US judge says Yahoo data breach victims have the right to sue

The victims have to deal with the risk of identity theft, after all.

J. Countess via Getty Images

Verizon will now have to deal with any lawsuit filed by victims of the massive breaches Yahoo suffered between 2013 and 2016. US District Judge Lucy Koh has tossed out Yahoo's argument that the people affected by the cyberattacks don't have the standing to sue. While many plaintiffs' cases were dismissed, Koh has ruled that they can change their complaints and pursue some kind of breach of contract or unfair competition claims. According to Reuters, the judge wrote in the 93-page ruling that she came to that decision because all plaintiffs "have alleged a risk of future identity theft."

Further, they had to deal with changing all their passwords and securing new identification information to make sure nobody can steal their identities. When the breach was first announced, Yahoo said customers' "names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers" were stolen. That's why some of the plaintiffs even spent money on identity theft protection services.

If you'll recall, Yahoo confirmed last year that hackers stole data linked to over a billion accounts. Worse, that happened way back in 2013 -- it took the company three years to admit to its users that their information was at risk. A second breach that hit the company in 2014 affected 500 million accounts, while the third major breach happened sometime in 2015 and 2016. The Department of Justice indicted four Russians over the cyber intrusions earlier this year: two of them worked for Russia's Foreign Intelligence Service, while the other two were hired to help them out.

Since Yahoo admitted the security breaches in the middle of the Verizon acquisition, it had an effect on the carrier's offer. Big Red ended up buying the company for $4.48 billion, down hundreds of millions from the original $4.83 billion it was going to pay.

Full disclosure: Engadget also operates under Verizon's Oath umbrella.