Yahoo can't shake a class-action lawsuit stemming from massive data breaches that affected at least one billion account holders, a judge ruled on Wednesday.
U.S. District Court Judge Lucy Koh in San Jose, California rejected Yahoo's argument that the users who are suing didn't suffer any injuries and therefore lack "standing" to proceed.
"All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their [personally identifiable information]," Koh wrote in a 93-page opinion. She added that some of the people who filed suit alleged that they suffered actual misuse of their data, or paid out of pocket to mitigate their risks.
The ruling grew out of recent revelations of data breaches at Yahoo. Last September, Yahoo disclosed that it suffered a massive data breach in late 2014. Chief Information Security Officer Bob Lord said at the time that hackers may have been able to obtain names, email addresses, telephone numbers, birth dates, security questions and passwords associated with 500 million accounts. Most of the passwords were encrypted, according to Yahoo.
In December of last year, Yahoo disclosed that it had also suffered a data breach in 2013, when hackers stole data associated with more than one billion Yahoo accounts. The data taken in the 2013 attack "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords ... and, in some cases, encrypted or unencrypted security questions and answers," the company said.
This February, Yahoo announced yet a third attack in which hackers gained access to users' passwords by forging cookies.
The disclosures prompted numerous lawsuits against Yahoo by users, who alleged that the company failed to adequately protect their data, among other claims.
In the past, some judges have ruled that consumers can't sue based solely on a fear of future economic harm.
But in 2015, the influential 7th Circuit Court of Appeals reinstated a class-action lawsuit against Neiman Marcus, which suffered a data breach in 2013. The appellate judges said that customers of the department store "should not have to wait until hackers commit identity theft or credit card fraud" before proceeding in court. In that case, unlike Yahoo's situation, hackers appeared to have stolen credit card information.