Slashdot Mirror


Yahoo Sued For Gross Negligence Over Huge Hacking (reuters.com)

Yahoo apparently took two years to investigate and tell people that its service had been breached, and that over 500 million users were affected. Amid the announcement, a user is suing Yahoo, accusing the company of gross negligence. From a Reuters report: The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a "state-sponsored actor." Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages. A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation. The attack could complicate Chief Executive Marissa Mayer's effort to shore up the website's flagging fortunes, two months after she agreed to a $4.8 billion sale of Yahoo's Internet business to Verizon Communications. Yahoo on Thursday said user information including names, email addresses, phone numbers, birth dates and encrypted passwords had been compromised in late 2014.

56 comments

  1. Not good enough by Anonymous Coward · · Score: 5, Insightful

    When you're this negligent with your security, a simple class action lawsuit for damages won't suffice. It doesn't solve the problem, either, because these are usually settled to the benefit of the lawyers. Instead, the executives and any managers who were behind this negligence need to spend some serious time in prison. Yes, that includes Marissa Mayer, who needs to be behind bars for the awful way her company handled the breach. I despise the Russian hackers, who deserve to be on the receiving end of vigilante justice. However, there also needs to be some lengthy jail sentences for plenty of people at Yahoo. It's also time that companies like Yahoo that do this have to pay serious restitution to everyone on the receiving end of such a breach, enough so to put the company out of business (that shouldn't be hard in Yahoo's case).

    1. Re:Not good enough by hcs_$reboot · · Score: 1

      While this is true, that will never happen. Not within the next 10 years at least.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Not good enough by JaredOfEuropa · · Score: 5, Interesting

      I join you in your moral outrage, but... does the law (US law or otherwise) even have a provision for such negligence? Also, what is it we want to see punished? Lax security? That sounds fine until you realise every guy with a message board will be on the hook as well: not everyone is a security expert (or even a half decent webadmin), and certainly not everyone can afford to hire one.

      What I certainly would like to see punished is the very very late disclosure of the breach. Starting this year, companies in the Netherlands are obliged to disclose data breaches. Fines for non compliance go up to €500k for simple cases; for more serious cases the fine is capped at 10% of net yearly turnover. It's a start... the law applies only if sensitive information was leaked such as names, dates of birth, addresses, medical info, etc. It doesn't cover username / password. Also, the company discloses the breach to the authorities, not their customers; the authorities may force the company to inform their customers as well though.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:Not good enough by Anonymous Coward · · Score: 2, Interesting

      "When you're this negligent with your security, a simple class action lawsuit for damages won't suffice. "

      Take a good look at the Lawyers involved...
      They don't take on trivial cases.
      They win.
      They get huge settlements.

      And don't think for a minute that "Ronald Schwartz" just waltzed into the Law Offices with a grudge. There will be other suits filed all over the country Very Soon Now, by other "Chosen" Plaintiffs, just to get this all rolled into one Big Hairy Juicy Class Action Law Suit. Possibly the biggest, ever.
      Of course, even Lawyers have to eat, and this will take years, maybe a decade, unless Yahoo or whatever quickly stripped carcass of Yahoo is left, caves. But still, there is Big Money behind this. Just Whose is the question.

      "I despise the Russian hackers, who deserve to be on the receiving end of vigilante justice."
      I like the way that you phrased this, because the hands-off Wild West metaphor for the Internet has gone too far. When Law failed in the Wild West, Vigilance Committees formed and hung a few self-made bastards. (And note that subsequently, a few members of these Committees were hung themselves... These things do tend to get out of hand.)

      "Yes, that includes Marissa Mayer, who needs to be behind bars for the awful way her company handled the breach"
      The Wild West metaphor applies to Mayer as well. She should stop thinking about redesigning Logos, and start thinking about full-time heavily-armed Security for Herself, her Family, and her Associates, for the foreseeable future.

      People, a lot of them, and this includes Stockholders, are getting very angry at Corporate America. Both Trump and Clinton are channeling this, which is actually dangerous for both of them given their past. That Corporate America has allied itself to the Criminal World, and I'm looking at you, ISPs and the entire Advertising Industry specifically, and Big Pharma, Big Finance, and the Entertainment Industry in general, means that there is little room any longer for subtleties; at some point something snaps, and it comes time to just simply hang them all, and then throw the Nations largest Block Party ever, and have some Barbeque.

      Then again, I was never much good at Prophecy; if I was, I'd have a bigger Yacht...

    4. Re:Not good enough by drinkypoo · · Score: 0

      What I certainly would like to see punished is the very very late disclosure of the breach. Starting this year, companies in the Netherlands are obliged to disclose data breaches. Fines for non compliance go up to €500k for simple cases; for more serious cases the fine is capped at 10% of net yearly turnover. It's a start...

      No, it isn't. If loss of the company is not a potential reality for a breach, then it's not a start. It's just wankery.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Not good enough by Anonymous Coward · · Score: 0

      I hope your talent for prophecy is more reliable than your talent for capitalisation...

    6. Re:Not good enough by MoarSauce123 · · Score: 4, Insightful

      Worse even, if Yahoo is convicted and has to pay damages it will be less expensive than implementing proper safeguards. As long as breaches are cheaper than security not much will happen.

    7. Re: Not good enough by Anonymous Coward · · Score: 0

      Name, DOB, and address appear to be public info here in the US. This has shown up in the courts before.

    8. Re:Not good enough by Anonymous Coward · · Score: 0

      I supposed the best course of action then is to do nothing, and let Yahoo keep all that money. Putting money in the hands of lawyers is so reprehensible that it's better just to not take the guilty to court.

      Now, stop your whining, class action lawsuits were always about removing money from the violator when it made no sense for an individual to sue. That information may damage certain people badly, but until then it probably only benefited Yahoo in a small way. Courts attempt to be fair, so if you haven't yet lost a million dollars but someone gained ten dollars at your expense, then they'll rule the amount in question is ten dollars. Hypothetical amounts of damage pale in comparison to real damage (or lacking that, real gains).

    9. Re:Not good enough by Anonymous Coward · · Score: 1

      Here is the problem - data breaches are so common in large companies that it is difficult to fault a specific company for negligent behavior. If everyone is negligent using current technology then there is no fault involved. You remind me of managers who believe if they simply demand, threaten, cajole, reward, etc, their programmers to work harder then software projects will be ready sooner. Threatening corporate managers with jail does not improve technology.

    10. Re: Not good enough by thundercattt · · Score: 1

      I remember reading the same /. article: it's cheaper to run the status quo and get hacked than to keep up to date on security.

    11. Re:Not good enough by Anonymous Coward · · Score: 0

      You have grown up in a culture where capitalization is reduced to a minimum, like in France, and a double space added to the end of a sentence for clarity is superfluous. I get that you haven't read much written before 1980 or so, in original text.

      Try reading some of the Great Invective written during the late Nineteenth Century, the Age Of the Robber Barons. (Can you say just why the "the" wasn't capitalized here?)
      of course i could write all unixy. that was common on usenet in the early days. they also disliked commas. and semicolons. or sometimes even periods which meant one never knew where a sentence began or ended paragraphs were nonexistent andsometimesoutofsheerlazinesstheyskippedanypunctuationorspacingatall
      Because C.

      Yes, I make use of Capitalization. It is a way to draw attention to a word or concept, without any actual added text. This is known as Rhetoric, something not taught in Yank Schools for decades. Bold or Italic may not translate between Forums; some of the early ones read now are full of &nbsp. And making _emphasis_ by the use of underscore too often, is hard on the eyes.
      Anyway, I'm not going to change, and if you feel that you have not received full value, see the Cashier, and she will give you a refund.

    12. Re:Not good enough by HiThere · · Score: 1

      It's not using current technology that's the problem, it's that without unsafe methods you can't do remote administration, and it's more expensive to get someone to come in when you need to update the system. It's rather like a lot of the bugs that depend on bios flaws wouldn't be a problem if the bios couldn't be updated without throwing a local switch. And a lot of the complexity is mandated by marketing needs, not by technology.

      It's my suspicion that a really safe network would be much cheaper, but this means you need the manufacturers selling things that require the equivalent of moving a jumper before you could update them, or perhaps even install executable software. It's not something that's cheaper if only one company does it...unless that company is, say, Intel.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    13. Re:Not good enough by Anonymous Coward · · Score: 0

      "When you're this negligent with your security,"

      Sorry, but you are completely full of shit. They were not negligent, they had exactly as much security as the NSA wanted them to have. You know it's exactly true.

    14. Re:Not good enough by ShanghaiBill · · Score: 1

      the executives and any managers who were behind this negligence need to spend some serious time in prison.

      This reminds me of the old adage: "We build prisons for people we are afraid of, and then we fill them up with people we are mad at".

      Prisons are to segregate people that are physically dangerous from civilized society. For other people, there are always better alternatives. For instance, Marissa could spend the next 5 years changing bedpans in hospitals while wearing an ankle bracelet.

      America imprisons far more people per capita than other countries. Far more than Russia, four times as many as China, 15 times more than Japan. There is little evidence that this leads to less crime, and plenty of evidence that by disrupting families it increases crime.

    15. Re:Not good enough by Anonymous Coward · · Score: 0

      " For instance, Marissa could spend the next 5 years changing bedpans in hospitals while wearing an ankle bracelet."

      FTFY:
      " For instance, Marissa could spend the next 5 years being a bedpan in hospitals while wearing an ankle bracelet."
      Too bad, due to Modern Medicine... no more Dysentery Wards...

      "America imprisons far more people per capita than other countries."
      This is true, and note that many of the crimes, especially Drug crimes, were specifically criminalized and prosecuted with our Yellow, Brown, and Black chums in mind. (Opioids, Cocaine, and Pot respectively, and no miscegenation for all. (Overturned, Loving vs. Virginia, 1967.)) And let's not kid ourselves, "White Collar" crime makes the news just _because_ it is so rarely prosecuted. Just what deterrence is there against it really? Probation, fines paid out of pocket change and a few weeks cumulative of Community Service?

      "...and plenty of evidence that by disrupting families..."
      Ah, now that's an idea. Maybe it should be made very clear that the Sins of the Father, or in this case the Mother, shall punish the children unto the third and fourth generation. Now, _that's_ a deterrence. No inheritance and a mandated name change the only way out of Perpetual Shame. (Have you ever met a Mussolini, a Bonaparte, or a Capone? Nixon was fortunate that he only had daughters, and they quickly married off.) (Note that I avoided Godwin.)
      "... disrupting families it increases crime."
      I don't know of a single case where incarceration of a White Collar Criminal, as rare as it is, has ever led the rest of the family to go on crime sprees, and neither do you. But you made a good oblique point, and it boils down to this:

      Increasingly, Black Men have been found to have been wrongly convicted; let's just say this is the result of too much Prosecutorial zeal. And it is entirely possible that White Collar inmates were also wrongly convicted, because in your words, they are "...people we are mad at"
      We like to think that we have a System of Laws, not of Men. But this isn't true. Never has been, never will be. It's just the best that we have.

      A final point- Our Incarceration System as you mention is the largest in the World, and many say it is too expensive. I don't think that it is nearly expensive enough. It should hurt a lot more, especially in the pocketbook, a Public that wants so many of their members locked away, out of Spite.

    16. Re:Not good enough by Anonymous Coward · · Score: 0

      Well, if they're not sued, they still will not spend the money needed to remain secure. Every company that gets large enough operates with intense pressure to justify every position financially. Many companies know their support sucks or could have done much more to prevent user accounts being hacked, but they have already decided it's cheaper to take the heat from angry customers than it is to higher enough people. They only want to higher more employees they know will bring money, particularly sales and account executives, and depending on the company, also marketing, data science, product, and engineering.

  2. Access granted by Anonymous Coward · · Score: 0

    Yahoo routinely granted backdoor access and/or handed over login credentials to any female that requested it. This happens much more often than you think.

  3. Priorities are priorities by 93+Escort+Wagon · · Score: 1

    Marissa couldn't realistically investigate any faster than that. After all, she was busy tweaking the kerning for the updated company logo.

    --
    #DeleteChrome
    1. Re:Priorities are priorities by Anonymous Coward · · Score: 0

      And clearly the security-related issues were the result of "extreme carelessness" instead of "gross negligence", so the only reasonable outcome is for the charges to be dismissed.

    2. Re:Priorities are priorities by Anonymous Coward · · Score: 0

      Calm down. It's one user out of 500,000,000. Without a class action or govt involvement, you think this one NYer will have the financial power to take on a global corporation?

    3. Re:Priorities are priorities by Anonymous Coward · · Score: 0

      Did you misspell gross incompetence?

    4. Re:Priorities are priorities by Anonymous Coward · · Score: 0

      Not one user. It's an ambulance chasing law firm that wanted to be the first in line at the feeding trough.

  4. Disclosure 2 years later wait what? by Anonymous Coward · · Score: 1

    2 YEARS later and likely only due to a condition on the merger so that Verizon doesn't have to accept the responsibility of eventual disclosure. Same shit different year. Good riddance to bad rubbish. Yeah you really turned that company around doll. Congrats for running it into the ground, not like it wasn't headed in that direction anyway, now you just get to be the fall girl. I'm sure she'll land on some soft pillows thanks to that golden parachute.

  5. No trouble for the pending sale. by williamyf · · Score: 2

    Remember, Yahoo is selling the CORE ASSETS, but Yahoo (the company) will still exist, as a placeholder for Alibaba and Yahoo! Japan shares. So, it is Yahoo (the company) that is still liable for the breach, not Verizon. If push comes to shove, Yahoo can sign a MoU stating that it, and not Verizon, is the one who will carry all the brunt of the hack (lawsuits, fines, reparations, costs and any other thing derived from this hack).

    The Alibaba, Yahoo Japan and any other assets in this company shall be enough to cover that.

    --
    *** Good luck to everyone and have a happy day!
  6. Cheaper to get hacked than do security maintenance by Neo-Rio-101 · · Score: 5, Interesting

    Wasn't Slashdot only a number of articles ago talking about how much cheaper it is to get hacked than to deploy proper security and maintenance?

    We've known this for ages....and I learnt about it the hard way years ago as a webmaster.

    In my junior sysadmin pre-ITIL cowboy days, I was tasked with managing a web server, and it turned out that PHP needed an immediate update.
    Without further ado, to avoid the risk of getting hacked, I went and updated PHP to the next version up.
    Turns out that doing so broke a number of customer webpages - which were reliant on some old broken and unmaintained code. The website owners then complained and whined to our company that we threatened their businesses. (Fortunately they only made peanuts to our bottom-line, so luckily we didn't care that much)

    Lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than to do any proactive security maintenance. This works in a number of ways.

    Firstly, when you eventually get hacked IT IS NOT YOUR FAULT. It is the fault of some hacker and things will be seen that way. Blame gets shifted away from the admins anyhow.

    Secondly, doing nothing is CHEAPER. It involves less risk, less change, and less responsibility. In a world where shareholders, finance and management dictate the aims of IT - you may as well fire the sysadmins because it's risky if they do any maintenance, meaning that since they're not going to do anything you may as well fire them. Just get contractors to build things to work once, then leave the systems on the internet indefinitely until they either end up getting hacked to the point of failure, or the hardware breaks down. Then rebuild the system from scratch with more contractors when that time eventuates.

    That's how security patching works in the real world. In other words, it doesn't.

    The thing is, it's ALL ABOUT SHIFTING BLAME in the world of IT, and IT is a risk, and it is expensive.
    That's why there is so much outsourcing combined with support contracts so company managers can point the finger at vendors when things go to hell and then walk away with legal indemnification and still keep their job and their pensions while saying that they kept costs down when things eventually go to pot.

    So in this Yahoo case, someone finally has the guts to call Yahoo out on it.

    --
    READY.
    PRINT ""+-0
  7. Re:Cheaper to get hacked than do security maintena by h33t+l4x0r · · Score: 4, Insightful

    It's not about that. The initial hack could have been anything from a 0day to a 5 year old exploit - you don't know and that's not the issue anyway. The issue is that they didn't tell anybody about it for 2 years. Users need to know that their passwords are compromised because they often will (for example) use the same password for online banking.

  8. Ask for 5 times your money back!! by Anonymous Coward · · Score: 0

    Oh, wait a minute, yahoo was free.

    So you got your money's worth.

    1. Re: Ask for 5 times your money back!! by Anonymous Coward · · Score: 0

      Not all accounts are free.

      Even if a service is offered for free there are obligations on those offering it. E.g. offering free chicken which turned out to be infected with salmonella on a large scale would not protect you from prosecution.

  9. Seems fair by melting_clock · · Score: 4, Insightful

    Gross negligence is accurate enough when a company allows data on 500 million customers to be hacked and then fails to notify those customers for 2 years. Choosing to keep this from customers achieves little more than proving the company cannot be trusted. This should have been handled better.

    Fixing the problems, then disclosing the breach and taking immediate action to protect customers would be the action of a responsible and trustworthy company.

    This is going to cost them customers and reduce the value of the company. Not an ideal situation for anyone about to buy it...

    1. Re:Seems fair by Anonymous Coward · · Score: 0

      Yahoo still has customers ??

      The last time I saw their name was a few months back, installing some software and the installer had a sneaky "Install Yahoo toolbar and set as default search engine" box automatically ticked.
      Thought to myself "shit, is this how desperate they've become ?"

  10. Re:Cheaper to get hacked than do security maintena by JaredOfEuropa · · Score: 3, Insightful

    pre-ITIL cowboy days

    Are things a lot better post-ITIL? In my experience ITIL has made things a lot more predictable... most often predictably awful. Not that I blame ITIL for that; that's like blaming your hammer for the shoddy birdhouse you built. It's more like a crutch: people think "if we all do what it says in this book, we'll do better". In terms of business outcomes I have not found that to be true very often.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  11. Re: Who is msmash? by Anonymous Coward · · Score: 0

    ...
    Yeah, the old editors...about that.
    They're all gone. Slashdot got bought from Dice and everyone got let go.

  12. Re:Cheaper to get hacked than do security maintena by Zedrick · · Score: 2

    > Lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than
    > to do any proactive security maintenance. This works in a number of ways.

    Uh, that's not the right lesson to draw from this. If customers get hacked because they are running out of date CMSes, it's their fault. It's also their fault if it's not working because they have outdated crap that's incompatible with modern php-versions. But if you neglected to update php, and the customers get hacked because of that, it's your fault. You might be able to talk your way out of it in some cases by pointing out that (this kind of) hacking is bad, but if the customer is a company or a person who cares, they will demand to know exactly how this could happen. Having a logfile that shows them exactly what exploit in their outdated CMS or plugin or theme was used is very satisfying.

    I see this in every major php release. The answer to customers who complain is "too bad, update your old outdated Joomla 1.5.x/WP 3.5.x-crap. Or if you don't want to do that, good luck finding a reliable host that still has php 5.eol".

  13. Great. Look forward to 6 mos by Anonymous Coward · · Score: 0

    I eagerly anticipate receiving 6 months free e-mail service from Yahoo, Inc., while the lawyers ultimately win a seven to eight figure payment out of the proceeds from the judgement. Of course this means even MORE ads served whenever using Yahoo.com services, more annoyance and risk for us, while the owners continue to get millions of dollars each year.

    This won't make anyone better off except lawyers, and everyone else will pay for it. That's the joke.

    Get it?

  14. Re:Who is msmash? by Anonymous Coward · · Score: 0

    I'm willing to give msmash the benefit of doubt... for now.
    But manishs is terrible.

  15. Did Mayer do anything positive? by Anonymous Coward · · Score: 0

    So did Mayer do anything at Yahoo except collect big pay checks? She gave Katie Couric a nice paycheck too and then she proceeded to be an ass, not an asset.
    But a ton of people lost their jobs but not a lot was done in protecting people's (customers) information. Clueless is how I describe Mayer.

  16. Closed my account with Yahoo. by asjk · · Score: 1

    It was one of my earliest memberships on www.

    1. Re:Closed my account with Yahoo. by Anonymous Coward · · Score: 0

      I think Hotmail was my earliest.

      I've been with Yahoo for forever as well (as a paid email customer). So many online accounts are linked to my yahoo mail address. Nevertheless, I am going to have to start looking at alternatives. Anyone here using Startmail?

  17. Good luck getting around the mandatory arbitration by schwit1 · · Score: 1

    "Important Notice: This agreement is subject to binding arbitration and a waiver of class action rights ..."

  18. Verizon takeover by um...+Lucas · · Score: 1

    I'm behind the eight ball on this... Has Verizon made any mention of if they're still as eager to buy yahoo, since it could potentially expose them to this new liability that probably wasn't included for when they made their offer? Thinking of what happened to BoA when buying CountryWide Mortgage, for instance...

  19. Par for the course for Ms. Mayer by OneHundredAndTen · · Score: 2

    She is a perfect example of an individual who owes everything to timing - she happened to be at the right place, at the right time. She is pretty useless.

  20. Re:Cheaper to get hacked than do security maintena by freeze128 · · Score: 1

    Firstly, when you eventually get hacked IT IS NOT YOUR FAULT.

    It's not your fault *THE FIRST TIME*. However, if you get hacked again after implementing fixes, it certainly IS your fault. It's cheaper to do nothing, but when you get hacked, you must do something, and it must be something to implement better security, and notify your users. Taking TWO FUCKING YEARS is way too long.

  21. Jesus christ. by Anonymous Coward · · Score: 0

    ITIL

    No wonder Slashdotters are afraid of losing their jerbs to H1Bs.

    1. Re:Jesus christ. by Anonymous Coward · · Score: 0

      I just read the Wikipedia entry for ITIL and, Jesus Christ. So this is what CTOs and their minions author instead of code.

  22. I predicted this yesterday... apk by Anonymous Coward · · Score: 0

    See subject: I noted it in the very article on /. you speak of (sued over negligence in lax security) https://it.slashdot.org/comments.pl?sid=9693719&cid=52949651/ but I had NO IDEA it'd occur in the NEXT DAY'S NEWS (today)!

    APK

    P.S.=> My ESP is on "high power" this week it seems, lol - actually, it didn't "take a brain" @ all - it seemed to me @ the time this would be a NATURAL OUTCOME of said negligence... apk

  23. Re:Cheaper to get hacked than do security maintena by Anonymous Coward · · Score: 0

    Most outcomes are awful, but i don't think ITIL has much to do with the outcome, it just improves the predictability.

    In other words, with ITIL you have enough vision to see it's going to lead to an unsatisfactory outcome; without it you are optimistic, and hence you'll feel better.

    The truth is that if a customer is calling a web hosting provider, it's already a bad outcome. The best you can hope for is that the customer admits to messing up their environment, and it is fixed in minutes. Anything beyond the customer messing up their own environment is generally going to leave the customer with the impression that someone else should have done something to prevent the problem, and the hosting provider is the easiest target.

  24. Am I the only one... by tacarat · · Score: 1

    ... that thinks "state sponsored" means enough time and resources got thrown at this to make even exemplary security meaningless? They could have simply bribed some sysad that was getting fired/quitting anyway to go in, plug in a USB, and leave. Before slamming their IT staff, remember Kevin Mitnick.

    --
    "Common sense will be the death of us all"
  25. Re:Cheaper to get hacked than do security maintena by HiThere · · Score: 1

    PHP? It's been my impression that right there you have identified one of the main security problems with your system.

    FWIW, any rapid changeover is going to introduce its own costs and problems, but it is possible to write secure software which will generally pay for itself over time. Just not in the next quarter, or probably the next year. And you need to do decent Q/A testing before releasing the software. You still won't catch everything, but with the right design exploits won't propagate from module to module.

    The real problem is trying to change too much too quickly and without sufficient Q/A. Doing that will save you money over the long term, but not over the short term, and it will mean that you don't adopt the latest glitz very quickly...and often not at all. So your image, as well as your actuality, won't be "cutting edge" but rather "solid and reliable". There are reasons the "cutting edge" is frequently called the "bleeding edge".

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  26. Surprising reaction from a supposedly tech site by Cytotoxic · · Score: 1

    Do we know anything about what was "lax" at yahoo? I certainly doubt that the lawyers involved in this have the slightest clue if there was any negligence at all involved. Their calculus is "wow, millions of accounts compromised. Let's go class action!"

    And then I read through the comments here, and there is indignation at such weak security and lax procedures and they shouldn't just be sued they should all be taken out and shot and big corporations are teh evil!!

    What we do know is that the hackers targeting the company were "state sponsored". That means that the equivalent of the NSA targeted Yahoo for penetration.

    Does Slashdot really think that China's Ministry of State Security doesn't have the resources to hack into your server? Or the Russian FSB? You really don't think they have the resources to penetrate competently implemented security, particularly when an enterprise comprises tens of thousands of people and hundreds of thousands of devices?

    For all I know, Yahoo had an intern drive a box of backup tapes with all of the account info unencrypted to the dump and that's how they got hacked. But somehow I think it was a little more sophisticated than that. And my first thought certainly wouldn't be gross negligence.

    And I'm pretty sure the lawyers don't have the slightest bit of evidence that it was gross negligence at this point. They just see the size of the whale, and they'll seek to prove their case later. Or just make enough noise to get a big pile of cash to go away.

    If they really had something, I'd feel differently. But somehow I doubt they have anything at all at this point.

  27. *hire (not higher!) by Anonymous Coward · · Score: 0

    Sorry, can't edit as an AP.

  28. Gross Negligence Yahoo! by Anonymous Coward · · Score: 0

    Well.

    The prosecution attorneys will have their hands full trying to convict 10,000 Idiots of Negligence. And the TOP IDIOT Meyers will still get a whopping Pay Day she does not have any right to. That IS the Valley Way.

    Ha ha

  29. What I learned from the attack by Anonymous Coward · · Score: 0

    When I first heard about the attack, my reaction was "Yeah, big surprise, fortunately I don't have any real accounts over there, just john-doe accounts for websites that insist on making you give them an email address to subscribe." Then a couple of things happened:

    - My spam filter trapped a "From: Yahoo Subject: We've been hacked, change your password" message. Yeah, right, I get those all the time.
    - I looked at it, and oops, it wasn't obviously fake!
    - Oh, right, I did have a sort of real Yahoo account from back when people used YahooGroups to do mailing lists...