Yahoo shareholders file lawsuit over company’s massive data breaches

On top of multiple consumer lawsuits, Yahoo now faces a shareholder lawsuit over its cybersecurity catastrophes.

A Yahoo shareholder launched a class action lawsuit this week accusing the ailing tech giant of lying about and “recklessly” failing to disclose cybersecurity problems and massive data breaches, thereby violating federal securities laws and costing shareholders “significant losses and damages.”

Yahoo suffered two massive breaches in 2016 hitting 1.5 billion user accounts across both incidents. The latest breach of over 1 billion user accounts, revealed in December, is the biggest ever reported. The previous hack, disclosed in September, hit over 500 million users and was discovered internally in 2014 but then kept secret for two years.

Additionally, a Reuters report found Yahoo allowed U.S. intelligence agencies to search emails sent to its customers via a special program built in secret by company engineers. A number of news publications are now involved in Freedom of Information Act lawsuits against the FBI and Justice Department in search of more information regarding the program.

The Securities and Exchange Commission is currently investigating whether the Yahoo breaches should have been reported earlier to investors. The SEC requires firms to disclose cybersecurity risks immediately to investors. Yahoo has yet to explain why it took two years to disclose the 2014 breach. The investigation is reportedly still in the early stages. If the SEC takes action, it could be a landmark move defining cybersecurity disclosure laws moving forward.


The new lawsuit joins an avalanche of customer lawsuits Yahoo has faced since the middle of last year. Plaintiffs in those cases are seeking millions of dollars.

Here’s the meat of the complaint:

Throughout the Class Period, Defendants made materially false and misleading statements regarding the Company’s business, operational and compliance policies. Specifically, Defendants made false and/or misleading statements and/or failed to disclose that:

(i) Yahoo failed to encrypt its users’ personal information and/or failed to encrypt its users’ personal data with an up-to-date and secure encryption scheme;

(ii) consequently, sensitive personal account information from more than 1 billion users was vulnerable to theft;

(iii) a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo’s websites and services; and

(iv) as a result, Yahoo’s public statements were materially false and misleading at all relevant times.

On September 22, 2016, Yahoo disclosed that hackers had stolen information in late 2014 on more than 500 million accounts. Following the breach, Yahoo executives advised investors that the breach was not material, in part because the Company had not required to reset their passwords.

It’s a dramatic 34-page filing with one section titled “The Truth Begins to Emerge” criticizing the company’s failure to adequately encrypt some of the data stolen in the breaches. News that the breaches could cut billions of dollars off of a sale to Verizon figures prominently in the lawsuit.

Neither the plaintiff’s lawyers nor Yahoo responded to requests for comment on Wednesday.


Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.
