Yahoo is being taken to court by a user who accused the internet company of gross negligence in conjunction with a massive 2014 hack in which information was stolen from at least 500 million accounts.
The lawsuit was filed at a United States federal court in San Jose, California, one day after Yahoo disclosed the hack, by what it believed was a "state-sponsored actor."
Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages.
A Yahoo spokeswoman said the company does not discuss pending litigation.
The attack could complicate CEO Marissa Mayer's effort to shore up the website's flagging fortunes, two months after she agreed to a US$4.8 billion (A$6.7 billion) sale of Yahoo's internet business to US telco Verizon Communications.
Yahoo on Thursday said user information including names, email addresses, phone numbers, birth dates and encrypted passwords were compromised in late 2014.
But the lawsuit suggested that the breach might have been warded off had Yahoo, having been targeted by hackers before, lived up to its promise of taking user privacy "seriously" and bulked up its security measures.
It also faulted Yahoo for taking roughly three times longer than organisations typically need to uncover the breach.
Yahoo demonstrated "reckless disregard for the security of its users' personal information that it promised to protect," according to the complaint.