SAN JOSE, CALIFORNIA (BNO NEWS) -- A man whose e-mail address and password were posted online after hackers accessed Yahoo's server last month has sued the internet giant, claiming the company failed to adequately safeguard his and others' personal information, according to court documents.
Jarrod Allan, of New Hampshire, said he is one of approximately 453,000 users whose account information was posted online after hackers from a group calling themselves D33Ds infiltrated a Yahoo! database on July 11. Allan filed the class action complaint for negligence in San Jose, California on behalf of everyone similarly situated.
"Plaintiff Allan brings this class action lawsuit against Yahoo for failing to adequately safeguard his and others' personal information," the complaint says. "Mr. Allan seeks an order requiring Yahoo to remedy the harm caused by its negligent security, which may include compensating Plaintiff and class members for resulting account fraud and for all reasonably necessary measures Plaintiff and class members have had to take in order to identify and safeguard the accounts put at risk by Yahoo's negligent security."
According to the complaint, the credentials stolen from the Yahoo! server were originally from Associated Content, a website that allowed freelance authors to contribute text, images, and videos until it was acquired by Yahoo! in 2010. Existing Associated Content accounts were taken over by Yahoo!, which then saved this information unencrypted in its database.
Experts said the hackers used a technique known as an SQL injection attack, which works by injecting malicious commands into the stream of commands between a website application and the database feeding it. But this is a well-known technique, and Allan's lawsuit alleges that Yahoo's servers should not have been vulnerable to it.
"The SQL injection technique used against Yahoo has been known for over a decade and had already been used for massive data thefts against Heartland Payment Systems and others," the complaint says. "As far back as 2003, the Federal Trade Commission considered SQL injection attacks to be well-known and foreseeable events that can and should be taken into account through routine security measures."
Yahoo! also failed to protect the data using standard salting and hashing techniques, which would have made it extremely difficult for hackers to read the information when it was stolen. "Yahoo failed to secure its data server containing Plaintiff's and class members' information from SQL injection attacks, encrypt the critical login credentials contained in the database, and monitor its network activity to identify suspicious amounts of out-bound data," the complaint says.
In his own case, Allan said he received e-mails from two online services on July 14, informing him of the Yahoo! breach and that both services had identified him as a user with breached account information. He also received an e-mail from eBay on July 20, informing him that someone had accessed his account without permission.
"Concerned about unauthorized access to his online accounts, Mr. Allan purchased an Experian credit monitoring service for $14.95/month," the complaint says. It adds that Allan's Associated Content account included personal information such as his full name, e-mail address, PayPal e-mail address, date of birth, citizenship, physical address, telephone number, biography, interests, education and social security number.
In the class action complaint, Allan says he is seeking compensation in an amount to be determined at trial. He is also seeking to recover litigation expenses and attorneys' fees for himself and any other class members.
(Copyright 2012 by BNO News B.V. All rights reserved.) http://wire.bnonews.com/#g58822