If you were affected by the absolutely humongous Yahoo data breaches in recent years -- and given they were so damn big, there's a decent chance you were -- you may be in luck. A judge just paved the way for affected users to sue the tech giant.
U.S. District Judge Lucy Koh in San Jose, California made the ruling on Wednesday in a 93-page decision, declaring that affected victims certainly did have a right to go after Yahoo because, “All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information."
The ruling relates to the breaches that hit Yahoo between 2013 and 2016, affecting hundreds of millions of users, breaches that the company was incredibly slow to confirm and publicly report, leaving those users vulnerable to theft and fraud.
At this point, there have been enough breaches and Yahoo's been so slow to fess up that it's understandable if you're a little confused, so here's a brief run-down:
August 2013: More than 1 billion accounts were affected by a data breach that it didn't fully disclose until over three years later in December 2016. The main concern from the breach was that names, email addresses, phone numbers, dates of birth, MD5-hashed passwords (a form of encryption now widely considered insecure), and security question answers were exposed.
Late 2014: Though this breach that affected 500 million users happened after the 2013 hack, it was actually admitted before the company revealed the larger breach, which may account for the messy timeline. The information exposed in this leak was similar to the 2013 leak, i.e. no payment or bank account information was believed to be accessed. It was actually in investigating this breach that Yahoo apparently "discovered" the 2013 breach, too.
2015-2016: Another round of data breaches occurred throughout 2015 and 2016, according to a December 2016 statement by Yahoo. At the time, Yahoo said it believed the hack was committed by the same "state-sponsored hacker" who perpetrated the big 2014 breach. The perp used, according to the company, "forged cookies" to get into accounts without having to use a password.
I mean... yeah, that's bad.
You likely read tons of stories on what you should do if you were a victim of one of these breaches and, now, it seems Justice Koh thinks filing a lawsuit is also appropriate.
This is more bad news for Verizon, which purchased Yahoo in early 2017 after getting a small discount for all those data breaches. Verizon faced its own data breach in the summer of 2017 when millions of its customers had information exposed on an unsecured server.
So, in a sense, the Verizon/Yahoo purchase made perfect sense, like two tire fires joining forces to become one gigantic tire fire that's now gonna cost that fire a whole lotta money to all the people it burned.
