
Yahoo Sued By User Following Breach of 450,000 Passwords

2012-08-03 15:17:24
Chris Brook
threatpost.com

Internet search conglomerate Yahoo is being sued by one of its users for negligence after the usernames and passwords of approximately 450,000 of its users were leaked by a hacker online last month.

According to a complaint (.PDF) filed earlier this week in a federal court in San Jose, Calif., the plaintiff, Jeff Allan of New Hampshire, is calling out Yahoo for failing to “deploy even the most rudimentary of protections for certain users’ personal information.”

In an injunction, Allan is looking for Yahoo to compensate for “resulting account fraud” and the additional steps he and other affected users have had to take to prevent their accounts from being accessed further. Allan noticed his account had been compromised after he received a notification from eBay–where he used the same log-in credentials–that his account there had been accessed without his permission.

A hacking group called D33DS took credit for the attack on the site via a SQL injection on July 11 and soon after posted a slew of user logins and plaintext passwords, many of which were as simple as “password,” online.

The information wound up belonging to users of Yahoo Voices, a site Yahoo acquired from Associated Content in 2010 that allows freelance writers to share their own personal content. The company acknowledged it patched the vulnerability later that week and that affected users would have to answer a series of questions to authenticate their accounts upon logging in.

The class-action complaint goes on to allege that Yahoo should have kept its users’ credentials encrypted using standard salting and hashing methods and been more prepared against the type of SQL injection used in the attack.