A judge has rejected Yahoo’s attempt to draw a line under a series of breaches it experienced between 2013 and 2016.
The firm had proposed a payout to lawyers acting on behalf of affected US and Israeli users.
But while the deal said the attorneys could claim up to $37.5m (£28.5m) in fees and costs, it did not disclose the sum reserved for victims.
The California judge also objected to Yahoo being too vague about what remedial steps it was taking.
Details of the ruling were first reported by the Courthouse News Service, which has also published the decision in full.
Dark web sale
Judge Lucy Koh has form in dealing with contentious cases involving tech giants.
She previously oversaw a high-profile patent dispute between Apple and Samsung, and has also presided over headline-making cases involving YouTube, Qualcomm and Tesla.
The Yahoo class action lawsuit specifically covers three data breaches that affected the web portal’s users’ personal information:
- a 2013 event in which hackers were able to access all 3 billion Yahoo accounts
- a 2014 attack, which the firm said had affected more than 500 million accounts
- a breach that happened between 2015-16, in which the plaintiffs allege that the data stolen in 2014 was used to gain access to specific user accounts
The lawyers pursuing the case noted that Yahoo had repeatedly delayed notifying the public of the incidents until some time after it had become aware of them.
In one instance, the business acknowledged it had paid for data from millions of its hacked accounts that had been advertised on the dark web, but disputed claims that it had failed to prevent the information being purchased by others.
Among the evidence presented to the court was a report submitted by the plaintiffs that alleged there had been further breaches dating back to 2008 involving “several million accounts”, which Judge Koh noted that Yahoo continued to deny.
Yahoo was taken over by the telecoms firm US Verizon in 2017 in a $4.5bn deal.
The judge first expressed reservations about the settlement at a hearing in November, when she complained that she had been unable to “figure out the total estimated sum” being promised.
And on Monday, she formally rejected the deal.
Her ruling set out several objections.
Firstly, Judge Koh said she was dissatisfied that it released Yahoo from having to make further payouts related to breaches prior to 2013.
Since the firm had not admitted to any such events, the judge said the court was unable to evaluate what harm might have been experienced by users.
Judge Koh added that a failure to disclose the total size of the settlement fund meant that those affected would be unable to determine if it was reasonable.
In addition, she expressed concern that the sum that could be claimed by the 140 lawyers pursuing the case “may be unreasonably high”.
The judge also claimed Yahoo had publicly declared an “inflated, inaccurate” estimate of the number of users affected while filing under seal – meaning it does not become part of the public record – “a more accurate, much smaller number”.
This might reduce the amount that could be claimed by each victim and act as a disincentive to them seeking recompense.
Furthermore, the judge criticised the tech firm for making only “vague commitments” to improve its cyber-security.
“Yahoo’s history of non-disclosure and lack of transparency related to the data breaches are egregious,” Judge Koh concluded.
“Unfortunately, the settlement [and related filings] continue this pattern of lack of transparency.”
Her refusal to accept the deal means the two sides will have to consider new terms.
A spokesman for Verizon said it did not discuss pending litigation.
The plaintiffs’ lead law firm has not responded to a request for comment.