Yahoo sued over the theft of 450,000 passwords
Eric H. Gibbs (State Bar No. 173653)
ehg@girardgibbs.com
Dylan Hughes (State Bar No. 209113)
dsh@girardgibbs.com
Geoffrey A. Munroe (State Bar No. 229590)
gam@girardgibbs.com
Amy M. Zeman (State Bar No. 273100)
amz@girardgibbs.com
GIRARD GIBBS LLP
601 California Street, 14th Floor
San Francisco, California 94104
Telephone: (415) 981-4800
Facsimile: (415) 981-4846

Attorneys for Plaintiff

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

Jeff Allan, on behalf of himself and all others similarly situated,
Plaintiff,
vs.
YAHOO! INC.,
Defendant.

Case No. CV 12 40

CLASS ACTION COMPLAINT FOR:
(1) Negligence

DEMAND FOR JURY TRIAL

CLASS ACTION COMPLAINT
SUMMARY OF THE CASE

1. Yahoo! Inc. is a leading Internet company that provides Internet-based services to millions of users on a monthly basis and yet failed to deploy even the most rudimentary of protections for certain users' personal information. Consequently, a group of hackers, in the name of publicly humiliating Yahoo for its lax security measures, infiltrated a Yahoo database and publicly posted login credentials from over 450,000 accounts.

2. Plaintiff Jeff Allan is one of the approximately 450,000 users whose information was posted online for the world to see and use. Within days of the breach, Mr. Allan received an alert of account fraud on his eBay account, which used the same login credentials as disclosed in the Yahoo breach. Mr. Allan does not know what other information the hackers and others have gathered about him.

3. Plaintiff Allan brings this class action lawsuit against Yahoo for failing to adequately safeguard his and others' personal information. Mr. Allan seeks an order requiring Yahoo to remedy the harm caused by its negligent security, which may include compensating Plaintiff and class members for resulting account fraud and for all reasonably necessary measures Plaintiff and class members have had to take in order to identify and safeguard the accounts put at risk by Yahoo's negligent security.

PARTIES

4. Plaintiff Jeff Allan is a resident of the State of New Hampshire. Mr. Allan is one of approximately 450,000 people whose e-mail address and password were publicly disclosed on the internet because Yahoo did not take reasonable measures in securing them.

5. Defendant Yahoo! Inc. is a Delaware corporation with its principal place of business at 701 First Avenue, Sunnyvale, California 94089. Yahoo does business throughout the State of California and the United States. Yahoo maintains a substantial portion of its computer systems in California.

JURISDICTION AND VENUE

6. This Court has original jurisdiction pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d), because (a) at least one member of the putative class is a citizen of a state different from Defendant, (b) the amount in controversy exceeds $5,000,000, exclusive of interest and costs, (c) the proposed class consists of more than 100 class members, and (d) none of the exceptions under the subsection apply to this action.
7. Venue is proper in this District under 28 U.S.C. § 1391(b) because Defendant maintains its headquarters and principal place of business in this District and a substantial part of the events giving rise to Plaintiff's Complaint occurred in this District.

INTRADISTRICT ASSIGNMENT

8. Assignment is proper to the San Jose division of this District under Local Rule 3-2(c), as a substantial part of the events and omissions giving rise to Plaintiff's claims occurred in Santa Clara County.

COMMON FACTUAL ALLEGATIONS

Associated Content and the Yahoo! Contributor Network

9. Yahoo is a Delaware corporation that operates a host of Internet websites and services, including a web portal, search engine, and e-mail service. Roughly 700 million people visit Yahoo websites every month, making them among the most popular on the internet.

10. In 2010, Yahoo paid $100 million for Associated Content, a company that published text, image, and video media contributed by freelance authors registered with the company. To contribute material before the Yahoo purchase, users had to establish an account with Associated Content, using an e-mail address as the login name and creating a password. Some or all of these login credentials were obtained by Yahoo when it acquired Associated Content.

11. In November 2010, Yahoo launched the Yahoo! Contributor Network, calling it "an evolution of the Associated Content platform" that would "bring contributions from more than 450,000 writers, photographers, and videographers to the Internet's largest media destinations, including Yahoo! News, Yahoo! Finance, Yahoo! Sports, and even the Yahoo! Homepage, among many others." In December 2011, Yahoo also announced Yahoo! Voices, a new digital library for content published by the Yahoo! Contributor Network, including content acquired with Associated Content. Registered users of the Yahoo! Contributor Network can contribute content and, in some cases, earn money if Yahoo publishes their content.
The Security Breach

12. On July 11, 2012, a group of hackers reportedly based in Eastern Europe and known as "the D33Ds Company" breached Yahoo's security measures and extracted e-mail addresses and passwords that were stored unencrypted within a Yahoo database. D33Ds then posted these login credentials, which were associated with roughly 453,000 Associated Content users, online in a plaintext file, stating that they did so in order to provide a "wake-up" call to Yahoo about its lack of proper security.
13. The hackers used a technique known as a "SQL injection attack," which works by "injecting" malicious commands into the stream of commands between a website application and the database software feeding it. If the database does not properly screen these inputs for signs of attack, attackers can acquire information from the database that they would otherwise be barred from accessing. In essence, a SQL injection attack exploits the way in which a website communicates with back-end databases, allowing an attacker to issue commands (in the form of specially crafted SQL statements) to a database that contains information used by the website application, such as users' login credentials.

14. Reasonable information security measures include protecting personal information by securing the data server containing that information from SQL injection attacks, encrypting critical data (such as login credentials) contained in the database, and monitoring network activity to identify suspicious amounts of out-bound data. Proper encryption often includes salting and hashing passwords, which refers to adding strings of random characters to the passwords and then obscuring the data with a cryptography algorithm.

15. Yahoo, however, failed to employ these basic security measures to protect the personal information obtained and posted by D33Ds. Yahoo does employ these measures to safeguard other data in its possession, but did not do so with respect to the login credentials obtained from Associated Content and affected by the July 11 data breach.

16. Yahoo's servers should not have been vulnerable to a SQL injection attack. When interviewed about the Yahoo breach, Randy Abrams, research director at NSS Labs, a technology security research and testing company, stated that "[t]he only place we should be seeing SQL injection attacks today is in the classroom, as IT professionals are being trained to prevent such attacks."

17. Jason Rhykerd, an IT security expert with SystemExperts, estimates that the hackers captured more than 2,000 database tables and column names, along with 298 MySQL variables. Mr. Rhykerd stated that "[t]he amount of network traffic this attack would have generated should of set off the lightest of [intrusion detection system] rules."

18. Anders Nilsson, security expert and chief technology officer of security company Eurosecure, points out that "[w]ith the security policies [Yahoo] has in place for its other sites, it should have known to at least put up a firewall to detect these kind of things."

19. The SQL injection technique used against Yahoo has been known for over a decade and had already been used for massive data thefts against Heartland Payment Systems and others. As far back as 2003, the Federal Trade Commission considered SQL injection attacks to be well-known and foreseeable events that can and should be taken into account through routine security measures. As the FTC stated in a complaint filed against a company who claimed but failed to use reasonable internet security measures:

The risk of web-based application attacks is commonly known in the information technology industry, as are simple, publicly available measures to prevent such attacks. Security experts have been warning the industry about these vulnerabilities since at least 1997; in 1998, at least one security organization developed, and made available to the public at no charge, security measures which could prevent such attacks; and in 2000, the industry began receiving reports of successful attacks on web-based applications.

20. Yahoo also should have maintained Plaintiff's and class members' critical login credentials in encrypted form, which would have made them unusable in the event of a security breach. Instead, Yahoo stored this personal information in an unencrypted format that could be read by anyone who obtained access to the database, including Yahoo employees.

21. Had Yahoo encrypted the data using standard salting and hashing techniques, the data stolen from Yahoo would have been prohibitively difficult to utilize, as each password would have to be cracked individually. For example, another Internet company (social Q&A website Formspring) whose data was recently stolen appears to have successfully protected its user's personal information with such encryption.
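The two safeguards the complaint says were missing, per-user salted password hashing (paragraphs 14 and 21) and a database lookup that keeps user input out of the SQL text (paragraph 13), shown together as an added Python example that is not part of the complaint or of any Yahoo system; the table, column and user names are constructed for illustration, and the PBKDF2 work factor is an assumed value.

```python
# Added example, not from the complaint: credentials stored as salted,
# iterated hashes and looked up with bound SQL parameters. Table, column
# and user names are constructed for illustration.
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for your hardware

def create_store():
    """In-memory table standing in for the credentials database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn

def hash_password(password, salt):
    """Salt + password through PBKDF2-HMAC-SHA256: the 'salting and hashing'
    the complaint refers to. Only the salt and the hash are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(conn, email, password):
    """Fresh random salt per user, so identical passwords get different hashes."""
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))

def verify(conn, email, password):
    """Bound parameter: the email reaches SQLite as data, so a quote or keyword
    inside it never becomes part of the SQL text (the injection path in par. 13)."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)

def stored_hashes_differ(conn, email_a, email_b):
    """True when the two stored hashes differ. With per-user salts this holds
    even for the same password, which is why a leaked table has to be cracked
    one entry at a time (par. 21) rather than read off like a plaintext dump."""
    rows = conn.execute("SELECT email, pw_hash FROM users WHERE email IN (?, ?)",
                        (email_a, email_b)).fetchall()
    hashes = dict(rows)
    return hashes[email_a] != hashes[email_b]

def demo():
    """Constructed users; returns the checks a reviewer would want to see."""
    conn = create_store()
    register(conn, "alice@example.com", "correct horse")
    register(conn, "bob@example.com", "correct horse")        # same password as alice
    register(conn, "o'brien@example.com", "battery staple")   # quote in the login name
    return {
        "alice_ok": verify(conn, "alice@example.com", "correct horse"),
        "wrong_password": verify(conn, "alice@example.com", "battery staple"),
        "unknown_user": verify(conn, "nobody@example.com", "correct horse"),
        "quote_bound_as_data": verify(conn, "o'brien@example.com", "battery staple"),
        "same_password_different_hashes": stored_hashes_differ(
            conn, "alice@example.com", "bob@example.com"),
    }
```

A plaintext table like the one described in paragraph 12 would show alice and bob with identical stored values; here only the per-user salt and the derived hash are on disk, and the login-name lookup never splices user input into the query string.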
22. As a result of Yahoo's negligent security practices, D33Ds was able to post online the critical login credentials associated with roughly 453,000 Associated Content accounts. Unauthorized individuals could use this information to log in to an affected user's Associated Content or Yahoo! Contributor Network account, and access the personal information contained within the account, including, for instance, the account holder's PayPal ID.

23. Yahoo's failure to protect the critical login credentials it acquired with Associated Content also put users' accounts with other online service providers at risk because many people use the same login credentials across multiple Internet sites. For instance, a user might use the same e-mail address and password to access a PayPal, Amazon, or internet banking account.

24. In its Yahoo Security Center, Yahoo itself cautions users to protect their login credentials, answering its own question "Why should I worry about my privacy on the Internet?" as follows:

You could be locked out of your online account and be unable to access your e-mail. But there can be even greater consequences. You could be the victim of identity theft.

Once identity thieves have your personal information, the results can be far-reaching, difficult to rectify, and financially devastating.

Armed with your credit card information, fraudsters could charge thousands of dollars to your account before you ever see a statement from your credit card company. They can open new credit card accounts in your name.

Using your identity, they can open a bank account and write bad checks on that account. They can authorize electronic transfers in your name, draining your bank account. To avoid legal action against debts they've incurred using your identity, they might even file for bankruptcy under your name.

They can take out a loan, buy a car, and get a driver's license - all in your name. They may use your name to get a job or file fraudulent tax returns. And if they're arrested, they may give your name to the police and fail to show up for their court date. Then, a warrant for an arrest is issued - in your name.

25. SQL injection attacks are well-understood in the Internet Technology industry, having taken place for over a decade, and techniques to resist such attacks are both well-known and in common use by all major Internet businesses. Yahoo failed to use industry standard SQL database protections, monitoring techniques, and encryption practices to protect the user data contained within its database. In particular, Yahoo failed to secure its data server containing Plaintiff's and class members' information from SQL injection attacks, encrypt the critical login credentials contained in the database, and monitor its network activity to identify suspicious amounts of out-bound data. In so doing, Yahoo violated its duty to reasonably secure the personal information it acquired with Associated Content, resulting in unauthorized persons having access to those critical login credentials and thus access to affected users' Associated Content or Yahoo! Contributor Network accounts and other Internet accounts containing personal information.
PLAINTIFF'S EXPERIENCE

26. Mr. Allan opened an account with Associated Content in November 2009 and published articles through the network. Mr. Allan's Content Network account contained personal information including his full name, e-mail address, PayPal e-mail address, date of birth, residency/citizenship, physical address, telephone number, biography, interests and area of expertise, and education. Associated Content also had Mr. Allan's social security number. All of this information was solicited when Mr. Allan opened his account with Associated Content.

27. On the morning of July 14, 2012, Mr. Allan received e-mails from two online services that he used, informing him of the Yahoo breach. Both services had identified him as a user with breached account information and proactively disabled his passwords.

28. Mr. Allan then changed the passwords for all of the online accounts he could think of. Mr. Allan has been writing content for a variety of websites for several years and many of the accounts he has established to contribute content have personal information related to tax reporting and to financial accounts, as well as his social security number.

29. Mr. Allan next attempted to access his Associated Content account through Yahoo! Contributor Network but was unable to do so. Later that afternoon, Mr. Allan received an e-mail from Yahoo informing him of the breach and suggesting that he contact his e-mail service provider to secure his account and monitor activity on all of his online accounts.

30. Mr. Allan used the same login credentials that were stolen and posted online in the security breach to access his eBay account. On the afternoon of July 20, 2012, Mr. Allan received an e-mail from eBay informing him that someone had accessed his account without his permission and that the e-mail address associated with the account may have been changed. Mr. Allan had not used his eBay account since 2010.

31. Concerned about unauthorized access to his online accounts, Mr. Allan purchased an Experian credit monitoring service for $14.95/month.
CLASS ACTION ALLEGATIONS

32. Plaintiff Jeff Allan brings this action pursuant to Federal Rule of Civil Procedure 23 on behalf of himself and a class preliminarily defined as:

All persons whose personal information was accessed and subsequently disclosed following a data breach of Yahoo! Contributor Network on or about July 11, 2012.

Excluded from the class are Yahoo; any agent, affiliate, parent, or subsidiary of Yahoo; any entity in which Yahoo has a controlling interest; any officer or director of Yahoo; any successor or assign of Yahoo; and any Judge to whom this case is assigned, as well as his or her staff and immediate family.

33. Plaintiff satisfies the numerosity, commonality, typicality, and adequacy prerequisites for suing as a representative party pursuant to Rule 23.

34. Numerosity. The proposed class consists of approximately 450,000 persons, far too many to join in a single action.

35. Commonality. Plaintiff's and class members' claims raise predominantly common factual and legal questions that can be answered for all class members through a single class-wide proceeding. For example, to resolve any class member's claims, it will be necessary to answer the following questions. The answer to each of these questions will necessarily be the same for each class member.

a. Did Yahoo have a legal duty to use reasonable security measures to protect class members' personal information?

b. Did Yahoo breach its legal duty by failing to secure the data server containing Plaintiff's and class members' information from SQL injection attacks, encrypt the personal information contained in the database, and monitor its network activity to identify suspicious amounts of out-bound data?

c. Did any breach by Yahoo of its legal duty to use reasonable security measures cause Plaintiff and class members legally-cognizable damages?

36. Typicality. Plaintiff's claims are typical of class members' claims as each arises from the same data breach and the same alleged negligence on the part of Yahoo in handling class members' personal information.

37. Adequacy. Plaintiff will fairly and adequately protect the interests of the class. His interests do not conflict with class members' interests and he has retained counsel experienced in complex class action litigation and data privacy to vigorously prosecute this action on behalf of the class.

38. In addition to satisfying the prerequisites of Rule 23(a), Plaintiff satisfies the requirements for maintaining a class action under Rule 23(b)(3). Common questions of law and fact predominate over any questions affecting only individual members and a class action is superior to individual litigation. The amount of damages available to individual plaintiffs is insufficient to make litigation addressing Yahoo's conduct economically feasible in the absence of the class action procedure.

39. In the alternative, class certification is appropriate under Rule 23(b)(2) because Defendant has acted or refused to act on grounds generally applicable to the class, thereby making final injunctive relief appropriate with respect to the members of the class as a whole.
FIRST CAUSE OF ACTION
(For Negligence)

40. Plaintiff incorporates the above allegations by reference.

41. By maintaining their personal information in a database that was accessible through the Internet, Yahoo owed Plaintiff and class members a duty to employ reasonable Internet security measures to protect that information.

42. Yahoo failed to secure the data server containing that information from SQL injection attacks, encrypt the personal information contained in the database, and monitor its networks to identify suspicious amounts of out-bound data. In failing to employ these basic and well-known internet measures, Yahoo departed from the reasonable standard of care and violated its duty to protect Plaintiff's and class members' personal information.

43. As a direct and proximate result of Yahoo's failure to exercise reasonable care and use commercially reasonable Internet security measures, its databases were accessed by unauthorized individuals who obtained and disclosed the unencrypted personal information of Plaintiff and class members.

44. The unauthorized access to Plaintiff's and class members' personal information was reasonably foreseeable by Yahoo, particularly considering that the method of access is widely known in the computer and data security industry, and that it has long been standard practice in the Internet technology sector to encrypt personal information, including critical login credentials.

45. Neither Plaintiff nor other class members contributed to the security breach or Yahoo's employment of insufficient security measures to safeguard personal information.

46. As a direct and proximate result of Yahoo's negligence, Plaintiff and class members suffered injury through the public disclosure of their personal information, the unauthorized access to Internet accounts containing additional personal information, and through the heightened risk of unauthorized persons stealing additional personal information. Plaintiff and class members have also incurred the cost of taking measures to identify and safeguard accounts put at risk by disclosure of the personal information stolen from Yahoo, including by purchasing credit monitoring services.
PRAYER FOR RELIEF

WHEREFORE, Plaintiff, individually and on behalf of the Class, requests that the Court:

a. Certify this case as a class action on behalf of the class defined above, appoint Jeff Allan as class representative, and appoint his counsel as class counsel;

b. Award injunctive and other equitable relief as is necessary to protect the interests of Plaintiff and other class members;

c. Award damages to Plaintiff and class members in an amount to be determined at trial;

d. Award Plaintiff and class members their reasonable litigation expenses and attorneys' fees;

e. Award Plaintiff and class members pre- and post-judgment interest, to the extent allowable; and

f. Award such other and further relief as equity and justice may require.
JURY TRIAL

Plaintiff demands trial by jury for all issues so triable.

Dated: July 31, 2012

GIRARD GIBBS LLP

By: Dylan Hughes

Eric H. Gibbs
Geoffrey A. Munroe
Amy M. Zeman
601 California Street, 14th Floor
San Francisco, CA 94108
Telephone: (415) 981-4800
Facsimile: (415) 981-4846

Attorneys for Plaintiff