A US district court judge cleared the way for Yahoo users to sue over a massive 2013 data breach which impacted 3 billion accounts, despite an effort by Verizon to have the claims dismissed.

In the wake of the hack, users argued in court the company should have acted sooner to disclose the data breaches and claimed the company put them at risk of identity theft. Though Judge Lucy Koh dismissed some user claims for lacking merit, she let stand claims accusing Yahoo of negligence, deceit by concealment and breach of contract.

In her decision she noted the “plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System”. She added users can argue Yahoo’s liability limits in its service agreement are “substantively unconscionable” since the company “took minimal action despite knowing about their inadequate security measures”.

Yahoo unveiled its first hack in October 2016 and followed in December 2016 with news of a second, larger breach impacting 1 billion users. The news allowed Verizon to whittle down its purchase price by some $350 million to $4.48 billion and the company completed its acquisition of Yahoo in June 2017.

Just a few months later, the company revealed the second hack was larger than first though and, in fact, impacted all 3 billion Yahoo user accounts.

US prosecutors have pinned the 2013 incident on two hackers working in collaboration with two Russian agents.