And! it! begins! Yahoo! sued! over! ultra-hack! of! 500m! accounts!

Class-action lawsuit in California expected to be first of many in the US


Just two days after Yahoo! admitted hackers had raided its database of at least 500 million accounts, the Purple Palace is being dragged into court.

Two Yahoo! users in San Diego, California, filed on Friday a class-action claim [PDF] against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive information under the Unfair Competition Act and the state's Consumer Legal Remedies Act, plus negligence for its poor security, and breaking the Federal Stored Communications Act.

The stolen Yahoo! database includes people's names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers about their personal lives.

“There's a sense of violation,” the plaintiffs' lawyer David Casey, of Casey Gerry Schenk Francavilla Blatt & Penfield, told The Register last night.

“We think they breached their duty of trust to the clients and violated privacy laws. I anticipate hundreds of cases will be filed and then those will be consolidated into one federal class action suit.”

Casey said that at least one of his clients had already seen dodgy activity on their credit card which had been attributed to the attack and another was concerned that their financial and tax data had been viewed by outsiders. The plaintiffs are seeking redress and damages from Yahoo!

The court filing also states that Yahoo!, which is based in Sunnyvale, California, had “unreasonably delayed” telling its customers about the mega-hack. It points out that the incident, which Yahoo! blamed on state-sponsored hackers, occurred back in 2014, and the webmail giant should have detected it sooner and let people know a long time ago.

“There’s a lot of anger over the delay,” Casey said. “The delay is pretty inexplicable.”

While this is the first sueball lobbed at Yahoo!, it is unlikely to be the last. If even a fraction of the 500 million Yahoo! users targeted by hackers take action against the company, and win even a miserly award, the potential costs to the biz could count in the high multi-millions.

Under the circumstances the due diligence team at Verizon, which in July confirmed it wanted to buy Yahoo! for $4.8bn, are going to be recalculating their figures as to the net worth of the Purple Palace. Having such large liabilities hanging over Yahoo! can only depress its value.

Verizon told The Register that it was informed about the hack just a few days in advance of this week's staggering confession – which raises questions in itself. In late July and early August, news articles were circulating warning that stolen Yahoo! customer information was being sold on the dark web. One wonders why Verizon didn’t pick up on this earlier.

One possible theory is that while investigating the 200 million or so account records being touted on underground souks, Yahoo! discovered a separate larger break-in by government-backed hackers – and has only just confirmed that.

In the meantime, legal action will continue to mount in America, the land of the lawsuit. Yahoo! should also expect folks overseas to start lawyering up, too. It’s going to be an expensive Fall for the organization. ®
