Yahoo Class Action Says Premium Subscribers At Risk For Identity Theft

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

A Yahoo premium subscriber has filed a proposed class action lawsuit against the internet giant, saying the company failed to properly protect his and other subscribers’ sensitive data during two recent massive data breaches.

Last week, Yahoo confirmed that 1 billion Yahoo user accounts were compromised by hackers in August 2013, in an incident likely separate from the big data breach that the company disclosed in September.

In this recent data breach involving 1 billion users, Yahoo said “stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.”

Bob Lord, chief information security officer (CISO) at Yahoo, gave details of the data breach in a Dec. 14 blog post, and stated the hackers have not been identified, but it is believe the cyber thieves may have used “forged cookies” to access user accounts without needing to know their password.

“We believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” Lord said.

The second data breach incident was uncovered after U.S. law enforcers shared files with the company that a third-party claimed contained Yahoo user data.

For more than a decade, plaintiff Dr. Gerald Cleaver, a Professor of Physics and the Graduate Program Director of the Department of Physics at Baylor University, says he paid $19.99 per month for a premium Yahoo service.

In order to become a premium subscriber, Yahoo requires users to provide substantial amounts of sensitive personal information. In August, Dr. Cleaver switched to the free service but still maintains his Yahoo Mail account.

Dr. Cleaver received notification from Yahoo that his data was stolen in both the September and more recent December data breaches. He filed the lawsuit on grounds that his stolen personal data is now “available on the dark web,” and he is at risk for identity theft.

The plaintiff also contends that he suffered contract damages as a result of Yahoo’s breach of its contractual promise to provide adequate security data.

“All affected Yahoo customers are harmed by the data breach because of the serious invasion of their privacy,” Cleaver said. “Furthermore, the stolen data has actual monetary value (as proven by the existence of the black market) and that value properly belongs to the customers.”

Dr. Cleaver also claims that affected Yahoo customers are further at risk of identity theft because the stolen data is so sensitive, often used to gain access to other websites, such as banks and social media websites, and was either not encrypted or easily cracked.

According to the complaint, Yahoo recognized the seriousness of the risk and recommended that affected customers place an expensive “security freeze” on their credit files. However, Yahoo did not offer to pay for the security freeze, which can cost between $5 and $20 per freeze.

The lawsuit further alleges that Yahoo failed on more than one occasion to invest in adequate data security. Specifically, although Yahoo operates across three separate platforms (search – Yahoo Search, communications – Yahoo Mail, and Yahoo Messenger, and digital content – Yahoo News, Yahoo Sports, Yahoo Finance, and Tumblr), all products share a single user database.

One Yahoo executive called these the “core crown jewels of Yahoo customer credentials” yet Yahoo chose to put them in a single database, according to the proposed class action lawsuit.

What’s worse, the lawsuit contends, is that for years Yahoo reportedly rejected the advice of its own security team regarding strengthening data protection, to save money.

“This refusal to invest persisted even after a well-publicized breach of 400,000 accounts in 2012, and another breach of 22 million accounts in Japan in 2013,” the class action states.

Dr. Cleaver is seeking to represent a nationwide Class of Yahoo customers as well as a premium subscriber subclass. The proposed premium subscriber subclass has suffered additional out of pocket harm because they paid monthly premiums to Yahoo in exchange for various services, of which “proper data security was either an explicit or implicit term of the contract.”

The plaintiff is requesting injunctive relief, declaratory relief, and statutory damages.

This latest data breach comes several months after Yahoo revealed details of another historic attack on its systems, dating back to 2014, which led to the personal details of at least 500 million users becoming exposed.

This lawsuit is not the only case Yahoo is facing after the latest data breach was announced. A similar class action lawsuit was filed last week by plaintiff Amy Vail, also in California federal court.

Dr. Cleaver is represented by Laurence D. King, Linda M. Fong, Matthew B. George, Mario M. Choi, Jeffrey Campisi and David A. Straite of Kaplan Fox & Kilsheimer LLP.

The Yahoo Premium Subscriber Data Breach Class Action Lawsuit is Dr. Gerald Cleaver v. Yahoo Inc., Case No. 5:16-cv-7264, in the U.S. District Court for the Northern District of California.

UPDATE: On Oct. 3, 2017, Yahoo announced that the personal private information of all 3 billion Yahoo users was exposed in a 2013 data hack.