Yahoo sued over the theft of 450,000 passwords
  1. Eric H. Gibbs (State Bar No. 173653)
     ehg@girardgibbs.com
     Dylan Hughes (State Bar No. 209113)
     dsh@girardgibbs.com
     Geoffrey A. Munroe (State Bar No. 229590)
     gam@girardgibbs.com
     Amy M. Zeman (State Bar No. 273100)
     amz@girardgibbs.com
     GIRARD GIBBS LLP
     601 California Street, 14th Floor
     San Francisco, California 94104
     Telephone: (415) 981-4800
     Facsimile: (415) 981-4846
     Attorneys for Plaintiff

     UNITED STATES DISTRICT COURT
     NORTHERN DISTRICT OF CALIFORNIA
     SAN JOSE DIVISION

     Jeff Allan, on behalf of himself and all others similarly situated, Plaintiff,
     vs.
     YAHOO! INC., Defendant.

     Case No. cv T2 40t4
     CLASS ACTION COMPLAINT FOR: (1) Negligence
     DEMAND FOR JURY TRIAL

     CLASS ACTION COMPLAINT
  2. SUMMARY OF THE CASE

     1. Yahoo! Inc. is a leading Internet company that provides Internet-based services to millions of users on a monthly basis and yet failed to deploy even the most rudimentary of protections for certain users' personal information. Consequently, a group of hackers, in the name of publicly humiliating Yahoo for its lax security measures, infiltrated a Yahoo database and publicly posted login credentials from over 450,000 accounts.

     2. Plaintiff Jeff Allan is one of the approximately 450,000 users whose information was posted online for the world to see and use. Within days of the breach, Mr. Allan received an alert of account fraud on his eBay account, which used the same login credentials as disclosed in the Yahoo breach. Mr. Allan does not know what other information the hackers and others have gathered about him.

     3. Plaintiff Allan brings this class action lawsuit against Yahoo for failing to adequately safeguard his and others' personal information. Mr. Allan seeks an order requiring Yahoo to remedy the harm caused by its negligent security, which may include compensating Plaintiff and class members for resulting account fraud and for all reasonably necessary measures Plaintiff and class members have had to take in order to identify and safeguard the accounts put at risk by Yahoo's negligent security.

     PARTIES

     4. Plaintiff Jeff Allan is a resident of the State of New Hampshire. Mr. Allan is one of approximately 450,000 people whose e-mail address and password were publicly disclosed on the internet because Yahoo did not take reasonable measures in securing them.

     5. Defendant Yahoo! Inc. is a Delaware corporation with its principal place of business at 701 First Avenue, Sunnyvale, California 94089. Yahoo does business throughout the State of California and the United States. Yahoo maintains a substantial portion of its computer systems in California.

     JURISDICTION AND VENUE

     6. This Court has original jurisdiction pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d), because (a) at least one member of the putative class is a citizen of a state different from Defendant, (b) the amount in controversy exceeds $5,000,000, exclusive of interest and costs, (c) the proposed class consists of more than 100 class members, and (d) none of the exceptions under the
  3. subsection apply to this action.

     7. Venue is proper in this District under 28 U.S.C. § 1391(b) because Defendant maintains its headquarters and principal place of business in this District and a substantial part of the events giving rise to Plaintiff's Complaint occurred in this District.

     INTRADISTRICT ASSIGNMENT

     8. Assignment is proper to the San Jose division of this District under Local Rule 3-2(c), as a substantial part of the events and omissions giving rise to Plaintiff's claims occurred in Santa Clara County.

     COMMON FACTUAL ALLEGATIONS

     Associated Content and the Yahoo! Contributor Network

     9. Yahoo is a Delaware corporation that operates a host of Internet websites and services, including a web portal, search engine, and e-mail service. Roughly 700 million people visit Yahoo websites every month, making them among the most popular on the internet.

     10. In 2010, Yahoo paid $100 million for Associated Content, a company that published text, image, and video media contributed by freelance authors registered with the company. To contribute material before the Yahoo purchase, users had to establish an account with Associated Content, using an e-mail address as the login name and creating a password. Some or all of these login credentials were obtained by Yahoo when it acquired Associated Content.

     11. In November 2010, Yahoo launched the Yahoo! Contributor Network, calling it "an evolution of the Associated Content platform" that would "bring contributions from more than 450,000 writers, photographers, and videographers to the Internet's largest media destinations, including Yahoo! News, Yahoo! Finance, Yahoo! Sports, and even the Yahoo! Homepage, among many others." In December 2011, Yahoo also announced Yahoo! Voices, a new digital library for content published by the Yahoo! Contributor Network, including content acquired with Associated Content. Registered users of the Yahoo! Contributor Network can contribute content and, in some cases, earn money if Yahoo publishes their content.

     The Security Breach

     12. On July 11, 2012, a group of hackers reportedly based in Eastern Europe and known as
  4. "the D33Ds Company" breached Yahoo's security measures and extracted e-mail addresses and passwords that were stored unencrypted within a Yahoo database. D33Ds then posted these login credentials, which were associated with roughly 453,000 Associated Content users, online in a plaintext file, stating that they did so in order to provide a "wake-up" call to Yahoo about its lack of proper security.

     13. The hackers used a technique known as a "SQL injection attack," which works by "injecting" malicious commands into the stream of commands between a website application and the database software feeding it. If the database does not properly screen these inputs for signs of attack, attackers can acquire information from the database that they would otherwise be barred from accessing. In essence, a SQL injection attack exploits the way in which a website communicates with back-end databases, allowing an attacker to issue commands (in the form of specially crafted SQL statements) to a database that contains information used by the website application, such as users' login credentials.

     14. Reasonable information security measures include protecting personal information by securing the data server containing that information from SQL injection attacks, encrypting critical data (such as login credentials) contained in the database, and monitoring network activity to identify suspicious amounts of out-bound data. Proper encryption often includes salting and hashing passwords, which refers to adding strings of random characters to the passwords and then obscuring the data with a cryptography algorithm.

     15. Yahoo, however, failed to employ these basic security measures to protect the personal information obtained and posted by D33Ds. Yahoo does employ these measures to safeguard other data in its possession, but did not do so with respect to the login credentials obtained from Associated Content and affected by the July 11 data breach.

     16. Yahoo's servers should not have been vulnerable to a SQL injection attack. When interviewed about the Yahoo breach, Randy Abrams, research director at NSS Labs, a technology security research and testing company, stated that "[t]he only place we should be seeing SQL injection attacks today is in the classroom, as IT professionals are being trained to prevent such attacks."

     17. Jason Rhykerd, an IT security expert with SystemExperts, estimates that the hackers captured more than 2,000 database tables and column names, along with 298 MySQL variables. Mr.
  5. Rhykerd stated that "[t]he amount of network traffic this attack would have generated should have set off the lightest of [intrusion detection system] rules."

     18. Anders Nilsson, security expert and chief technology officer of security company Eurosecure, points out that "[w]ith the security policies [Yahoo] has in place for its other sites, it should have known to at least put up a firewall to detect these kind of things."

     19. The SQL injection technique used against Yahoo has been known for over a decade and had already been used for massive data thefts against Heartland Payment Systems and others. As far back as 2003, the Federal Trade Commission considered SQL injection attacks to be well-known and foreseeable events that can and should be taken into account through routine security measures. As the FTC stated in a complaint filed against a company who claimed but failed to use reasonable internet security measures:

        The risk of web-based application attacks is commonly known in the information technology industry, as are simple, publicly available measures to prevent such attacks. Security experts have been warning the industry about these vulnerabilities since at least 1997; in 1998, at least one security organization developed, and made available to the public at no charge, security measures which could prevent such attacks; and in 2000, the industry began receiving reports of successful attacks on web-based applications.

     20. Yahoo also should have maintained Plaintiff's and class members' critical login credentials in encrypted form, which would have made them unusable in the event of a security breach. Instead, Yahoo stored this personal information in an unencrypted format that could be read by anyone who obtained access to the database, including Yahoo employees.

     21. Had Yahoo encrypted the data using standard salting and hashing techniques, the data stolen from Yahoo would have been prohibitively difficult to utilize, as each password would have to be cracked individually. For example, another Internet company (social Q&A website Formspring) whose data was recently stolen appears to have successfully protected its users' personal information with such encryption.

     22. As a result of Yahoo's negligent security practices, D33Ds was able to post online the critical login credentials associated with roughly 453,000 Associated Content accounts. Unauthorized individuals could use this information to login into an affected user's Associated Content or Yahoo!
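The two failures the complaint describes, a web application that pastes user input into its SQL text (paragraphs 13 and 14) and passwords stored without salting and hashing (paragraphs 20 and 21), can be shown side by side. The Python below is an added illustration written for this page; it is not part of the complaint and not code from Yahoo or Associated Content. It uses an in-memory SQLite table with constructed sample accounts, and the e-mail addresses, passwords, PBKDF2 iteration count and stored-hash format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Constructed sample accounts (not data from the case). Two users share a
# password on purpose, to show that salting still yields distinct stored values.
SAMPLE_ACCOUNTS = [
    ("alice@example.test", "correct horse"),
    ("bob@example.test", "correct horse"),
]

# Assumed work factor for PBKDF2-HMAC-SHA256; real deployments tune this to hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash a password; the salt makes each hash unique even for equal passwords."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt generated per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record (assumed format) so parameters can be rotated later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_demo_db() -> sqlite3.Connection:
    """In-memory table that stores salted hashes rather than plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [(email, hash_password(pw)) for email, pw in SAMPLE_ACCOUNTS],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> List[str]:
    """Vulnerable pattern: the value is spliced into the SQL text, so quotes in it become SQL."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[str]:
    """Hardened pattern: a bound parameter is always treated as data, never as SQL."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))]


def check_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised lookup plus salted-hash verification; no plaintext password is ever stored."""
    row = conn.execute("SELECT password_hash FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    conn = build_demo_db()
    # A value that contains SQL syntax: the unsafe query returns every row, the safe one none.
    crafted = "nobody@example.test' OR 'a'='a"
    print("unsafe lookup:", lookup_unsafe(conn, crafted))
    print("safe lookup:  ", lookup_safe(conn, crafted))
    for email, pw_hash in conn.execute("SELECT email, password_hash FROM users"):
        print(email, pw_hash[:40] + "...")  # same password, different salted hashes
    print("login ok:", check_login(conn, "alice@example.test", "correct horse"))
```

The unsafe lookup is the mechanism paragraph 13 describes: whatever the database receives is parsed as part of the command. Binding the value as a parameter removes that path entirely, which is why it is the standard remedy rather than input "screening". The per-password salt is what makes paragraph 21 true: two identical passwords produce different stored values, so an attacker holding the table cannot crack them in bulk and must attack each one separately.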
  6. Contributor Network account, and access the personal information contained within the account, including, for instance, the account holder's PayPal ID.

     23. Yahoo's failure to protect the critical login credentials it acquired with Associated Content also put users' accounts with other online service providers at risk because many people use the same login credentials across multiple Internet sites. For instance, a user might use the same e-mail address and password to access a PayPal, Amazon, or internet banking account.

     24. In its Yahoo Security Center, Yahoo itself cautions users to protect their login credentials, answering its own question "Why should I worry about my privacy on the Internet?" as follows:

        You could be locked out of your online account and be unable to access your e-mail. But there can be even greater consequences. You could be the victim of identity theft. Once identity thieves have your personal information, the results can be far-reaching, difficult to rectify, and financially devastating.

        Armed with your credit card information, fraudsters could charge thousands of dollars to your account before you ever see a statement from your credit card company. They can open new credit card accounts in your name.

        Using your identity, they can open a bank account and write bad checks on that account. They can authorize electronic transfers in your name, draining your bank account. To avoid legal action against debts they've incurred using your identity, they might even file for bankruptcy under your name.

        They can take out a loan, buy a car, and get a driver's license - all in your name. They may use your name to get a job or file fraudulent tax returns. And if they're arrested, they may give your name to the police and fail to show up for their court date. Then, a warrant for an arrest is issued - in your name.

     25. SQL injection attacks are well-understood in the Internet Technology industry, having taken place for over a decade, and techniques to resist such attacks are both well-known and in common use by all major Internet businesses. Yahoo failed to use industry standard SQL database protections, monitoring techniques, and encryption practices to protect the user data contained within its database. In particular, Yahoo failed to secure its data server containing Plaintiff's and class members' information from SQL injection attacks, encrypt the critical login credentials contained in the database, and monitor its network activity to identify suspicious amounts of out-bound data. In so doing, Yahoo
  7. violated its duty to reasonably secure the personal information it acquired with Associated Content, resulting in unauthorized persons having access to those critical login credentials and thus access to affected users' Associated Content or Yahoo! Contributor Network accounts and other Internet accounts containing personal information.

     PLAINTIFF'S EXPERIENCE

     26. Mr. Allan opened an account with Associated Content in November 2009 and published articles through the network. Mr. Allan's Content Network account contained personal information including his full name, e-mail address, PayPal e-mail address, date of birth, residency/citizenship, physical address, telephone number, biography, interests and area of expertise, and education. Associated Content also had Mr. Allan's social security number. All of this information was solicited when Mr. Allan opened his account with Associated Content.

     27. On the morning of July 14, 2012, Mr. Allan received e-mails from two online services that he used, informing him of the Yahoo breach. Both services had identified him as a user with breached account information and proactively disabled his passwords.

     28. Mr. Allan then changed the passwords for all of the online accounts he could think of. Mr. Allan has been writing content for a variety of websites for several years and many of the accounts he has established to contribute content have personal information related to tax reporting and with financial accounts, as well as his social security number.

     29. Mr. Allan next attempted to access his Associated Content account through Yahoo! Contributor Network but was unable to do so. Later that afternoon, Mr. Allan received an e-mail from Yahoo informing him of the breach and suggesting that he contact his e-mail service provider to secure his account and monitor activity on all of his online accounts.

     30. Mr. Allan used the same login credentials that were stolen and posted online in the security breach to access his eBay account. On the afternoon of July 20, 2012, Mr. Allan received an e-mail from eBay informing him that someone had accessed his account without his permission and that the e-mail address associated with the account may have been changed. Mr. Allan had not used his eBay account since 2010.

     31. Concerned about unauthorized access to his online accounts, Mr. Allan purchased an
  8. Experian credit monitoring service for $14.95/month.

     CLASS ACTION ALLEGATIONS

     32. Plaintiff Jeff Allan brings this action pursuant to Federal Rule of Civil Procedure 23 on behalf of himself and a class preliminarily defined as:

        All persons whose personal information was accessed and subsequently disclosed following a data breach of Yahoo! Contributor Network on or about July 11, 2012.

     Excluded from the class are Yahoo; any agent, affiliate, parent, or subsidiary of Yahoo; any entity in which Yahoo has a controlling interest; any officer or director of Yahoo; any successor or assign of Yahoo; and any Judge to whom this case is assigned, as well as his or her staff and immediate family.

     33. Plaintiff satisfies the numerosity, commonality, typicality, and adequacy prerequisites for suing as a representative party pursuant to Rule 23.

     34. Numerosity. The proposed class consists of approximately 450,000 persons - far too many to join in a single action.

     35. Commonality. Plaintiff's and class members' claims raise predominantly common factual and legal questions that can be answered for all class members through a single class-wide proceeding. For example, to resolve any class member's claims, it will be necessary to answer the following questions. The answer to each of these questions will necessarily be the same for each class member.

        a. Did Yahoo have a legal duty to use reasonable security measures to protect class members' personal information?

        b. Did Yahoo breach its legal duty by failing to secure the data server containing Plaintiff's and class members' information from SQL injection attacks, encrypt the personal information contained in the database, and monitor its network activity to identify suspicious amounts of out-bound data?

        c. Did any breach by Yahoo of its legal duty to use reasonable security measures cause Plaintiff and class members legally-cognizable damages?

     36. Typicality. Plaintiff's claims are typical of class members' claims as each arises from the same data breach and the same alleged negligence on the part of Yahoo in handling class members'
  9. personal information.

     37. Adequacy. Plaintiff will fairly and adequately protect the interests of the class. His interests do not conflict with class members' interests and he has retained counsel experienced in complex class action litigation and data privacy to vigorously prosecute this action on behalf of the class.

     38. In addition to satisfying the prerequisites of Rule 23(a), Plaintiff satisfies the requirements for maintaining a class action under Rule 23(b)(3). Common questions of law and fact predominate over any questions affecting only individual members and a class action is superior to individual litigation. The amount of damages available to individual plaintiffs is insufficient to make litigation addressing Yahoo's conduct economically feasible in the absence of the class action procedure.

     39. In the alternative, class certification is appropriate under Rule 23(b)(2) because Defendant has acted or refused to act on grounds generally applicable to the class, thereby making final injunctive relief appropriate with respect to the members of the class as a whole.

     FIRST CAUSE OF ACTION
     (For Negligence)

     40. Plaintiff incorporates the above allegations by reference.

     41. By maintaining their personal information in a database that was accessible through the Internet, Yahoo owed Plaintiff and class members a duty to employ reasonable Internet security measures to protect that information.

     42. Yahoo failed to secure the data server containing that information from SQL injection attacks, encrypt the personal information contained in the database, and monitor its networks to identify suspicious amounts of out-bound data. In failing to employ these basic and well-known internet measures, Yahoo departed from the reasonable standard of care and violated its duty to protect Plaintiff's and class members' personal information.

     43. As a direct and proximate result of Yahoo's failure to exercise reasonable care and use commercially reasonable Internet security measures, its databases were accessed by unauthorized individuals who obtained and disclosed the unencrypted personal information of Plaintiff and class
  10. members.

     44. The unauthorized access to Plaintiff's and class members' personal information was reasonably foreseeable by Yahoo, particularly considering that the method of access is widely known in the computer and data security industry, and that it has long been standard practice in the Internet technology sector to encrypt personal information, including critical login credentials.

     45. Neither Plaintiff nor other class members contributed to the security breach or Yahoo's employment of insufficient security measures to safeguard personal information.

     46. As a direct and proximate result of Yahoo's negligence, Plaintiff and class members suffered injury through the public disclosure of their personal information, the unauthorized access to Internet accounts containing additional personal information, and through the heightened risk of unauthorized persons stealing additional personal information. Plaintiff and class members have also incurred the cost of taking measures to identify and safeguard accounts put at risk by disclosure of the personal information stolen from Yahoo, including by purchasing credit monitoring services.

     PRAYER FOR RELIEF

     WHEREFORE, Plaintiff, individually and on behalf of the Class, requests that the Court:

        a. Certify this case as a class action on behalf of the class defined above, appoint Jeff Allan as class representative, and appoint his counsel as class counsel;

        b. Award injunctive and other equitable relief as is necessary to protect the interests of Plaintiff and other class members;

        c. Award damages to Plaintiff and class members in an amount to be determined at trial;

        d. Award Plaintiff and class members their reasonable litigation expenses and attorneys' fees;

        e. Award Plaintiff and class members pre- and post-judgment interest, to the extent allowable; and

        f. Award such other and further relief as equity and justice may require.
  11. JURY TRIAL

     Plaintiff demands a trial by jury for all issues so triable.

     Dated: July 31, 2012

     GIRARD GIBBS LLP

     By:
     Dylan Hughes
     Eric H. Gibbs
     Geoffrey A. Munroe
     Amy M. Zeman
     601 California Street, 14th Floor
     San Francisco, CA 94108
     Telephone: (415) 981-4800
     Facsimile: (415) 981-4846
     Attorneys for Plaintiff