In his lawsuit seeking class-action status -- filed in federal court in San Jose, Calif., on Tuesday -- Jeff Allan is asking the court to order Yahoo to compensate him and others for "resulting account fraud" and measures people had to take to protect against identity theft.
Not only was Allan's Yahoo password stolen, but someone also accessed his eBay account without his permission after the Yahoo breach because he had used the same log-in credentials there, according to the suit. He also said he bought a subscription to Experian credit monitoring services for $14.95 a month.
Allan's account on the Yahoo Contributor Network site contained personal information including his name; e-mail address; PayPal e-mail address; date of birth; residency/citizenship; physical address and telephone number; and even his Social Security number, among other information, he said.
A group of hackers known as "D33Ds Co." publicly posted more than 450,000 usernames and passwords obtained from Yahoo's Contributor Network site last month. They said they had used an SQL injection to trick a database into revealing data and carried out the hack to expose lax security at Yahoo. The data was stored in plain text instead of being cryptographically masked in a process called "hashing." Yahoo was negligent in not taking measures to protect against such a common attack and in not using encryption to protect the data, the suit alleges.