Dear Yahoo Customer:
Click here to join our Class Lawsuit: [spam link removed by virus scanner]
(Joke icon, because I wish it was one...)
Just two days after Yahoo! admitted hackers had raided its database of at least 500 million accounts, the Purple Palace is being dragged into court. Two Yahoo! users in San Diego, California, filed on Friday a class-action claim [PDF] against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive …
“There's a sense of money to be made,” the plaintiffs' lawyer Larson E. Whipsnade, of Dewey, Cheatum, & Howe, said as he explained the reason for launching the suit.
"We think they blah, blah, blah, and even more blah, blah, blah. I anticipate our law firm will make millions fighting for justice on behalf of those good people who can't fight a giant corporation on their own.
The pain and suffering this has caused will be compensated by settlements of up to $1.49 for each and every person who joins this class action.”
I've always wondered how Yahoo! has managed to stay afloat after so many years of bumbling incompetence.
If there is a major class-action lawsuit over this I doubt Yahoo! will be able to continue operating at all.
It's about time a class-action happened anyway. This kind of nonsense has been going on for too long already, especially since it seems to always be for the same basic reasons: improper handling of user credentials.
The book has been written on that. It is high time CEOs get the message: Apply proper security, OR ELSE.
Received emails from old BT Yahoo! accounts suggesting a password reset recently, a little surprised to find they were still active. Rather bothersome to have relative's actual security answers out in the wild now, just reinforcing my view that they should always be made-up.
I can safely assume that Ms. Mayer was fully aware of this hack, but chose to suppress, since Yahoo wanted to sell itself AND most IMPORTANTLY, she wanted to secure her 58 million severance payout when the day came. Managed well for 2 years, didn't she?
Now it's all on ice.
And yet, it is standard practice everywhere. They will underplay a hack with the friendly media giving them enough cover and right excuses.
Eg: Talktalk hacked thrice last year. Yet, Ms. Harding conveniently blamed teenagers in a shed and the storm blew over. She is also part of the establishment, which helps. Similarly, blame a foreign government (state - China/Russia which is fashionable) and the heat becomes less. No one will acknowledge that they skimped on security.
Go figure.
A bit disappointed in the relatively meaningless sentence:
"If even a fraction of the 500 million Yahoo! users targeted by hackers take action against the company, and win even a miserly award, the potential costs to the biz could count in the high multi-millions."
So many missed potential fractions and costs, and calculations relative to the current price of tea in China. Bonus points for including the inflationary pressures of purchasing so much Chinese tea at once.
Was the hack illegal? If not, then Yahoo haven't done anything wrong. And it's probably legal if it was a state-backed hacker.
Why? you ask...well, IANAL but, given that local US laws on data access apply worldwide, so presumably do local Russian, Chinese, Nork etc laws. If it's legal in the US for the US government to hack Chinese systems, then it's also legal in the US for Chinese government staff to hack US systems.
So, no offence.
It is legal in the US for the US government to conduct such activities in other countries with which the US government does not have treaties that govern them; otherwise not.
It is legal in the US for a foreign government to conduct such activities in the US if a treaty approved by the US Senate authorizes them; otherwise not.
I am not aware of any treaties that allow such activities in the US by any other government (or, for that matter, any laws that would allow it by either the government or private sector actors). The hack was illegal whether done by a foreign government, foreigners, or US residents. Blaming it on a "state actor" is misdirection that one supposes is intended to increase the scariness and reduce Yahoo!'s perceived culpability in the matter.
I think you are looking at this from the wrong angle. If US law says it's legal for the US state to hack in countries where there are no treaties, then it's probably legal in, eg North Korea for the state to hack in the US. In other words, if this was a state hack, then likely the hack was legal in the jurisdiction where it was performed. It's only illegal in the state where the victim is in these types of cases.
So now I'm part of a class action lawsuit (Yahoo! user in California) that may eventually get me $1.50-$2.50, while the lawyers make off with hundreds of millions.
Color me unimpressed for a multitude of reasons, but the primary one is:
- Yahoo! does not have my real birthday
- Yahoo! does not have my real phone number
- Yahoo! does not have my real physical address
If it's not a bank, government entity, or other organization with which I am doing legal or financial business, why on Earth would I give them real data?
So Yahoo! hack = No big deal for me. If they crack Google and get my g-mail password, no big deal for me.
If it's a free service, don't trust it to keep your data safe. Seems like common sense.
(I should clarify that I think Yahoo! screwed up and should face some form of punishment, but the idea that I provided data to a free service and now that data has been compromised just seems like par for the course. I don't think Yahoo!'s users need big payouts if their nude selfies got nicked. Don't store sensitive data on the intrawebs. True 20 years ago, true today...)
(And yes, I know that by providing Yahoo! with falsified data I committed some sort of crime, but I think the fact that it's criminal to keep your personal data out of the hands of such yahoos is even more criminal...)
"If it's a free service, don't trust it to keep your data safe. Seems like common sense."
Nevertheless, if you seek or accept custodianship of someone's data it becomes your responsibility to keep it safe, even if you're providing a free service. Responsibility isn't simply a consequence of being paid.
Maybe not immediately.
But when the people in your address book have all been profiled and identified, there will initially be a missing jigsaw piece (you).
Probably easily filled by "triangulating" the data supplied by these other people which inadvertently identifies you.
Maybe correspondent "A" (in your address book) emailed correspondent "B" (also in your address book) about something you were also involved with, where personal information about you is given.
If I get a postcard telling me I was part of the class, I will write 2 letters. One to remove myself from the class and the 2nd to the judge (both addresses will be included on the card) urging him or her to throw this out. Everyone's either been hacked or will get hacked. It's impossible to secure everything all the time. It's absurd to give a few lawyers millions of dollars and destroy a big company that employs thousands just to give 100 million users probably the equivalent of $5 each.
It's not about the hack. Those happen. It's about either
A) Them sitting on it for two years (assuming they knew about it)
or
B) Them not spotting it for two years. Which tells you everything you need to know about how much attention they pay to security.
Either way, calling them to account is legitimate.
Seriously, we know attacks and leaks happen. It's how the company responds afterwards that really shows you what they're made of.
From the numbers, as many US adults were victims of the hack as were not victims. It seems more that the "class" of the action is the average citizen. It would make more sense if the government settled on behalf of all citizens for $1 (or more) per citizen, precluding all other US class actions, but not individual claims. And take $1 off everybody's tax bill. Ha. Ha. Ha ha.
Probably better if they (hooYa!) just give some money to charity and shut down their operations, what Joe Public get out of it at the back isn't worth a class action (real damages? Who actually uses hooYa! for anything but spam emails?)
hooYa! as that's what Ms Mayer is probably saying as she rides the company mechanical bull in the executive suite with the Verizon deal on the table! Not exactly an Autonomy moment but close :)
Is that it happened two years ago and Yahoo is just now finding out about it. Unless they knew about it earlier, in which case I am down with Dewey, Cheatem and Howe. That is another reason for strongly suspecting a state actor. Entrepreneurial hackers want to publicize their exploits, state actors want to keep what they have done secret so adversaries are unaware how badly they have been penetrated.