Victims of the massive data breaches that exposed 3 billion email accounts will be able to sue Yahoo after a judge ruled that users may have acted differently had the company been more forthcoming about the hacks.
Yahoo’s parent company, Verizon Communications, had attempted to have many claims thrown out, saying that company was the target of “relentless criminal attacks,” Reuters first reported.
U.S. District Court Judge Lucy Koh did not accept Verizon’s reasoning, instead noting the plaintiffs' allegation that had Yahoo “disclosed the security weaknesses,” they would have acted differently toward their data on the site.
A breach of 1 billion Yahoo accounts was first disclosed in 2016 as Verizon sought to buy the internet company, a finding that ended up shaving hundreds of millions off the selling price. It was called “one of the most audacious hacks of all time.”
In October 2017, the company then amended the number of affected accounts to 3 billion, suggesting it to be by far the biggest data breach of all time.
The plaintiffs in the case alleged that the hack led to their information being leaked and subsequently used for fraudulent activities. They alleged that Yahoo knew about security vulnerabilities back in 2012 and about a 2014 hack as it occurred.
“Plaintiffs explain that, had they known about the inadequacy of these security measures, they ‘would have taken measures to protect themselves.’” Koh writes, saying that they had sufficiently shown that they would have acted differently had Yahoo disclosed the issues.
A message from Newsweek asking Verizon for comment on the ruling did not receive an immediate reply.
In March 2017, the U.S. Justice Department indicted four people in connection with the Yahoo hacks, two of whom were alleged Russian spies. Yahoo had previously said that “state-sponsored actors” were behind the breaches.
“Silicon Valley’s computer infrastructure provides the means by which people around the world communicate with each other in their business and personal lives,” U.S. Attorney for the Northern District of California Brian Stretch said at the time, “The privacy and security of those communications must be governed by the rule of law, not by the whim of criminal hackers and those who employ them. People rightly expect that their communications through Silicon Valley internet providers will remain private, unless lawful authority provides otherwise.”
More from Newsweek