A US judge has ruled that Yahoo must face nationwide litigation brought on behalf of over 1bn users who said their personal information was compromised in three data breaches, Reuters reports. While the breaches occurred between 2013 and 2016, Yahoo did not reveal that the first one had happened until 2016.

US District Judge Lucy Koh rejected Yahoo’s contention that breach victims lacked standing to sue, and said they could pursue breach of contract and unfair competition claims. In its submissions, Yahoo had argued that the breaches were “a triumph of criminal persistence” by a “veritable ‘who’s who’ of cybercriminals,” adding that no security system is hack-proof.

The judge said that some plaintiffs alleged they had spent money to thwart future identity theft, while others alleged that fraudsters had misused their data. Had Yahoo not been so tardy in disclosing the breaches, the judges added, some plaintiffs could have changed passwords or cancelled their accounts to prevent losses. And while many claims were dismissed, Judge Koh said the plaintiffs could amend their complaint to address her concerns.

Yahoo is now part of Verizon, which paid $4.76bn (£3.67bn) for Yahoo’s internet business in June.