In a blow to Yahoo, a federal judge has ruled that the company must face a host of claims by consumers who are suing over a series of data breaches that occurred between 2013 and 2016.
The ruling, issued by U.S. District Court Judge Lucy Koh in San Jose, grows out of revelations that Yahoo not only suffered three data breaches that appear to have affected 3 billion users, but didn't inform users about the incidents until years after the fact. Yahoo has said says it didn't know the 2013 data breach -- the largest of the three incidents --until December of 2016, shortly before it notified people.
Last August, Koh ruled that the consumers could proceed with some of their claims -- including allegations that Yahoo violated California's law against unfair competition and broke its contract with users -- but she dismissed other allegations. At the time, she rejected Yahoo's argument that consumers didn't suffer any concrete injury, and therefore lacked "standing" to proceed with their lawsuit.
Koh's August order allowed the consumers to flesh out several of the dismissed claims and bring them again. The consumers did so last year.
Yahoo again asked Koh to throw out those claims, arguing in papers filed this January that the consumers' allegations consisted of "broad generalizations, legal conclusions, and threadbare assertions."
Koh's new ruling dismisses some claims, but allows the consumers to proceed with others, including that Yahoo fraudulently deceived consumers by concealing the data breaches. She specifically noted that the consumers alleged that they would have "taken measures to protect themselves,” had they been told about the hacking incidents.
In 2013, hackers stole data -- including, in some cases, names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers associated with an estimated 3 billion Yahoo accounts. Yahoo didn't disclose that breach until December of 2016.
In 2014, a separate data breach resulted in the theft of similar information associated with 500 million accounts; the company disclosed that breach in September of 2016. And in February of 2017, Yahoo announced yet a third attack in which hackers gained access to users' passwords by forging cookies.