[BreachExchange] Yahoo agrees $50M settlement package for users hit by massive security breach

Destry Winant destry at riskbasedsecurity.com
Wed Oct 24 10:42:55 EDT 2018


One of the largest consumer internet hacks has bred one of the largest
class action settlements after Yahoo agreed to pay $50 million to
victims of a security breach that’s said to have affected up to 200
million U.S. consumers and some three billion email accounts.

In what appears to be the closing move to the two-year-old lawsuit,
Yahoo — which is now part of Verizon’s Oath business [which is the
parent company of TechCrunch] — has proposed to pay $50 million in
compensation to an estimated 200 million users in the U.S. and Israel,
according to a court filing.

In addition, the company will cover up to $35 million in lawyer fees
related to the case and provide affected users in the U.S. with credit
monitoring services for two years via AllClear, a package that would
retail for around $350. There are also compensation options for small
businesses and individuals to claim back costs for losses associated
with the hacks. That could include identity theft, delayed tax refunds
and any other issues related to data lost at the hands of the
breaches. Finally, those who paid for premium Yahoo email services are
eligible for a 25 percent refund.

The deal is subject to final approval from U.S. District Judge Lucy
Koh of the Northern District of California at a hearing slated for
November 29.

Since Yahoo is now part of Oath, the costs will be split 50-50 between
Oath and Altaba, the holding company that owns what is left of Yahoo
following the acquisition. Altaba last month revealed it had agreed to
pay $47 million to settle three legal cases related to the landmark
security breach.

Yahoo estimates that three billion accounts were impacted by a series
of breaches that began in 2013. The intrusion is believed to have been
a state-sponsored attack by Russia, although no strong evidence has been
provided to support that claim.

The incident wasn’t reported publicly until 2016, just months after
Verizon announced that it would acquire Yahoo’s core business in a
$4.8 billion deal.

At the time, Yahoo estimated that the incident had affected “at least”
500 million users but it later emerged that data on all of Yahoo’s
three billion users had been swiped. A second attack a year later
stole information that included email and passwords belonging to 500
million Yahoo account holders. Unsurprisingly, the huge attacks saw
Verizon negotiate a $350 million discount on the deal.
