Less than a week after Yahoo announced that a 2014 data breach had compromised the private information of 500 million users—and two months before Yahoo said that a separate 2013 breach had endangered the data of 1 billion users—ClassAction.com attorneys filed a negligence lawsuit against the tech giant for failing to protect and inform consumers.
Lead plaintiff Edward McMahon filed the lawsuit in the Northern District of California on behalf of himself and all others similarly situated, leaving the door open for a class action.
The complaint argues that Yahoo failed to safeguard its users’ personal information: names, email addresses, passwords, phone numbers, security questions and answers, etc.
It also says that Yahoo did not provide timely, accurate, or adequate notice of the data breach, and alleges breach of implied contract and violation of California's Unfair Competition Law (Business & Professions Code).
“It’s inconceivable that Yahoo either failed to detect the breach for two years,” said attorney John Yanchunis, “or it knew of the breach in 2014 and intentionally disregarded the privacy interests of consumers and breach notification laws by failing to inform consumers of the breach for two years.”
Yahoo Breach Could Have Major Aftershocks
Cyber-security experts say the Yahoo breach could trigger a chain reaction in which tens or even hundreds of thousands more accounts are hacked.
Matt Blaze, a security researcher at the University of Pennsylvania, tweeted that “data breaches on the scale of Yahoo are the security equivalent of ecological disasters.”
These types of mega-breaches don’t just stop at the site that was breached, because the hackers now have vital information that can grant them access to other sites as well.
Hackers may use the passwords obtained in the Yahoo breach on other sites, gaining access to some of these accounts, too. Even if just 0.1% of the 500 million passwords work elsewhere, that would equal another 500,000 breaches.
And, as Mr. Yanchunis notes, while many Yahoo users may not actively use their breached Yahoo accounts, that does not mean they closed those accounts prior to 2014—which means their information was still there for the taking.
“The ramifications of this breach may be extremely devastating,” Mr. Yanchunis said.
How to Protect Yourself from Data Breaches
The complaint alleges that the lead plaintiff in the case, Edward McMahon, has noted suspicious activity on his Yahoo accounts, including not being able to access his accounts. He believes the hackers changed his passwords.
Mr. McMahon “has very important sensitive information in his emails that he… believes have been accessed,” according to the complaint.
If your personal information was compromised in the Yahoo data breach, the first thing you should do is change your passwords (Yahoo and others). Make sure they are all strong and unique. Other tips for protecting your data:
- Enable multi-step verification whenever possible
- Don’t recycle passwords across sites
- Use apps like LastPass to store complex, hard-to-crack passwords
- Check Have I Been Pwned? to determine if/when you’ve been hacked