Yahoo is being sued over a cyberattack which resulted in data being stolen from 500 million users.
The US internet firm said the hack, which affected eight million user accounts in the UK, was carried out by a “state sponsored actor”.
Ronald Schwartz, from New York, has accused Yahoo of gross negligence and filed a lawsuit on behalf of all users in the US whose personal information was compromised.
Mr Schwartz’s lawsuit, which seeks unspecified damages, claims that Yahoo demonstrated “reckless disregard for the security of its users’ personal information that it promised to protect”.
It adds that Yahoo could have prevented the breach if it had improved its security measures.
A Yahoo spokesperson declined to comment on the lawsuit.
The firm has said that user information including names, email addresses, phone numbers, birth dates and encrypted passwords were compromised after the hack in late 2014.
It insisted unprotected passwords, payment card data and bank account information was safe.
Users who might be affected are to be contacted by Yahoo, asked to change their passwords, and to use other ways of verifying their account.
The Information Commissioner’s Office described the scale of the breach as “staggering”.
Information Commissioner Elizabeth Denham added: “We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data.
“People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find.”
There was speculation that the fallout from the hack may have implications for Verizon’s $4.8bn (£3.7bn) purchase of Yahoo.
In a statement, Verizon said: “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”
Richard Blumenthal, a Democrat senator from Connecticut, has called on regulators to investigate “whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation”