Yahoo is being sued by one of its users, who has claimed the US Internet company was guilty of negligence when 450,000 passwords of the members of the Yahoo Voices blogging community were posted online.
Jeff Allan from New Hampshire has turned to a federal court in San Jose, California, after his eBay account, which used the same password as his Voices account, was compromised.
On 11 July, the hacker group D33DS stole an unencrypted file containing login credentials from Yahoo servers and published them on its website. Besides Yahoo email address details, the list also included addresses for Gmail, Hotmail, AOL and other services.
The hackers called their attack a “wake up call” to expose lax security at the biggest US web portal. According to D33DS, the information was extracted through a simple SQL injection technique. The hackers did not post the subdomain and vulnerable parameters “to avoid further damage.”
By 13 July, Yahoo said it had fixed the vulnerability, deployed additional security measures for affected users, enhanced its underlying security controls and started to notify affected users.
That wasn’t enough for Allan, who, according to Bloomberg, was first alerted to the hack when eBay contacted him about suspicious activity on his account, which used the same login credentials as those exposed by the D33DS hackers.
He decided to sue the company for failing to adequately safeguard his personal information, and is seeking an order requiring Yahoo to compensate him and other users.
The attack was especially worrying for certain users since Voices, a website that features articles, videos and slideshows on topics from home improvement to business advice, pays authors for their content, meaning financial information could have been put in jeopardy.
In June, a class action lawsuit was launched against a victim of a similar hack, LinkedIn, after over six million of the social network’s user passwords were stolen and posted online. In contrast with Yahoo, LinkedIn actually hashed its passwords (thanks to Liam for pointing this out), but did not “salt” the hashes to make them harder to crack.
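An added example (not code from the article, Yahoo or LinkedIn) showing why the salting point matters: with a bare SHA-1 hash, two accounts that share a password produce identical stored values, which a leaked dump reveals directly and a single precomputed table entry matches at once, whereas a per-account random salt with an iterated hash makes the stored values independent. The account names and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample accounts for illustration; not data from any breach.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correcthorse"}


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password: the unsalted scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), stored as iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def shared_hash_groups(store: Dict[str, str]) -> List[Set[str]]:
    """Group accounts whose stored value is byte-identical.
    In an unsalted dump each group is a set of users sharing one password,
    visible without guessing anything; with per-account salts no groups form."""
    by_value: Dict[str, Set[str]] = {}
    for user, value in store.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]


def build_stores(users: Dict[str, str] = SAMPLE_USERS):
    """Build the same accounts under both storage schemes for comparison."""
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: salted_hash(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted duplicates:", shared_hash_groups(unsalted))  # [{'alice', 'bob'}]
    print("salted duplicates:  ", shared_hash_groups(salted))    # []
    print("verify alice:", verify("hunter2", salted["alice"]))   # True
```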
Guys - you are a tech site, so you should know the difference between "encrypted" and "hashed." LinkedIn *hashed* its passwords.
Good catch Liam!
Hi Liam,
We see what you mean and we've changed! Encryption is of course a two-way function (with keys), whereas hashing is one-way (no key). The similarity lies in taking the plain text and morphing it into something else using an algorithm. Both are cryptographic functions. Just to clear things up for anyone looking here!
Best
Tom Brewster
Deputy editor
http://xkcd.com/936/