Yahoo is being sued by one of its users, who has claimed the US Internet company was guilty of negligence when 450,000 passwords of the members of the Yahoo Voices blogging community were posted online.

Jeff Allan from New Hampshire has turned to a federal court in San Jose, California, after his eBay account, which used the same password as his Voices account, was compromised.

The dangers of plain text

On 11 July, the hacker group D33DS stole an unencrypted file containing login credentials from Yahoo servers and published them on its website. Besides Yahoo email address details, the list also included addresses for Gmail, Hotmail, AOL and other services.

Following the hack, the company was widely criticised for ignoring security basics by storing the login credentials unencrypted. Yahoo later claimed that the leaked file was old, and only around five percent of the information it contained was still valid.

The hackers called their attack a “wake up call” to expose lax security at the biggest US web portal. According to D33DS, the information was extracted through a simple SQL injection technique. The hackers did not post the subdomain and vulnerable parameters “to avoid further damage.”

By 13 July, Yahoo said it had fixed the vulnerability, deployed additional security measures for affected users, enhanced its underlying security controls and started to notify affected users.

That wasn’t enough for Allan, who, according to Bloomberg, was first alerted to the hack when eBay contacted him about suspicious activity on his account, which used the same login credentials as those exposed by the D33DS hackers.

He decided to sue the company for failing to adequately safeguard his personal information, and is seeking an order requiring Yahoo to compensate him and other users.

The attack was especially worrying for certain users since Voices, a website that features articles, videos and slideshows on topics from home improvement to business advice, pays authors for their content, meaning financial information could have been put in jeopardy.

In June, a class action lawsuit was launched against a victim of a similar hack, LinkedIn, after over six million of the social network’s user passwords were stolen and posted online. In contrast with Yahoo, LinkedIn actually hashed its passwords (thanks to Liam for pointing this out), but did not “salt” the hashes to make them harder to crack.
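To illustrate the salting point, here is an added example (not part of the original article, and not code from Yahoo or LinkedIn) comparing unsalted hashes with per-user salted ones. The choice of SHA-1 and PBKDF2-HMAC-SHA256, the iteration count, and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_digest(password: str) -> str:
    """Unsalted fast hash: the same password always yields the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def new_record(password: str) -> dict:
    """Store a random per-user salt next to a slow, salted PBKDF2 hash."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": derived}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def shared_password_groups(stored: dict) -> list:
    """Group accounts whose stored values are identical in a leaked table."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed sample accounts; two users picked the same password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}

if __name__ == "__main__":
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE.items()}
    salted = {u: new_record(p)["hash"] for u, p in SAMPLE.items()}
    print("unsalted duplicates:", shared_password_groups(unsalted))
    print("salted duplicates:  ", shared_password_groups(salted))
```

Without a salt, accounts sharing a password are visible as identical stored values and one precomputed table covers every user; with a per-user salt, each record has to be attacked separately.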


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

View Comments

  • Guys - you are a tech site, so you should know the difference between "encrypted" and "hashed." LinkedIn *hashed* its passwords.

    • Hi Liam,

      We see what you mean and we've changed! Encryption is of course a two-way function (with keys), whereas hashing is one-way (no key). The similarity lies in taking the plain text and morphing it into something else using an algorithm. Both are cryptographic functions. Just to clear things up for anyone looking here!

      Best

      Tom Brewster
      Deputy editor
