Judge Rules Yahoo Data Breach Victims Can Sue the Company
AU.S. federal judge has ruled that victims affected by Yahoo’s various data breaches can sue the tech firm.
U.S. District Judge Lucy Koh ruled on Friday night that a class action lawsuit against Yahoo can move forward. Verizon Communications, which purchased Yahoo’s internet business last June, had asked the court to have many of the suit’s claims dismissed, Reuters reported.
While Koh dismissed some claims, the judge denied the dismissal of “many” others, including one for negligence and another for breach of contract.
The Sunnyvale-based firm has been accused of being slow to announce three separate data breaches that occurred between 2013 and 2016. Affected users named in the suit have claimed that those repeat incidents and the delayed disclosure forced them to spend additional time and funds to secure their accounts, as well as exposing them to identity theft.
Over the last year, news of Yahoo’s data breaches got progressively worse. One of the first breaches announced was said to have affected about 500 million Yahoo user accounts. But last October, Yahoo admitted that another breach in August 2013 likely affected every single Yahoo account at the time. All in all, that’s about three billion accounts.
That includes Yahoo email accounts, as well as subsidiary services like Tumblr, Fantasy and Flickr. The breach likely compromised email addresses, names and passwords — but, in perhaps the only twist of good luck, probably not any sensitive financial information. In addition to stolen credentials, the hackers were able to access Yahoo’s internal systems. That allowed them to create fraudulent cookies and manipulate results made in Yahoo’s search engine.
In the wake of announcing the breaches, Yahoo sent emails to impacted users forcing password changes and voiding unencrypted security questions.
At least some of the breaches were believed to have been sponsored by a state actor. Reuters reported that, last March, U.S. prosecutors charged four individuals in connection to one of the breaches — including two Russian intelligence agents and a Canadian citizen.
The Canadian, Karim Baratov, pleaded guilty to identity theft and conspiracy charges in November, while the other three remain at large in Russia, Reuters reported.