Judge Says Yahoo Still On The Hook For Multiple Claims Related To Three Billion Compromised Email Accounts

from the if-you-don't-fix-the-front,-you'll-be-paying-on-the-back-end dept

A federal judge is going to let a bunch of people keep suing Yahoo over its three-year run of continual compromise. Yahoo had hoped to get the class action suit tossed, stating that it had engaged in “unending” efforts to thwart attacks, but apparently it just wasn’t good enough to prevent every single one of its three billion email accounts from falling into the hands of hackers.

In a decision on Friday night, U.S. District Judge Lucy Koh in San Jose, California rejected a bid by Verizon Communications Inc, which bought Yahoo’s Internet business last June, to dismiss many claims, including for negligence and breach of contract.

Koh dismissed some other claims. She had previously denied Yahoo’s bid to dismiss some unfair competition claims.

Yahoo was accused of being too slow to disclose three data breaches that occurred from 2013 and 2016, increasing users’ risk of identity theft and requiring them to spend money on credit freeze, monitoring and other protection services.

Three billion is a lot of potential class-mates, even though many Yahoos users had moved on to more viable/useful services long before the breach began. That being said, password reuse is common. So is the tendency to have the same user name in place across several platforms. And, needless to say, personally identifiable info stays the same, no matter what platform Yahoo’s former users have strayed to.

The complaint — amended again after news broke that Yahoo’s entire user base had been compromised — notes that Yahoo’s “unending” efforts were routinely terrible, if not practically nonexistent. The suit points out multiple Yahoo hosts were compromised in 2008 and 2009. The next year, Google notified Yahoo that its systems were being used to attack Google. And in 2012, Yahoo suffered two breaches, including one stemming from a SQL injection attack that revealed the company unendingly stored passwords in plain text.

A couple of claims have been dismissed but the most damaging — negligence — remains. The plaintiffs so far have presented plenty of evidence that Yahoo handled users’ PII extremely carelessly. From the decision [PDF]:

First, the contract entered into between the parties related to email services for Plaintiffs. Plaintiffs were required to turn over their PII to Defendants and did so with the understanding that Defendants would adequately protect Plaintiffs’ PII and inform Plaintiffs of breaches. Second, it was plainly foreseeable that Plaintiffs would suffer injury if Defendants did not adequately protect the PII. Third, the FAC asserts that hackers were able to gain access to the PII and that Defendants did not promptly notify Plaintiffs, thereby causing injury to Plaintiffs. Fourth, the injury was allegedly suffered exactly because Defendants provided inadequate security and knew that their system was insufficient. Fifth, Defendants “knew their data security was inadequate” and that “they [did not] have the tools to detect and document intrusions or exfiltration of PII.” “Defendants are morally culpable, given their repeated security breaches, wholly inadequate safeguards, and refusal to notify Plaintiffs . . . of breaches or security vulnerabilities.” Id. Sixth, and finally, Defendants’ concealment of their knowledge and failure to adequately protect Plaintiffs’ PII implicates the consumer data protection concerns expressed in California statutes, such as the CRA and CLRA.

Yahoo also has to keep fighting “deceit by concealment” allegations stemming from its delayed reporting of known security breaches.

Defendants also criticize Plaintiffs for continuing to use Yahoo Mail and taking no remedial actions after learning of Defendants’ allegedly inadequate security. However, Defendants fail to acknowledge that Defendants’ delayed disclosures are likely to have harmed Plaintiffs in the interim. Plaintiffs did not even know that they should take any remedial actions during the periods of Defendants’ delayed disclosures. Moreover, contrary to Defendants’ suggestion, the actions that Plaintiffs took after the fact do not conclusively determine what actions they would have taken if they had been alerted before the fact. The FAC provides at least one good reason why Plaintiffs may not have ceased their use of Yahoo Mail after the fact—namely, Plaintiffs have already established their “digital identities around Yahoo Mail.” Plaintiffs can consistently plead that they took minimal or no action after learning of the security defects but that they “would have taken measures to protect themselves” if they had been informed beforehand.

In total, Yahoo is still on the hook for 9 of 15 allegations related to the massive security breach. And it has no one to blame but itself if new owner Verizon ends up shelling out for damages. Yahoo’s terrible security had been a problem for a half-decade before the 2013 breach. Three years later, it became clear everything Yahoo had collected on three billion email accounts was now in the hands of other people. This long line of breaches show Yahoo was very interested in increasing its user base, but much less motivated to protect their info.

Filed Under: , , , , , , ,
Companies: verizon, yahoo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Judge Says Yahoo Still On The Hook For Multiple Claims Related To Three Billion Compromised Email Accounts”

Subscribe: RSS Leave a comment
That Anonymous Coward (profile) says:

A couple of yahoo accounts I had got the state hackers got you messages, so I closed everything down & moved on.

I’d totally join the class but after the lawyer fees and will be offered will be like a 1 month free trial of Verizon for 10 minutes, 10 texts, 10 MB – Value $5000!

It is a pity that when companies do shitty things like this they never hurt. They knew, they hid it, & kept chugging along.

An Onymous Coward (profile) says:

Re: Re:

All of this was public info before Verizon bought Yahoo. It stalled their deal for a while and they ended up getting a big discount on the purchase price as a result. In theory they already offset the costs of this litigation on the assumption that it would cost $billions. That reduction in purchase price should be considered by the court as an acknowledgement of their fiscal responsibility to the class members.

Anonymous Coward says:

Re: out_of_the_blue isn't going to like this

Nah, he’ll love this. It’ll go something like:

“See! I told you all this would happen! But no, you damn corporatists wouldn’t listen. Corporations should be shot and made illegal! We also need to get rid of any and all regulations I don’t agree with. I hope you’re happy now you suckers! Meanwhile I’m just sitting here laughing at you all.”

Or something like that. Is it sad that I can accurately predict what he’ll say? Bets on how close I’ll be?

Shamed to admit I was a Yahoo "tech" says:

According to the philosophy of commonality and standardization,

the necessity for the total system rationale precludes simplistic determinism. Thus, any associated supporting element affects a significant implementation of the structural design, based on system engineering concepts.

In other words, unavoidable.

Agammamon says:

On the one hand, I sympathize with Yahoo.

On the other – if you can’t keep your user’s (not customers – the ad agencies are the customers) data safe at those numbers then its incumbent on you to either reduce the number of users to a level you can secure and/or let these people know what’s going on and the risks they’re taking.

If I knew Uzbek hackers had access to my Yahoo account I wouldn’t care – all I use it for is commerce spam anyway. There are a lot of people in the same boat – its convenient and we’ve not got anything we’re worried about compromising so we’d keep using the service.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...