macrumors bot
Original poster
Apr 12, 2001

Several months after Yahoo warned users of a third data breach that occurred between 2015 and 2016, U.S. District Judge Lucy Koh in San Jose, California, has said that breach victims now have the right to sue the company, allowing them to pursue breach of contract and unfair competition claims (via Reuters). Previously, Yahoo argued that these individuals lacked grounds to sue the company, but Koh has now rejected that claim.


This leaves "well over 1 billion users" open to sue the company, all of whom were affected by one of three total data breaches that began to gain notoriety in September 2016, when the company disclosed that "at least" 500 million Yahoo accounts were compromised in a late 2014 cyber attack. A second attack was disclosed in December 2016, regarding a user information leak that happened in August 2013, and then the third and presumably last warning about a previous attack came in February 2017.

This outlined a period of data breaches that began in 2013 and lasted until 2016, with Yahoo waiting more than three years to reveal information about any of the attacks. Breached info related to names, email addresses, telephone numbers, birth dates, hashed passwords, and both encrypted and unencrypted security questions and answers.

Because each affected user now faces the risk of identity theft, Koh ruled in a 93-page decision that plaintiffs can now amend previously dismissed complaints to gain new legal ground against Yahoo.
"All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information," the judge wrote. Koh said some plaintiffs also alleged they had spent money to thwart future identity theft or that fraudsters had misused their data. Others, meanwhile, could have changed passwords or canceled their accounts to stem losses had Yahoo not delayed disclosing the breaches, the judge said.

"We believe it to be a significant victory for consumers, and will address the deficiencies the court pointed out," John Yanchunis, a lawyer for the plaintiffs who chairs an executive committee overseeing the case, said in an interview. "It's the biggest data breach in the history of the world."
Yahoo's disclosure of the security breaches came in the midst of its acquisition by Verizon, and ended up affecting the carrier's offer. After an initial offer of $4.83 billion, Verizon ended up purchasing Yahoo's core business assets for $4.48 billion in order to limit potential liability. The deal closed this past summer, and at the same time Verizon announced plans to lay off about 2,100 Yahoo employees.

Article Link: Judge Rules That Yahoo Data Breach Victims Have Right to Sue Company
 
Yes another two years of credit monitoring please, or maybe a couple of dollars out of a class action :confused: or maybe if we're really lucky we get both :eek::rolleyes: oh and in order to receive such benefits/compensation you'd have to divulge even more sensitive personal information.
 
Yes another two years of credit monitoring please, or maybe a couple of dollars out of a class action :confused: or maybe if we're really lucky we get both :eek::rolleyes: oh and in order to receive such benefits/compensation you'd have to divulge even more sensitive personal information.

You can't think of it in selfish terms of what you - the victim - will receive; think of the trial lawyers, they need to put food on their plate (and a place in the Hamptons).
 
You can't think of it in selfish terms of what you - the victim - will receive; think of the trial lawyers, they need to put food on their plate (and a place in the Hamptons).
And think of the incentive this gives to companies to do it right in the future. In the end this is justice being served, and the bigger story is what this will cost Yahoo, not what the plaintiffs or lawyers gain.
 
Database administrators take note: Take extraordinary precautions to protect all the personal info entrusted to you, or you shall be held accountable in a court of law for any breaches of confidential customer data.

Well, I'd put more focus on the fact that it happened multiple times and they failed to reveal any information because they knew it would kill them.
 
You can't think of it in selfish terms of what you - the victim - will receive; think of the trial lawyers, they need to put food on their plate (and a place in the Hamptons).
Of course, my apologies for neglecting to take that into account. I will just settle for the $2, so that in addition to putting food on the table, hopefully they'll also be able to renew next year's country club membership.
 
Yes another two years of credit monitoring please, or maybe a couple of dollars out of a class action :confused: or maybe if we're really lucky we get both :eek::rolleyes: oh and in order to receive such benefits/compensation you'd have to divulge even more sensitive personal information.

If there is a class action you don't have to join it. You can pursue your own settlement. What would you rather have here -- the judge ruling victims don't have a right to sue Yahoo?
 
Spanking Yahoo is a good first start; but how about raising the penalty for Identity Theft beyond that of a mild scolding? How about making Identity Theft a severe Felony, meaning hard jail time, so that it's actually discouraged? Seems that those that are caught go right back out and do it again, and again, and again.
 
Ha, ha, ha. Verizon and Yahoo - all the bad eggs in one basket. People really need to start using a different password, and nonsensical answers to security questions. A password manager like 1Password makes this relatively easy and secure. I've been doing that for many years and have never had to worry about breaches like this because the scope is limited. Now two-factor authentication is available on about 1/4 of my accounts, so I use it everywhere I can as well - really hoping that becomes more widespread with time.

Stupid things like "Log in with Facebook" should be avoided at all costs.

I once worked as a database administrator at a major social media website that was at the time in the top 20 most visited websites in the world, with hundreds of millions of users. All their E-mail addresses, passwords, and other information, as well as their entire history on the site, whether "private" or not, was accessible to me. Nothing to prevent me from copying it down to a USB drive or anything else. I suppose I could have used that illegally to become immensely wealthy. Don't trust ANYONE to store your stuff securely. Even encrypted data is often using a weak or flawed method of encryption. Verizon is particularly invasive and horrible, but that's another subject.
 
Verizon still went through with the deal to buy Yahoo. Are their coffers now in play in a huge class action suit?

That's my question as well. The article states that they only purchased part of it to limit liability, but anything that hurts Verizon is good in my book. ;)
 
I suspect many of those accounts were long abandoned, duplicates, etc. Certainly there are many who did get breached.
 
Can I also sue them for all the times I've had to remove Yahoo! browser hijackers from my family members' PCs? Worst company ever.
Database administrators take note: Take extraordinary precautions to protect all the personal info entrusted to you, or you shall be held accountable in a court of law for any breaches of confidential customer data.
It wasn't the DBAs. The web devs totally failed (I'd use harsher language on different sites) to set up a secure cookie auth system, so hackers were able to log into arbitrary accounts.

They said "forged cookies" here, which is a bit of an oxymoron: https://www.macrumors.com/2017/02/16/yahoo-third-data-breach-verizon-nears-deal/
 
Ha, ha, ha. Verizon and Yahoo - all the bad eggs in one basket. People really need to start using a different password, and nonsensical answers to security questions. A password manager like 1Password makes this relatively easy and secure. I've been doing that for many years and have never had to worry about breaches like this because the scope is limited. Now two-factor authentication is available on about 1/4 of my accounts, so I use it everywhere I can as well - really hoping that becomes more widespread with time.

Stupid things like "Log in with Facebook" should be avoided at all costs.
Wouldn't have mattered in this case. No passwords were cracked or guessed to gain access. The attackers found a vulnerability in their cookie-based auth.

Also, why exactly are you against Facebook login? If anything, that's more secure than trusting a random website's homemade auth system. And unless you grant them access to a bunch of permissions (FB is very explicit about it), they don't get much info on you. If you want to be extra safe, you can use a fake Facebook account just for authentication like I used to do.
 
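The two posts above attribute the breach to a cookie-based authentication system that let attackers log into arbitrary accounts with forged cookies. The following is an added illustration written for this thread, not code from Yahoo or from any poster, of what "unforgeable" means in practice: the server binds the cookie's claims to a secret key with an HMAC and checks the tag on every request, so a cookie whose payload has been rewritten without the key is rejected. The key, user ids and lifetimes below are constructed demo values.

```python
"""Added example: an integrity-protected session cookie (HMAC-SHA256).
Not the code of any site discussed in the thread; all values are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side signing key. A real deployment loads this from a
# secret store and rotates it; it must never reach the client.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as typically used in cookie values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, ttl_seconds: int, key: bytes = SERVER_KEY, now=None) -> str:
    """Serialize {uid, exp} and append an HMAC tag computed under the server key."""
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None.

    The tag is checked before the payload is parsed or trusted, and the
    comparison is constant-time so the check leaks nothing about the tag."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:  # malformed structure or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("uid")


def tampered_copy(cookie: str, new_uid: str) -> str:
    """Test helper: rewrite the uid claim while keeping the original tag.

    This models a cookie altered by someone who does not hold the key; the
    verifier must reject it because the tag no longer matches the payload."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["uid"] = new_uid
    new_payload = json.dumps(claims, separators=(",", ":")).encode()
    return f"{_b64(new_payload)}.{tag_b64}"


if __name__ == "__main__":
    t0 = 1_000_000  # constructed fixed clock so the run is reproducible
    good = issue_cookie("alice", 3600, now=t0)
    print("genuine cookie  ->", verify_cookie(good, now=t0))
    print("tampered cookie ->", verify_cookie(tampered_copy(good, "admin"), now=t0))
    print("expired cookie  ->", verify_cookie(good, now=t0 + 3600))
```

The tag covers the whole payload, so any change to the user id or expiry invalidates it; rotating `SERVER_KEY` invalidates every outstanding cookie at once, which is the usual response when a signing key is suspected of being exposed.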
My yahoo email used to be my main one until about a year ago, now I get so much spam on it that it is practically unusable.

I have multiple yahoo accounts and only receive like 1 or 2 spam mails per day, all getting trapped by the Yahoo spam filter. It is really rare for spam to hit my inboxes. OTOH some amount of legit mail (ironically including some from Troy Hunt) gets caught by the filter.
 
I have multiple yahoo accounts and only receive like 1 or 2 spam mails per day, all getting trapped by the Yahoo spam filter. It is really rare for spam to hit my inboxes. OTOH some amount of legit mail (ironically including some from Troy Hunt) gets caught by the filter.
Spam filters are useless. You have to check your spam box anyway because they have a false positive rate above 0. I've had really important stuff go into Google's spam box, so I disabled it. Big deal, I have to delete a spam email every now and then (1-2 per week it seems).
 
Oh, I hadn't heard the Verizon deal went through. Verizon likely has deeper pockets... maybe a class-action $10B lawsuit or something would be good for an industry lesson. I can't believe Verizon was stupid enough to buy that mess.
 
Wouldn't have mattered in this case. No passwords were cracked or guessed to gain access. The attackers found a vulnerability in their cookie-based auth.

Also, why exactly are you against Facebook login? If anything, that's more secure than trusting a random website's homemade auth system. And unless you grant them access to a bunch of permissions (FB is very explicit about it), they don't get much info on you. If you want to be extra safe, you can use a fake Facebook account just for authentication like I used to do.

Because it's a fallacy to believe that Facebook, Yahoo, or any other large service provider is any safer than any "random website's homemade auth system". It's proven time and again. Using the same credentials for more than one thing is a foolhardy move, no matter how cryptic the password and how well they seem to be stored. When I had access to millions of E-mail/password combinations, the website was the 19th largest in the world, and a competitor to Facebook which was at the time more popular in America, but less popular worldwide. This was the same time that Facebook Platform came into existence which enabled the login with Facebook ability for third-party sites. We at the time were integrating OpenSocial for the same reasons...

My point is to use a different password for everything, and just assume that anything can be compromised. I also use random passwords as answers for password recovery questions, as otherwise that sort of information is too easy for somebody to find out, and two-factor authentication everywhere it is available.
 
Because it's a fallacy to believe that Facebook, Yahoo, or any other large service provider is any safer than any "random website's homemade auth system". It's proven time and again. Using the same credentials for more than one thing is a foolhardy move, no matter how cryptic the password and how well they seem to be stored. When I had access to millions of E-mail/password combinations, the website was the 19th largest in the world, and a competitor to Facebook which was at the time more popular in America, but less popular worldwide. This was the same time that Facebook Platform came into existence which enabled the login with Facebook ability for third-party sites. We at the time were integrating OpenSocial for the same reasons...

My point is to use a different password for everything, and just assume that anything can be compromised. I also use random passwords as answers for password recovery questions, as otherwise that sort of information is too easy for somebody to find out, and two-factor authentication everywhere it is available.

Very well said!

I prefer single site logins actually, or using something like Disqus for commenting... instead of using social media accounts. One concern I have with the social media accounts is that it could lead to phishing. If you go to some XYZ site and it pops up a very Facebook-like login... how many would fill it in?

And, that's another tip... if you are going to use social media login, or something like Disqus, log into Facebook, Disqus, etc. first, and then XYZ site should connect (and not ask you for name/password). If they do, it's a trap or something is broken. Also, it's a good idea to log back out after you're done, or you're being extra-tracked everywhere else you go!

I actually wrote an article a while back on the Yahoo mess and the problem with 'Security Questions' and gave similar advice... DO NOT ANSWER THEM HONESTLY! Use some random characters, etc. Keep them in your password manager!
http://www.cgwerks.com/yahoo-hack-password-management-problem-security-questions/

re: 2-factor authentication - Do you know how that works with services that have multiple users/family members accessing them? For example, if I turn on 2FA on Dropbox, what happens if my wife connects? Would we both just use an app like Authy, and it would work for both of us at the same time?

2FA sounds like a great idea, but it also seems like a bit of a pain (though probably worth it).
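The post above asks how app-based two-factor authentication behaves when two people use one account. The example below is added for this thread, not taken from any poster or from Dropbox or Authy, and shows the mechanism behind such apps, TOTP as specified in RFC 6238 on top of HOTP from RFC 4226: the code is a function of a shared seed and the current 30-second time step, so any device enrolled with the same seed produces the same code. It uses the RFC's published reference seed (ASCII `12345678901234567890`) so the outputs can be checked against the RFC tables; the device names and the clock values passed in are constructed.

```python
"""Added example: RFC 6238 TOTP, showing why two devices sharing one seed
agree on the code. Not the code of any authenticator product."""
import hashlib
import hmac
import struct
import time

# Reference seed from RFC 4226 / RFC 6238 test vectors. Used only because its
# outputs are published; a real enrollment seed is random and kept secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.

    Each candidate is compared in constant time; a real server must also
    reject reuse of an already-accepted code for the same step."""
    for drift in range(-window, window + 1):
        candidate = hotp(secret, unix_time // step + drift, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


class Authenticator:
    """Models one enrolled device (e.g. one family member's phone) holding
    its own copy of the shared seed. Hypothetical class for this example."""

    def __init__(self, owner: str, secret: bytes):
        self.owner = owner
        self._secret = secret

    def current_code(self, unix_time=None) -> str:
        unix_time = int(time.time()) if unix_time is None else unix_time
        return totp(self._secret, unix_time)


def devices_agree(secret: bytes, unix_time: int) -> bool:
    """Two independently enrolled devices with the same seed: same code."""
    phone_a = Authenticator("person A", secret)
    phone_b = Authenticator("person B", secret)
    return phone_a.current_code(unix_time) == phone_b.current_code(unix_time)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 8-digit SHA-1 vector is 94287082
    print("code at t=59:", totp(RFC_TEST_SECRET, t))
    print("two devices agree:", devices_agree(RFC_TEST_SECRET, t))
    print("accepted by server:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, t), t))
```

The practical consequence is that sharing one account's 2FA between two people means enrolling the same seed on both phones (scanning the same setup QR code), and that whoever holds the seed holds the factor, so it deserves the same protection as the password.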
 
Because it's a fallacy to believe that Facebook, Yahoo, or any other large service provider is any safer than any "random website's homemade auth system". It's proven time and again. Using the same credentials for more than one thing is a foolhardy move, no matter how cryptic the password and how well they seem to be stored. When I had access to millions of E-mail/password combinations, the website was the 19th largest in the world, and a competitor to Facebook which was at the time more popular in America, but less popular worldwide. This was the same time that Facebook Platform came into existence which enabled the login with Facebook ability for third-party sites. We at the time were integrating OpenSocial for the same reasons...

My point is to use a different password for everything, and just assume that anything can be compromised. I also use random passwords as answers for password recovery questions, as otherwise that sort of information is too easy for somebody to find out, and two-factor authentication everywhere it is available.
There has never been a known breach of Facebook or Google, and their security is without a doubt better than what these smaller sites have. Yahoo! has been obviously insecure even before the three breaches, besides being a crappy company in general that nobody should trust.

The random sites usually make you rely on one form of auth anyway, your email. They let you reset your password that way. I can't remember the last time I've needed to answer security questions for that unless I was trying to recover an account without an email, except maybe with online banking.

Also, you're proposing everyone use a separate password for every site, so now they have to keep track of all those passwords somehow. If they put them in some password manager, they're back to the issue of trusting all their credentials in one place. And now that's increasing the chance of non-tech-savvy users doing something like keeping them in an unencrypted text file.
 