Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

Federal Judge: Yahoo Breach Victims Can Sue

Plaintiffs Claim Spam and Card Fraud Resulted From Breach of 3 Billion Accounts
Federal Judge: Yahoo Breach Victims Can Sue
Yahoo's headquarters in Sunnyvale, California.

A federal judge in California has largely rejected a motion by Verizon to dismiss a class-action lawsuit brought by victims of three Yahoo data breaches. The breaches appear to have compromised every Yahoo user's personal details at least once.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

In the defendant's favor, however, Judge Lucy Koh in her Friday ruling also denied several claims by the plaintiffs that Verizon had challenged, including deceit by concealment, negligence and breach of contract.

Verizon closed its acquisition of Yahoo last June for $4.48 billion. Under the terms of the deal, Yahoo agreed to shoulder half of the costs related to government investigations and third-party litigation over its breaches. Yahoo also bears full liability for any shareholder lawsuits and faces a probe by the U.S. Securities and Exchange Commission.

The search giant reportedly did not carry cyber insurance.

Plaintiffs Allege Poor Security Practices

The class-action lawsuit contends that Yahoo failed to adequately protect user accounts and to disclose its inadequate information security practices. Plaintiffs have also accused the company of waiting too long to disclose the breaches to users, which prevented them from taking remedial action to prevent their personal information from being abused.

Some plaintiffs have also alleged that they suffered losses by having their personal information get exposed, resulting in fraudulent charges appearing on their credit cards and subjecting them to an increase in spam.

Koh's March 8 ruling on Verizon's motion to dismiss.

The class-action lawsuit was first filed on Dec. 7, 2016. In September of that year, Yahoo made its first breach disclosure, saying 500 million accounts were stolen in late 2014. In December 2016, it upped the estimated victims to 1 billion and said that attackers had also forged cookies, allowing them to access the accounts.

In August 2017, Koh rejected a motion by Verizon to dismiss the class-action complaint. Then Yahoo made yet another breach disclosure in October 2017, saying that nearly every one of its 3 billion users' details were exposed in the 2013 breach (see Yahoo: 3 Billion Accounts Breached in 2013).

After that disclosure, Koh granted the plaintiffs time to amend their complaint. That was followed by Verizon in February filing another motion to dismiss the case, which Koh addressed in her Friday ruling.

Among many contentions, Verizon sought to dismiss one plaintiff claim, which seeks punitive damages, on the grounds that the complaint does not allege that a specific officer or director committed "oppressive, fraudulent or malicious acts."

But the judge rejected the contention, writing that "plaintiffs satisfy that standard by focusing on particular conduct by the CISO."

In addition, "these circumstances make plausible plaintiffs' claim that high-ranking executives and managers at Yahoo, including its CISO, committed oppressive, fraudulent, or malicious conduct," Koh writes.

Verizon officials could not be immediately reached for comment on Koh's ruling.

Yahoo Blamed Nation-State Hackers

Former Yahoo CEO Marissa Mayer told a Congressional committee last November that it was tough for any corporation to defend against nation-state attackers (see Former Yahoo CEO: Stronger Defense Couldn't Stop Breaches).

"Even robust defenses ... aren't sufficient to protect against the state-sponsored attack, especially when they're extremely sophisticated and persistent," Mayer testified.

In March 2017, the U.S. Department of Justice indicted two Russian FSB agents and two other freelance hackers for attacks against Google and Yahoo. One of the men, Karim Baratov, was extradited to the U.S. and pleaded guilty to hacking Gmail and Yandex accounts. Baratov, however, was not accused of any involvement in the Yahoo breaches.

The indictment alleges that one of the four men, Alexsey Belan, mined Yahoo email accounts for credit card and gift card numbers. Belan, who is now believed to be living in Russia, has also been accused of minting forged cookies that gave him access to 30 million Yahoo email accounts. Those accounts were then allegedly targeted with spam (see Russian Spies, Two Others, Indicted in Yahoo Hack).

Yahoo said in December 2016 that attackers reverse-engineered the company's cookies, the small data files that allow persistent access to account without re-entering a password. That allowed the attackers access to account without needing to know the passwords.

Yahoo's first breach disclosure surfaced while the company was in acquisition negotiations with Verizon. The worries over future breach-related costs impacted the price. While Verizon originally offered $4.83 billion for Yahoo, which is now part of its Oath subsidiary, the final price was $350 million lower, owing to a discount Verizon negotiated after Yahoo's massive breaches began to come to light.

Executive Editor Mathew Schwartz also contributed to this story.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.