Plaintiffs suing Yahoo for failing to protect all of the company’s 3 billion users can move forward with the majority of their case, a federal judge in California ruled on Friday.
U.S. District Judge Lucy Koh denied in part a motion by Verizon, which owns Yahoo, to dismiss the case. The plaintiffs are claiming that Yahoo was too slow to correct security vulnerabilities, as well as disclose three data breaches between 2013 and 2016.
Since Yahoo’s breaches affected virtually every user, the plaintiffs are seeking class certification.
“Plaintiffs explain that, had they known about the inadequacy of these security measures, they ‘would have taken measures to protect themselves,'” Koh writes in the ruling. “Plaintiffs’ allegations are sufficient to show that they would have behaved differently had Defendants disclosed the security weaknesses of the Yahoo Mail system.”
The plaintiffs argue that the breaches have put them at risk of identity theft and forced them to spend time and money mitigating that risk. As a result, they say they would have chosen a different email provider had they been aware of Yahoo’s risks.
Yahoo disclosed the 2013 breach, the largest one, in December 2016, saying that 1 billion user credentials were compromised. The company updated that assessment in October 2017, this time saying that all 3 billion accounts were impacted by the hack.
In November, Kazakhstan-born Canadian citizen Karim Baratov pleaded guilty to helping Russian spies in Yahoo’s 2014 breach, in which 500 million accounts were compromised.
You can read the judge’s motion below: