especially worrying for certain users since Voices, a website that features articles, videos and slideshows on topics from home improvement to business advice, pays authors for their content, meaning financial information could have been put in jeopardy.

In June, a class action lawsuit was launched against a victim of a similar hack, LinkedIn, after over six million of the social network’s user passwords were stolen and posted online. In contrast with Yahoo, LinkedIn actually hashed its passwords (thanks to Liam for pointing this out), but did not “salt” the hashes to make them harder to crack.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

View Comments

  • Guys - you are a tech site, so you should know the difference between "encrypted" and "hashed." LinkedIn *hashed* its passwords.

    • Hi Liam,

      We see what you mean and we've changed! Encryption is of course a two-way function (with keys), whereas hashing is one-way (no key). The similarity lies in taking the plain text and morphing it into something else using an algorithm. Both are cryptographic functions. Just to clear things up for anyone looking here!

      Best

      Tom Brewster
      Deputy editor
