Yahoo was hit with a wave of class-action suits late last week, after it revealed that hackers stole information associated with half a billion accounts.
By Saturday, at least four separate complaints had been filed in two different federal courts -- the Northern District of California and the Southern District of Illinois.
The cases follow Yahoo's announcement on Thursday that it suffered a massive data breach in late 2014. Chief Information Security Officer Bob Lord stated that hackers may have been able to obtain names, email addresses, telephone numbers, birth dates, security questions and passwords associated with 500,000 accounts. Most of the passwords were encrypted, according to Yahoo. The company says it believes a "state-sponsored actor" is responsible for the attack.
The lawsuits all allege that Yahoo failed to adequately protect users' information. Some complaints also include allegations related to the time lag between the data breach and Yahoo's disclosure.
"Despite the fact that the attack took place in late 2014, Yahoo was so grossly negligent in securing its users’ personal information that it says that it did not even discover the incident until the summer of 2016," Ronald Schwartz, a Yahoo user who lives in New York, alleges in papers filed in San Jose, California.
North Carolina resident Maria Sventek, who also filed a case in the Northern District of California, alleges that the lag time prevented users "from protecting themselves from the security breach."
Lord said last week that Yahoo doesn't believe that hackers obtained information about financial accounts.
But some of the plaintiffs argue that they're now at risk of the type of identity theft that could ultimately lead to a financial loss.
"Biographical data is ... highly sought after by data thieves," New York resident Edward McMahon alleges in papers filed in the Northern District of California. “One form of identity theft, branded 'synthetic identity theft,' occurs when thieves create new identities by combining real and fake identifying information and then use those identities to open new accounts."
It's not clear whether judges will allow these cases to move forward. In the past, some judges have thrown out lawsuits over data breaches, ruling that consumers can't sue based on their fear of future economic harm.
But last year the influential 7th Circuit Court of Appeals reinstated a class-action lawsuit against Neiman Marcus, which suffered a data breach in 2013. The appellate judges said that customers of the department store "should not have to wait until hackers commit identity theft or credit card fraud" before proceeding in court. In that case, unlike Yahoo's situation, hackers appeared to have stolen credit card information.