Yahoo Sued For Password Breach
twoheadedboy writes "Yahoo is being sued by one of its users, who has claimed the US Internet company was guilty of negligence when 450,000 passwords of the members of the Yahoo Voices blogging community were posted online. Jeff Allan from New Hampshire has turned to a federal court in San Jose, California, after his eBay account, which used the same password as his Voices account, was compromised. The breach at Yahoo followed similar hits on LinkedIn and Nvidia, which together saw millions of passwords leaked."
Re:TRWTF (Score:5, Informative)
Salted passwords don't matter - you can recover the password. Heck, you can reverse engineer hashing algorithms by just making a bunch of passwords then recovering them.
That would require that you not only steal the password hash file but also the software used to create that file, including the salt, etc.
The point in the current case is that the passwords WERE NOT stored encrypted in any form. They were stored in clear text despite every recommendation never to do this on any system. It's inexcusable.
Every Linux distribution since the Pleistocene has defaulted to at least a minimally encrypted password file. Yahoo runs nothing but Linux [netcraft.com]. They would have had to intentionally bypass Linux security basics and roll their own to end up in such a mess.
They deserve to be sued. Still, it will be a hard case to win because there is no law that says they have to be careful or competent.
Re:Guilty of Negligence (Score:4, Informative)
It's his accounts that are at risk. His choice to take the risk. Not Yahoo's choice. See the difference?