Yahoo has been hit with a class-action lawsuit as a result of its failure to notify users of a massive 2014 hack in which information was stolen from at least 500 million accounts.
The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the unprecedented data leak.
Yahoo demonstrated “reckless disregard for the security of its users’ personal information that it promised to protect,” according to the complaint. http://fortune.com/2016/09/23/yahoo-is-sued-for-gross-negligence-over-huge-hacking/
The lawsuit is in response to a data breach that has been called the biggest in history, involving at least 500 million usernames and email addresses with telephone numbers and hashed passwords attached to them. Yahoo claims that no payment or card information was stolen. However, it said that "in some cases, encrypted or unencrypted security questions and answers" were included - meaning that the hackers have vital personal information such as mothers' maiden names, school names and former addresses. The breach is alleged to have occurred in late 2014.
https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security
The breach became public knowledge when a database was found for sale on a darknet market. The vendor claimed that there were 200 million Yahoo account details for sale. It was only later discovered that the database being sold was from an earlier breach in 2012 in which 450,000 Yahoo accounts had been breached.
http://www.pcworld.com/article/259136/450_000_yahoo_voice_passwords_breached_hacking_group_claims.html
http://www.pcworld.com/article/3102998/security/200m-yahoo-accounts-go-up-for-sale-on-digital-black-market.html
In addition to the lawsuit, there are questions as to whether Yahoo intentionally withheld knowledge of the breach from Verizon, which had been negotiating a purchase of the struggling Sunnyvale firm. The purchase was due to be completed for $4.8 billion. http://money.cnn.com/2016/07/25/technology/yahoo-verizon-deal-sale/
Yahoo's inaction and dishonesty may yet lead to SEC sanctions. Yahoo claims to have learned of the mega-breach in August, but it filed papers with the SEC on September 9th stating that it was unaware of "any incidents of, or third party claims alleging" security breaches, "unauthorized access or use" of its information technology systems or misuse of personal information that could significantly impact its business. Companies are required to tell the SEC about events that any "reasonable investor would consider important in an investment decision," according to the agency.
https://www.washingtonpost.com/news/the-switch/wp/2016/09/28/could-yahoo-be-in-trouble-with-the-sec/
It has since been revealed by Yahoo insiders that data protection took a backseat to aesthetics at the beleaguered technology company. The security team within Yahoo was given the name 'Paranoids', and its requests were often ignored because of fears that the added security would prove to be too much of an inconvenience.
http://mobile.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html
What should Yahoo users do now?
- Yahoo account holders should visit https://haveibeenpwned.com/ and check if their details are among those compromised.
- Yahoo is asking anyone who hasn't changed their password since 2014 to update it.
- Use a good password manager, e.g. KeePass
- Turn on two-factor authentication