Yahoo is the latest internet company to have legal action filed against it. On Tuesday of last week, a New Hampshire man, Jeff Allan, filed a lawsuit in a San Jose, California federal court asking for class-action status. The suit alleges that Yahoo failed to provide adequate security measures to protect its users against hackers who stole passwords from over 450,000 accounts.
Allan is seeking compensation for himself and others who join the lawsuit for “resulting account fraud and measures people had to take to protect against identity theft.”
According to the lawsuit, Allan’s Yahoo account information contained his name and social security number; e-mail address; PayPal e-mail address; date of birth; residency/citizenship; physical address and telephone number.
Allan’s Yahoo account wasn’t the only thing someone was able to access. Allan used the same account information for his eBay account. Someone was able to use this account without permission. Because of the breach, Allan also purchased credit monitoring protection from Experian.
Last month, hackers known as “D33Ds Co.” posted over 450,000 account names and passwords publicly. The group said they gained access by “using an SQL injection to trick the database into revealing data and did the hack to expose lax security at Yahoo. The data was stored in plain text instead of cryptographically masked in a process called hashing.” The suit alleges that, by not encrypting the information, Yahoo was negligent in failing to take measures to protect users against such a common attack.
“The SQL injection technique used against Yahoo has been known for over a decade and had already been used for massive data thefts against Heartland Payment Systems and others,” the suit says. “As far back as 2003, the Federal Trade Commission considered SQL injection attacks to be well-known and foreseeable events that can and should be taken into account through routine security measures.”
“Yahoo failed to secure the data server containing that information from SQL injection attacks, encrypt the personal information contained in the database, and monitor its networks to identify suspicious amounts of out-bound data,” the suit also claims. “In failing to employ these basic and well-known Internet measures, Yahoo departed from the reasonable standard of care and violated its duty to protect Plaintiff’s and class members’ personal information.”