In a blow to Yahoo, a federal judge has
ruled that the company must face a host of claims by consumers who are suing over a series of data breaches that occurred between 2013 and 2016.
The ruling, issued by U.S. District Court Judge
Lucy Koh in San Jose, grows out of revelations that Yahoo not only suffered three data breaches that appear to have affected 3 billion users, but didn't inform users about the incidents until years
after the fact. Yahoo has said says it didn't know the 2013 data breach -- the largest of the three incidents --until December of 2016, shortly before it notified people.
Last August, Koh ruled that the consumers could proceed with some of their claims -- including
allegations that Yahoo violated California's law against unfair competition and broke its contract with users -- but she dismissed other allegations. At the time, she rejected Yahoo's argument that
consumers didn't suffer any concrete injury, and therefore lacked "standing" to proceed with their lawsuit.
Koh's August order allowed the consumers to flesh out several of the dismissed
claims and bring them again. The consumers did so last year.
Yahoo again asked Koh to throw out those claims, arguing in papers filed this January that the consumers' allegations consisted of
"broad generalizations, legal conclusions, and threadbare assertions."
Koh's new ruling dismisses some claims, but allows the consumers to proceed with others, including that Yahoo
fraudulently deceived consumers by concealing the data breaches. She specifically noted that the consumers alleged that they would have "taken measures to protect themselves,” had they been told
about the hacking incidents.
In 2013, hackers stole data -- including, in some cases, names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and
answers associated with an estimated 3 billion Yahoo accounts. Yahoo didn't disclose that breach until December of 2016.
In 2014, a separate data breach resulted in the theft of similar
information associated with 500 million accounts; the company disclosed that breach in September of 2016. And in February of 2017, Yahoo announced yet a third attack in which hackers gained access to users' passwords by forging cookies.