• by Ray Schultz , Columnist, October 16, 2017

U.S. Judge Lucy H. Koh has for months presided over a class-action suit over Yahoo’s data breach with a calm manner. But even she seemed rattled by the news that all three billion accounts were affected. 

Last week, she said this revelation has sent the case “back to square one,” and expressed frustration with Yahoo for its sharing of information, according to Law 360. She also postponed the submission deadline to give the parties time absorb the new information. 

This is good news for the plaintiffs, and for Gmail and the other email service providers. The buzzards are already circling.

Take this exchange in the Minneapolis Star-Tribune: A consumer wrote in saying that Yahoo wouldn’t recognize his password. Steve Alexander replied:

“The fact that your account was hacked isn’t surprising,” And he repeated that all three billion accounts were affected.

“As a result,” he continued, “everyone who had a Yahoo account for at least four years is vulnerable, and should change his or her password immediately. He also gave some advice on getting past the security questions.

But here’s his real message:

“If you can’t regain access to your existing Yahoo account, I suggest that you don’t open a new one.”

He added: "While Yahoo is now under new management, it’s unclear whether all the technical flaws in Yahoo’s security have been discovered and fixed. Instead, I suggest that you use another large email provider, such as Google’s Gmail or Microsoft’s Outlook.com."

Kayla Matthews also had some sharp words for Yahoo in The Technews.

“You should be nervous,” Matthews advised readers. “You should be scared.”

Here’s why: “First, trust ends up damaged,” Matthews wrote. “If you’re going to put faith in a company to keep your information safe, you must obtain a certain amount of trust with them. Faith ends up being broken, and that severs many relationships between people and company.

"The second thing that needs to be considered is the secrecy taken by the company. When reported in 2016, the news scared a lot of people. When you get lied to, it hurts. And it hurts a whole lot more when money becomes involved and it goes public."

Indeed, these comments sound strangely like some of the charges in the class action suit against Yahoo. As Judge Koh observed in August when dismissing some claims in the case and keeping others, the plaintiffs charge that Yahoo should have modified its systems and alerted users of the breaches in a more timely way.

Koh also noted then that after the 2013 breach was revealed last December, “plaintiffs in several lawsuits that had been filed regarding the 2014 Data Breach then amended their complaints to include claims regarding the 2013 Breach.”

It goes on: ”Additionally, more lawsuits were filed in the Northern District of California regarding the 2013 Breach and the 2014 Breach. Again, these lawsuits generally alleged that Yahoo failed to adequately protect its users’ accounts, that Yahoo failed to disclose its inadequate data security practices, and that Yahoo failed to timely notify users of the data breach.”

No one can say how these cases will end. But it’s no wonder that JD Supra wrote that given the numbers, this could end up as “the largest plaintiff class ever.”