Yahoo Data Breach Lawsuit

Yahoo failed to protect the data of one billion users. Those users will now unite to form the largest class action lawsuit in history, with attorney John Yanchunis as lead counsel.

Yahoo Data Breach Lawsuit


NOTE: We are no longer taking Yahoo data breach cases. If you were impacted by this data breach, you should automatically be a member of the class action lawsuit (but you can opt out if you choose). To learn more, see "How to Join a Data Breach Class Action Lawsuit."


In September 2016, Yahoo announced that 500 million users’ data had been breached in 2014. This information included names, email addresses, dates of birth, phone numbers, passwords, etc.

As if that wasn’t devastating enough, a few months later Yahoo announced that 1 billion users’ information had been stolen in August 2013. Cyber-security experts say the Yahoo breach could trigger a chain reaction in which tens or even hundreds of thousands more accounts are hacked.

Shortly after Yahoo announced the 2014 breach, our attorneys filed a negligence lawsuit against the tech giant for failing to protect and inform consumers. This plaintiff class is expected to number in the hundreds of millions, hailing from all over the globe.

In February 2017, John Yanchunis and Morgan & Morgan beat out four other firms to be named Lead Plaintiffs’ Counsel for the case—the largest class action lawsuit in history.

Read the Order

Yahoo’s Actions Were “Inconceivable”

Mr. Yanchunis has said of the Yahoo data breach fiasco, “It’s inconceivable that Yahoo either failed to detect the breach for two years, or it knew of the breach in 2014 and intentionally disregarded the privacy interests of consumers and breach notification laws by failing to inform consumers of the breach for two years.”

Most states—including California, where the lawsuit was filed—have laws on the books requiring companies to inform consumers of data breaches within 30 days of the breaches’ discovery.

At a press conference held after he was named Lead Counsel, Mr. Yanchunis said the lawsuit will seek stronger cybersecurity measures from Yahoo “to make sure that this never happens again.” Moreover, for those who suffered financial losses as a result of the breach, the lawsuit will seek damages.

Asked how much those damages might total, Mr. Yanchunis said it’s too early to say, but likely in the hundreds of millions of dollars.

“It will be extensive,” he said.

Experience with Data Breaches Was Key

In determining whom to name Lead Counsel for the largest class action ever, Judge Koh weighed the following chief criteria:

  • “Knowledge and experience in prosecuting complex litigation, including class actions, data breach, and/or privacy cases”
  • “Willingness and ability to commit to a time-consuming process”
  • “Ability to work cooperatively and efficiently with others”
  • “Access to sufficient resources to prosecute the litigation in a timely manner”
  • “Commitment to prioritizing the interests of the putative class”

The first criterion, experience, may have clinched the win for Mr. Yanchunis. He and Morgan & Morgan previously litigated two massive data breach cases—the Home Depot Inc. and Target Corp. cases. Those lawsuits were settled for $19 million (Home Depot) and $10 million (Target), respectively.

Congress Wants Answers from Yahoo

Yahoo scheduled a congressional staff meeting on January 31, 2017, in which they would ostensibly provide more details about the breach to members of Congress. But Yahoo canceled the meeting at the last minute, on January 28, prompting a swift rebuke from Congress, namely Senators John Thune (R – SD) and Jerry Moran (R – KS).

Senators Thune and Moran—who head the Committee on Commerce, Science, and Transportation (Thune) and the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security (Moran), respectively—wrote a letter to Marissa Mayer, CEO of Yahoo, demanding more information. The letter closed with the following five questions:

  • “With respect to both the 2013 and 2014 incidents, how many users do these incidents affect? Please describe Yahoo!’s efforts to identify and provide notice to these users.”
  • “With respect to the aforementioned incidents, what type of data does Yahoo! believe to have been compromised? Does the data include sensitive personal information?”
  • “What steps has Yahoo! taken to identify and mitigate potential consumer harm associated with these incidents?”
  • “What steps has Yahoo! taken to restore the integrity and enhance the security of its systems in the wake of these incidents?”
  • “In addition to answering these questions, please provide a detailed timeline of these incidents, including Yahoo!’s initial discovery of a potential compromise of its user information, forensic investigation and subsequent security efforts, notifications to law enforcement agencies, as well as any notification to affected consumers.”

The Senators requested that Ms. Mayer answer these questions no later than February 23, 2017, but it is unclear if she complied.

If not, it may take a trial to uncover the answers.

How to Protect Yourself from Data Breaches

In general, the best way to protect yourself from data breaches is to use a strong and unique password for each account or website. (Apps like LastPass help store them for you.) Don’t recycle passwords or use the same one for years on end. Don’t make your password your birthday, “Password123,” or something like “dadada.”

Set up multi-step verification whenever possible, and cover your PIN when you enter it at stores or ATMs. All of these measures can help protect you and your identity in the event of a breach.

Data Breach Lawsuit Eligibility

If you were impacted by the Yahoo data breach, you will automatically be a member of this class and do not need to sign up to join the lawsuit.

Check regularly to stay up to date on the data breaches that may affect you.

Did you find what you need?