In re Yahoo! Inc.

Decision Date: 30 August 2017
Docket Number: Case No. 16-MD-02752-LHK
Parties: IN RE: YAHOO! INC. CUSTOMER DATA SECURITY BREACH LITIGATION
Court: U.S. District Court — Northern District of California
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS
Re: Dkt. No. 94

Plaintiffs Kimberly Heines, Hashmatullah Essar, Paul Dugas, Matthew Ridolfo, Deana Ridolfo, Rajesh Garg, Scarleth Robles, Maria Corso, Jose Abitbol, Yaniv Rivlin, Mali Granot, and Brian Neff (collectively, "Plaintiffs") bring a putative class action against Defendant Yahoo! Inc. ("Yahoo"). Plaintiff Brian Neff also brings a putative class action against Defendant Aabaco Small Business, LLC ("Aabaco") (collectively with Yahoo, "Defendants").

Before the Court is Defendants' motion to dismiss Plaintiffs' Consolidated Class Action Complaint ("CCAC"). ECF No. 94 ("Mot."). Having considered the parties' submissions, the relevant law, and the record in this case, the Court hereby GRANTS in part and DENIES in part the motion to dismiss.

I. BACKGROUND
A. Factual Background

Defendant Yahoo was founded in 1994 and has since grown into a source for internet searches, email, shopping, news and many other internet services. CCAC ¶ 24. One of Yahoo's most important services is Yahoo Mail, a free email service. Id. ¶ 25. Plaintiffs allege that "[m]any users have built their digital identities around Yahoo Mail, using the service for everything from their bank and stock trading accounts to photo albums and even medical information." Id.

Yahoo also offers online services for small business, including website hosting and email services (hereinafter, "Small Business Services"). Id. ¶ 29. Users must pay for Small Business Services, and users are required to provide credit or debit card information for automatic monthly payments for Small Business Services. Id. Prior to November 2015, Yahoo provided these services through a division called Yahoo Small Business. Id. "Since November 2015, Yahoo has provided its small business services through its wholly owned subsidiary Aabaco." Id.

Plaintiffs allege that in order to obtain email services and Small Business Services from Defendants, users are required to provide personal identification information ("PII") to Defendant. This PII includes the user's name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests.1 CCAC ¶¶ 1, 32. For some Yahoo accounts, including the small business accounts, users are required to submit additional PII, including credit or debit card numbers and other financial information. Id. ¶ 32.

In addition to the PII that Plaintiffs submitted directly to Defendants, Plaintiffs also allege that users used their Yahoo email accounts to send and receive a variety of personal information. Each named Plaintiff alleges that he or she included sensitive PII in the content of his or her Yahoo emails. The individual allegations of the named Plaintiffs, including allegations regarding the personal information that these named Plaintiffs included in their Yahoo email accounts, are discussed further below.

1. Earlier 2012 Data Breach Putting Yahoo on Notice of Data Security Issues

Plaintiffs allege that Defendants have a long history of data security failures that should have put Defendants on notice of the need to enhance their data security. For example, although the Federal Trade Commission found as early as 2003 that "SQL injection attacks" were a known and preventable data security threat, "[i]n 2012, Yahoo admitted that more than 450,000 user accounts were compromised through an SQL injection attack—with the passwords simply stored in plain text." Id. ¶¶ 47-48. Plaintiffs allege that according to news stories at the time, "[s]ecurity experts were befuddled ... as to why a company as large as Yahoo would fail to cryptographically store the passwords in its database. Instead, [the passwords] were left in plain text, which means a hacker could easily read them." Id.

According to Plaintiffs, the 2012 hackers intended the 2012 attack as a wake-up call, and the hackers left a message stating "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat . . . There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly." Id. ¶ 49. However, despite this warning, Plaintiffs allege that "Yahoo's internal culture actively discouraged emphasis on data security." Id. ¶ 50. Plaintiffs allege that "former Yahoo security staffers interviewed later told Reuters that requests made by Yahoo's security team for new tools and features such as strengthened cryptography protections were, at times, rejected on the grounds that the requests would cost too much money, were too complicated, or were simply too low a priority." Id. ¶ 50.

2. Three Data Breaches at Issue in the Instant Case

The instant lawsuit involves three data breaches that occurred between 2013 and 2016. According to Plaintiffs, Defendants represented to users that users' accounts with Defendants were secure. For example, Yahoo's website stated that "protecting our systems and our users' information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users' trust" and that "[w]e have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you." Id. ¶ 34. Similarly, Aabaco's website stated that "[w]e have physical, electronic, and procedural safeguards that comply with federal regulations to protect your Personal Information." Id. ¶ 35. Nonetheless, despite these representations, Plaintiffs allege that Defendants did not use appropriate safeguards to protect users' PII and that Plaintiffs' PII was thus exposed to hackers who infiltrated Defendants' systems. Specifically, Plaintiffs allege three separate data breaches: a breach that occurred in 2013, a breach that occurred in 2014, and a "forged cookie breach" that occurred in 2015 and 2016. The Court refers to these breaches collectively as the "Data Breaches." The Court discusses each below.

a. The 2013 Breach

The first breach occurred in August 2013 ("2013 Breach"). Id. ¶ 56. At that time, hackers gained access to more than one billion Yahoo accounts and stole users' Yahoo login, country code, recovery e-mail, date of birth, hashed passwords, cell phone numbers, and zip codes. Id. Plaintiffs allege that this 2013 Breach was particularly egregious "given the fact that 1 billion accounts were compromised, when there are only 3 billion people with Internet access in the world." Id. ¶ 59 (internal quotation marks and brackets omitted).

Significantly, the 2013 Breach also gave hackers access to the contents of users' emails, and thus exposed any PII or other sensitive information that users included in the contents of their emails. Id. Plaintiffs allege that users used their Yahoo emails for a variety of personal and financial transactions, and thus that Yahoo email accounts contained "records involving credit cards, retail accounts, banking, account passwords, IRS documents, and social security numbers from transactions conducted by email, in addition to other confidential and sensitive information contained therein." Id. ¶ 1.

Yahoo did not disclose the fact of the 2013 Breach until December 14, 2016, over three years after the 2013 Breach occurred in August 2013. Id. ¶ 78. Plaintiffs allege that the 2013 Breach occurred because Yahoo did not timely move away from an outdated encryption technology known as MD5. Id. ¶ 53. According to Plaintiffs, it was widely recognized in the data security industry long before the 2013 Breach that MD5 was "cryptographically broken and unsuitable for further use." Id. ¶ 55. Nevertheless, Yahoo did not begin to upgrade from MD5 until the summer of 2013. Id. ¶¶ 54-55. Plaintiffs allege, however, that Yahoo's move from MD5 in the summer of 2013 was too late to prevent the 2013 Breach. Id. ¶¶ 54-55.

b. The 2014 Breach

The second breach occurred in late 2014 ("2014 Breach"). Plaintiffs allege that "the 2014 breach began with a 'spear phishing' email campaign sent to upper-level Yahoo employees. One or more of these employees fell for the bait, and Yahoo's data security was so lax, that this action was enough to hand over the proverbial keys to the kingdom." Id. ¶ 91. Through this attack, hackers gained access to at least 500 million Yahoo user accounts. Id. ¶ 62. Many of the accounts breached in the 2014 Breach were accounts that had previously been breached in the 2013 Breach. Id. ¶ 63. In its motion to dismiss, Yahoo states that it received evidence from law enforcement that the criminal intruders responsible for the 2013 Breach were unrelated to the perpetrators of the 2014 Breach. See Mot. at 19.2

According to Plaintiffs, in August 2016, hackers posted for sale on the dark web the personal information of 200,000,000 Yahoo users. Id. ¶ 70. Plaintiffs also allege that "a geographically dispersed hacking group based in Eastern Europe managed to sell copies of the database to three buyers for $300,000 apiece months before Yahoo disclosed the 2014 Breach." Id. ¶ 71.

Plaintiffs allege that Yahoo knew about the 2014 Breach as it was happening, but that Yahoo did not publicly disclose the existence of the 2014 Breach until September 22, 2016, approximately two years later. Plaintiffs allege that Yahoo's announcement of the 2014 Breach "came just two months after Yahoo announced Verizon's plan to acquire its operating assets, and just weeks after Yahoo reported to the SEC that it knew of no incidents of unauthorized access of personal data that might adversely affect the potential acquisition." Id. ¶ 73. Significantly, Plaintiffs allege that Yahoo delayed notifying users or the public about the 2014 Breach while "Yahoo solicited offers to buy the company. Reportedly, Yahoo wanted the offers in...
