A US judge has ruled Yahoo must face nationwide litigation brought on behalf of well over 1 billion users who said their personal information was compromised in massive data breaches.

The lawsuit concerns two major breaches: one that occurred in 2013 that impacted more than a billion users, and another in late 2014 that affected at least 500 million accounts. in December, a judicial panel consolidated five putative class action suits that sought to represent account holders who had e-mails, passwords, and other sensitive information compromised.

Yahoo sought to dismiss the lawsuit, saying that victims didn’t have the legal standing to bring the case, an assertion that US District Judge Lucy Koh rejected. In her decision, she wrote that “All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information.” Koh said some plaintiffs also alleged they had spent money to thwart future identity theft or that fraudsters had misused their data. Koh did dismiss some claims, and is giving the plaintiffs the opportunity to amend their complaint against Yahoo.

“We believe it to be a significant victory for consumers, and will address the deficiencies the court pointed out,” John Yanchunis, a lawyer for the plaintiffs who chairs an executive committee overseeing the case, said. “It’s the biggest data breach in the history of the world.”

The ruling is a blow to Verizon, which now owns Yahoo. Verizon spokesman Bob Varettoni said the company declined to comment on pending litigation. Verizon reduced its acquisition offer by $350 million following the disclosure of the breaches, purchasing the site for $4.48 billion in cash.

In court papers, Yahoo had argued that the breaches were “a triumph of criminal persistence” by a “veritable ‘who’s who’ of cybercriminals,” and that no security system is hack-proof.