Judge Rules That Yahoo Data Breach Victims Have Right to Sue Company

Friday September 1, 2017 6:19 AM PDT by Mitchel Broussard
Several months after Yahoo warned users of a third data breach that occurred between 2015 and 2016, U.S. District Judge Lucy Koh in San Jose, California has said that breach victims now have the right to sue the company, allowing them to pursue breach of contract and unfair competition claims (via Reuters). Previously, Yahoo argued that these individuals lacked grounds to sue the company, but Koh has now rejected that claim.


This leaves "well over 1 billion users" open to sue the company, all of whom were affected by one of three total data breaches that began to gain notoriety in September 2016, when the company disclosed that "at least" 500 million Yahoo accounts were compromised in a late 2014 cyber attack. A second attack was disclosed in December 2016, regarding a user information leak that happened in August 2013, and then the third and presumably last warning about a previous attack came in February 2017.

This outlined a period of data breaches that began in 2013 and lasted until 2016, with Yahoo waiting more than three years to reveal information about any of the attacks. Breached info related to names, email addresses, telephone numbers, birth dates, hashed passwords, and both encrypted and unencrypted security questions and answers.

Because each affected user now faces the risk of identity theft, Koh ruled in a 93-page decision that plaintiffs can now amend previously dismissed complaints to gain new legal ground against Yahoo.
“All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information,” the judge wrote. Koh said some plaintiffs also alleged they had spent money to thwart future identity theft or that fraudsters had misused their data. Others, meanwhile, could have changed passwords or canceled their accounts to stem losses had Yahoo not delayed disclosing the breaches, the judge said.

“We believe it to be a significant victory for consumers, and will address the deficiencies the court pointed out,” John Yanchunis, a lawyer for the plaintiffs who chairs an executive committee overseeing the case, said in an interview. “It’s the biggest data breach in the history of the world.”
Yahoo's disclosure of the security breaches came in the midst of its acquisition by Verizon, and ended up affecting the carrier's offer. After an initial offer of $4.83 billion, Verizon ended up purchasing Yahoo's core business assets for $4.48 billion in order to limit potential liability. The deal closed this past summer and at the same time, Verizon announced plans to lay off about 2,100 Yahoo employees.

Tag: Yahoo
30 comments


Top Rated Comments

(View all)
Avatar
MacNut
26 months ago
Verizon still went through with the deal to buy Yahoo. Are their coffers now in play in a huge class action suit?
Rating: 2 Votes
Avatar
Hodar1
26 months ago
Spanking Yahoo, is a good first start; but how about raising the penalty for Identify Theft beyond that of a mild scolding? How about making Identity Theft a severe Felony, meaning hard jail time, so that it's actually discouraged? Seems that those that are caught, go right back out and do it again, and again, and again.
Rating: 2 Votes
Avatar
Amacfa
26 months ago
You can thank Marissa Meyer for this mess.
Rating: 1 Votes
Avatar
Crow KC
25 months ago

Wouldn't have mattered in this case. No passwords were cracked or guessed to gain access. The attackers found a vulnerability in their cookie-based auth.

Also, why exactly are you against Facebook login? If anything, that's more secure than trusting a random website's homemade auth system. And unless you grant them access to a bunch of permissions (FB is very explicit about it), they don't get much info on you. If you want to be extra safe, you can use a fake Facebook account just for authentication like I used to do.


Because it's a fallacy to believe that Facebook, Yahoo, or any other large service provider is any safer than any "random website's homemade auth system". It's proven time and again. Using the same credentials for more than one thing is a foolhardy move, no matter how cryptic the password and how well they seem to be stored. When I had access to millions of E-mail/password combinations, the website was the 19th largest in the world, and a competitor to Facebook which was at the time more popular in America, but less popular worldwide. This was the same time that Facebook Platform came into existence which enabled the login with Facebook ability for third-party sites. We at the time were integrating OpenSocial for the same reasons...

My point is to use a different password for everything, and just assume that anything can be compromised. I also use random passwords as answers for password recovery questions, as otherwise that sort of information is too easy for somebody to find out, and two-factor authentication everywhere it is available.
Rating: 1 Votes
Avatar
960design
25 months ago

Database administrators take note: Take extraordinary precautions to protect all the personal info entrusted to you, or you shall be held accountable in a court of law for any breaches of confidential customer data.

Sickens me when I consult other companies data management and see that their databases are plain text, except for the password. Truly feel sick to my stomach.

At a minimum, encrypt everything except the UUID or suffer the consequences.
You will have a data breach.
[doublepost=1505758692][/doublepost]

Someone might be 'recovering' your account right now... :) And, if you answered the questions honestly, it might be your bank account. Nice, huh? (The point is that 'security questions' pretty much undo any security they might have put in place. They are essentially a low-tech back-door.)

Completely agree. Argued wholeheartedly against it for a company and yet they went ahead with security questions.
1) What is your home town?
Let me guess, how about here in metropolis.
2) What high school did you graduate from?
Ummm, only two or three nearby, pretty much anyone can guess these and bypass your 'security'.
Rating: 1 Votes
Avatar
fairuz
25 months ago

Someone might be 'recovering' your account right now... :) And, if you answered the questions honestly, it might be your bank account. Nice, huh? (The point is that 'security questions' pretty much undo any security they might have put in place. They are essentially a low-tech back-door.)

Yes, it's annoying and totally counterintuitive that I have to put "to48ry9iofjdsf" as my dog's name.


It's just not an issue with a password manager, in fact it keeps things more secure and is so much easier. That said, yes, you have to pick a good one like PasswordWallet by Selznick or maybe 1Password (non-cloud version).

I get what you're saying about non-tech-savvy... but if they don't get tech-savvy enough to use a password manager and some basic common sense, they probably shouldn't be using tech in the first place. If you think they are in trouble now... wait a few years.

The thing is, this is most people in the world, so it's the other way around: If they can't make security usable by the average user, they shouldn't be making tech in the first place. Also, even for experts, it's a waste of time to have to research how to use front-end services.
Rating: 1 Votes
Avatar
SteveW928
25 months ago

The thing is, this is most people in the world, so it's the other way around: If they can't make security usable by the average user, they shouldn't be making tech in the first place. Also, even for experts, it's a waste of time to have to research how to use front-end services.


I sort of agree from a UX standpoint, though I'm not sure what the alternative is, and it can only be made so simple, at some point. (Maybe an education campaign on password managers, and strong recommendation of a few good ones... that's what I've been trying to do. Plus, there are other benefits, as I keep other useful info in that that it's handy to have with me.)

But, a lot of these insecure systems are designed as such as lazy ways to 'optimize' the workload for the companies. Getting your account unlocked, if you've lost your password, etc. should take a bit of work to resolve, not a simple 'security question.'

Sickens me when I consult other companies data management and see that their databases are plain text, except for the password. Truly feel sick to my stomach.


And, then there's Equifax who was even using 'admin' and 'admin' defaults on some of their systems. :eek:
Rating: 1 Votes
Avatar
macs4nw
26 months ago
Database administrators take note: Take extraordinary precautions to protect all the personal info entrusted to you, or you shall be held accountable in a court of law for any breaches of confidential customer data.
Rating: 1 Votes
Avatar
SteveW928
26 months ago
Oh, I hand't heard the Verizon deal went through. Verizon likely has deeper pockets... maybe a class-action $10B lawsuit or something would be good for an industry lesson. I can't believe Verizon was stupid enough to buy that mess.
Rating: 1 Votes
Avatar
Mascots
26 months ago

Database administrators take note: Take extraordinary precautions to protect all the personal info entrusted to you, or you shall be held accountable in a court of law for any breaches of confidential customer data.


Well, I'd put more focus on the fact that it happened multiple times and they failed to reveal any information because they knew it would kill them.
Rating: 1 Votes
[ Read All Comments ]