Jeff Allan, a New Hampshire resident, is suing Yahoo for negligence on behalf of the 450,000 users who had their information exposed online. The suit argued that Yahoo failed to deploy “even the most rudimentary of protections for certain users’ personal information.”
In early July, the hacker group D33DS Company posted a document with more than 450,000 user email addresses and plain text passwords from Yahoo Voices’ users on its website. The hacker group said it used a union-based SQL injection technique to steal the emails and passwords and posted them as a “wake-up call”, not as a “threat”.
The lawsuit argued that Yahoo should have kept its users’ information in an encrypted form using standard salting and hashing techniques and should have secured its server against SQL injection attack.
“Yahoo failed to secure the data server containing that information from SQL injection attacks, encrypt the personal information contained in the database, and monitor its networks to identify suspicious amounts of out-bound data. In failing to employ these basic and well-known internet security measures, Yahoo departed from the reasonable standard of care and violated its duty to protect Plaintiff’s and class members’ personal information”, the suit alleged.
The suit is seeking injunctive and other equitable relief, damages, legal expenses, and interest on behalf of the 450,000 users who had their information exposed. No monetary figure was provided.