Verizon has hit a setback in its efforts to limit potential liability from massive Yahoo data breaches.

On Wednesday, U.S. District Judge Lucy Koh in San Jose, California ruled that Yahoo must face litigation related to the breaches that affected more than 1 billion users, who assert their personal information was compromised.

In February Verizon slashed $350 million from its original $4.83 billion offer to acquire Yahoo in the wake of revelations about multiple massive data breaches. Since the deal closed in June, Verizon has made Yahoo a part of its Oath unit.

The first breach in 2013 affected more than 1 billion accounts, and was followed by a second in 2014, which affected more than 500 million. In 2015 and 2016 a third breach occurred. Despite the scale, Yahoo waited three years before revealing the first.

Yahoo had contended that victims of the breach didn’t have standing to sue. However, Koh rejected that stance, saying plaintiffs could pursue breach of contract and unfair competition claims.

“All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information,” she wrote.

She noted that some victims allege they’ve spent money to prevent future identity theft, while others could have changed their passwords or canceled accounts if Yahoo hadn’t been so slow to disclose their breaches.

Certain claims were dismissed but the judge said plaintiffs could amend their filing to address deficiencies.

John Yanchunis, a lawyer for the plaintiffs who chairs an executive committee overseeing the case told Reuters: “We believe it to be a significant victory for consumers, and will address the deficiencies the court pointed out. It’s the biggest data breach in the history of the world.”

Yahoo for its part, had argued that the breaches were “a triumph of criminal persistence,” and contend that no security system is hack-proof.