Yahoo has been ordered by a federal judge to face much of a lawsuit in the United States claiming that the personal information of all 3 billion users was compromised in a series of data breaches.
In a decision on Friday night, U.S. District Judge Lucy Koh in San Jose, California rejected a bid by Verizon Communications which bought Yahoo's Internet business last June, to dismiss many claims, including for negligence and breach of contract.
Koh dismissed some other claims. She had previously denied Yahoo's bid to dismiss some unfair competition claims.
Yahoo was accused of being too slow to disclose three data breaches that occurred from 2013 and 2016, increasing users' risk of identity theft and requiring them to spend money on credit freeze, monitoring and other protection services.
The breaches were revealed after New York-based Verizon agreed to buy Yahoo's Internet business, and prompted a cut in the purchase price to about $4.5 billion.
A Verizon spokesman had no immediate comment on Monday. A lawyer for the plaintiffs did not immediately respond to requests for comment.
The plaintiffs amended their complaint after Yahoo last October revealed that the 2013 breach affected all 3 billion users, tripling its earlier estimate.
Koh said the amended complaint highlighted the importance of security in the plaintiffs' decision to use Yahoo.
"Plaintiffs' allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System," Koh wrote.
She also said the plaintiffs could try to show that liability limits in Yahoo's terms of service were "unconscionable," given the allegations that Yahoo knew its security was deficient but did little.
In seeking a dismissal, Yahoo said it has long been the target of "relentless criminal attacks," and the plaintiffs' "20/20 hindsight" did not cast doubt on its "unending" efforts to thwart "constantly evolving security threats."
Last March, U.S. prosecutors charged two Russian intelligence agents and two hackers in connection with one of the Yahoo breaches.
One accused hacker, Karim Baratov, a Canadian born in Kazakhstan, pleaded guilty in November to aggravated identity theft and conspiracy charges. The other defendants remained at large in Russia.
The case is In re: Yahoo Inc Customer Data Security Breach Litigation, U.S. District Court, Northern District of California, No. 16-md-02752.
Reporting by Jonathan Stempel in New York; editing by Grant McCool.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.